Re: DPD & DPV Basics

[Steve Hanna <steve.hanna@xxxxxxx>]

Thank you, Carlin, for pointing out several cases where it might be
useful for a DPD server to return an invalid or unvalidated path.

I'm glad to see that you and Steve Kent have agreed that these cases
should not be addressed at this time. They can be addressed later by
adding parameters that the client could use to describe what sort of
invalid or unvalidated paths it is willing to accept.

-Steve

"Covey, Carlin" wrote:
> 
> Frank,
> 
> See comments below.
> 
> -----Original Message-----
> From: Frank Balluffi [mailto:frankb@xxxxxxxxxxxx]
> Sent: Thursday, January 11, 2001 2:31 PM
> To: 'Steve Hanna'; PKIX List
> Subject: RE: DPD & DPV Basics
> 
> <snip>
> 
> 1. Can someone explain the value of a DPD server returning a path that may
> not be valid?
> 
> <snip>
> 
> [Carlin]
> I agree that returning a path that may not be valid would not be the normal
> case.
> However, I can think of some circumstances in which it would be useful.
> 
> The returned certificate path might include a certificate that has expired,
> or which is currently suspended.  The DPD client may be willing to accept
> such an invalid chain for certain purposes.
> 
> Another case is a valid chain that traces to a root that is not one of the
> client's trust anchors.  The DPD client might be willing to add that root to
> 
> its set of trust anchors.
> 
> A third case is a chain that the DPD client can validate, but the DPD server
> cannot.
> (For instance, the client may be able validate a certificate signed with
> ECDSA,
> whereas the server may have no means to do so.)
> 
> Regards,
> 
> Carlin
> 
> --------------------------------------
> - Carlin Covey
>   Cylink Corp.