
RE: SCVP No error code found



Hi Faisal,

This has been fixed in 16 which now contains a number of explicit errors relating to the basic validation algorithm.

Trevor

 


Hi Trevor,

 

By reading the SCVP draft 15, I understand that if the requestor puts some KeyUsage bits in the query (section 3.2.17), then the server has to check whether the specified KeyUsage bit(s) are present in each queried certificate. If the server finds that a queried certificate does not contain the required KeyUsage bit(s), the server will not process the request.

 

The above case raises two questions:

  1. What error code will be returned so that the requestor can understand the failure reason?
  2. If there are two certificates in the query and the required KeyUsage is digitalSignature in each queried certificate, but during validation the server finds that one certificate has digitalSignature while the other does not: in this case the server should not return an error code for the scvpResponse but should return an error code for the queried certificate, so for this case the replyObject structure should have a corresponding error code.
    There may be one of two reasons that the queried certificate does not have the required bit(s):
    - the queried certificate is version 1
    - the queried certificate is version 3 but does not have the required bit(s)
    * I assume that in the case of a version 1 certificate we will continue processing, while for version 3 we will generate some error.

The same case as discussed above can occur for ExtendedKeyUsage OID(s)....

 

Do you have any idea, or am I missing something from the protocol?

Regards,
Faisal
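The per-certificate KeyUsage check Faisal describes, written out as an added example that is not part of this thread or of any SCVP implementation. It decodes the KeyUsage BIT STRING contents as in RFC 5280, uses a constructed dict in place of real certificates, treats the version 1 case as "continue" (Faisal's assumption), and uses placeholder status strings rather than the error codes draft 16 actually defines.

```python
KEY_USAGE_BITS = [  # RFC 5280 KeyUsage bit positions 0..8
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

def decode_key_usage(contents: bytes) -> set:
    """Decode the contents octets of a DER BIT STRING (first octet = count of
    unused trailing bits) into the set of KeyUsage bit names that are set."""
    if not contents or contents[0] > 7:
        raise ValueError("malformed KeyUsage BIT STRING")
    body, unused = contents[1:], contents[0]
    nbits = min(len(body) * 8 - unused, len(KEY_USAGE_BITS))
    return {KEY_USAGE_BITS[i] for i in range(nbits)
            if body[i // 8] & (0x80 >> (i % 8))}

def check_cert(cert: dict, required: set) -> tuple:
    """Status for one queried certificate (placeholder status strings, not the
    SCVP error codes draft 16 defines). cert is a constructed dict:
    {"version": 1 or 3, "keyUsage": contents bytes or None}."""
    if cert["version"] == 1:
        # v1 certificates carry no extensions; per the assumption in the mail,
        # keep processing instead of failing.
        return ("ok-no-extension", set())
    if cert.get("keyUsage") is None:
        return ("error-missing-extension", set(required))
    missing = set(required) - decode_key_usage(cert["keyUsage"])
    return ("error-missing-bits", missing) if missing else ("ok", set())

def build_reply(certs: dict, required: set) -> dict:
    """One status per certificate: the error lands in each replyObject rather
    than failing the whole scvpResponse, as the mail argues it should."""
    return {name: check_cert(c, required) for name, c in certs.items()}

# Constructed sample. Contents 05 A0: 5 unused bits, 1010 0000 -> digitalSignature
# and keyEncipherment. Contents 05 20 -> keyEncipherment only.
SAMPLE_CERTS = {
    "alice":  {"version": 3, "keyUsage": bytes.fromhex("05a0")},
    "bob":    {"version": 3, "keyUsage": bytes.fromhex("0520")},
    "legacy": {"version": 1, "keyUsage": None},
}

if __name__ == "__main__":
    for name, (status, missing) in build_reply(SAMPLE_CERTS, {"digitalSignature"}).items():
        print(f"{name}: {status} missing={sorted(missing)}")
```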