Re: PKIX Path determination/construction/processing and AKIpointer hanging



> From: "Peter Williams" <peterw@valicert.com>
> 
> QUESTION: If a certificate path chosen by a relying party contains at
> least one certificate whose authority key id backpointer does
> NOT resolve to a certificate in that path or any certificate
> known to the relying party, can one designate otherwise normal
> processing of that chain as conforming to PKIX 2459?
> 
> My answer to the question is yes. Does anyone disagree?


If I understand the question correctly, I disagree.  Restating
the question as I understand it:

  If a certificate path chosen by a relying party is not
  a continuous chain between the certificate being validated
  and a certificate trusted by the relying party, can one designate
  otherwise normal processing of that chain as conforming to RFC 2459?

If the relying party has no notion of a trusted public key, or has
an implementation which returns a "success" answer when given a path
not terminating in a trusted public key, then RFC2459 is irrelevant.
Frobbing the bits in accordance with section 6 may increase the entropy
of the relying party's immediate environment (generate some heat and
waste some time), but it has no other useful effect.

RFC2459 says "This text assumes that all valid paths begin with
certificates issued by a single 'most trusted CA'." (and then goes
on to discuss extended path validation where paths may begin with
one of several trusted CAs).

I interpret "This text assumes ..." to mean that if the assumption
is not met, then the results are undefined, and that if the results
are undefined, then there is no meaningful conformance.
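
The point argued in the reply above, as an added example that is not part of the original message: a structural check that reports a path as acceptable only if every link resolves and the path ends at a key the relying party trusts. It assumes a simplified record model of a certificate (the `Cert` fields and function names are hypothetical) and covers name and key-identifier chaining only, not the signature, validity or policy processing of RFC 2459 section 6.

```python
from typing import NamedTuple, Optional

class Cert(NamedTuple):
    # Simplified stand-in for an X.509 certificate (constructed model, not a parser).
    subject: str
    issuer: str
    ski: Optional[str]   # subject key identifier
    aki: Optional[str]   # authority key identifier (the "backpointer")

def links_to(child: Cert, parent: Cert) -> bool:
    """True if child's issuer name, and its AKI when both sides carry an
    identifier, point at parent."""
    if child.issuer != parent.subject:
        return False
    if child.aki is not None and parent.ski is not None:
        return child.aki == parent.ski
    return True

def check_path(path: list, anchors: list) -> tuple:
    """path[0] is the certificate being validated; each later entry should be
    the issuer of the one before it. Returns (ok, reason)."""
    if not path:
        return False, "empty path"
    for i in range(len(path) - 1):
        if not links_to(path[i], path[i + 1]):
            return False, f"break between path[{i}] and path[{i + 1}]"
    last = path[-1]
    # The path must end at an anchor itself or at a certificate an anchor issued.
    if any(last == a or links_to(last, a) for a in anchors):
        return True, "terminates at trust anchor"
    return False, "does not terminate at a trusted key"

# Constructed sample data.
ROOT = Cert("CN=Root", "CN=Root", ski="k-root", aki=None)
CA1 = Cert("CN=CA1", "CN=Root", ski="k-ca1", aki="k-root")
EE = Cert("CN=ee", "CN=CA1", ski="k-ee", aki="k-ca1")
EE_DANGLING = Cert("CN=ee", "CN=CA1", ski="k-ee", aki="k-unknown")

def demo() -> list:
    return [
        check_path([EE, CA1], [ROOT]),           # continuous, anchored
        check_path([EE_DANGLING, CA1], [ROOT]),  # AKI resolves to nothing in the path
        check_path([EE, CA1], []),               # relying party trusts no key
    ]

if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```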