[kmf-discuss] PKIX certificate path validation
Jan Pechanec
Jan.Pechanec at Sun.COM
Wed Dec 19 13:26:58 PST 2007
On Wed, 19 Dec 2007, Wyllys Ingersoll wrote:
> Yes, sorry. We talked about this in our iTeam meeting yesterday. We would
> like to improve our validation checking to go further along the chain.
> Full PKIX support is very complex and is not trivial to implement. It
> involves a lot more than just walking the chain and checking signatures.
Yes, I know that section 6.1 in RFC 3280 is not just a couple of
pages. I don't see a problem if it's not fully supported as long as the
basic chain validation process works. If it's documented what is supported
and what is not, I think it's better than not supporting it at all. And it
could be extended later on.
>>> do you think there is a way in which KMF could be extended so that I could
>>> call a function similar to kmf_verify_cert() that could get a list of
>>> certificates that are part of the validation path, possibly with OCSP
>>> responses that would be used when needed according to the policy? I mean
>>> that if policy enforces OCSP usage, it would contact the responder only if
>>> the OCSP response wasn't given as an input?
>
> Can you clarify - what are the inputs you would like to pass in and what are
> the outputs?
>
> Caching OCSP responses is difficult because KMF is not a daemon process and
> keeps very
I understand the problem about caching OCSP responses but that's not
the issue here. I would like to give you an array of certificate attributes
(not sure if you would want them ordered wrt the path validation) and an
array of OCSP response attributes (because I get them from the other side).
My understanding from the SSH/x509 draft is that there might be just a few
responses for some of the certificates.
I would like to get a response whether the certificate is valid. And
if OCSP was forced by the policy and a response was not provided for
certificate X, KMF would take care of that - it would fetch a response. Etc.
It would also check that in the responses provided, nextUpdate is fresh enough
etc.
Is this enough for you?
thanks, Jan.
--
Jan Pechanec
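The contract Jan sketches above (a chain, a possibly incomplete set of OCSP responses supplied by the peer, a policy that decides whether a missing response must be fetched, and a freshness check on nextUpdate) can be written down as a small validator. The following Python is an added illustration for this thread, not KMF code and not the kmf_verify_cert() API: the Cert, OcspResponse and Policy types, the fetcher callback and the sample chain are all assumptions, and signature verification is replaced by subject/issuer name matching so the example runs offline. It only shows the bookkeeping that decides which certificate needs which revocation evidence.

```python
"""Illustrative PKIX-style path walk with caller-supplied OCSP responses.

Hypothetical types and names; this is not KMF's API. Signature checks are
replaced by issuer/subject name matching so the example runs stand-alone.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, List, Optional, Set, Tuple


@dataclass
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass
class OcspResponse:
    subject: str           # subject of the certificate this response covers
    status: str            # "good", "revoked" or "unknown"
    this_update: datetime  # thisUpdate field of the response
    next_update: datetime  # nextUpdate field of the response


@dataclass
class Policy:
    require_ocsp: bool = True                         # every cert needs OCSP evidence
    max_age: timedelta = timedelta(hours=24)          # thisUpdate may not be older than this
    # Callback used only when a required response was not supplied by the caller.
    fetcher: Optional[Callable[[Cert], Optional[OcspResponse]]] = None


def check_response(resp: OcspResponse, now: datetime, policy: Policy) -> Optional[str]:
    """Return an error string if the response is unusable, else None."""
    if resp.status != "good":
        return f"{resp.subject}: OCSP status {resp.status}"
    if now >= resp.next_update:
        return f"{resp.subject}: OCSP response expired (nextUpdate in the past)"
    if now - resp.this_update > policy.max_age:
        return f"{resp.subject}: OCSP response too old (thisUpdate exceeds max_age)"
    return None


def validate_path(chain: List[Cert], trust_anchors: Set[str],
                  responses: Iterable[OcspResponse], policy: Policy,
                  now: datetime) -> Tuple[bool, List[str]]:
    """chain[0] is the end-entity cert; chain[-1] must be issued by a trust anchor."""
    errors: List[str] = []
    if not chain:
        return False, ["empty chain"]
    # Structural walk: validity window and issuer/subject linkage.
    for i, cert in enumerate(chain):
        if not (cert.not_before <= now <= cert.not_after):
            errors.append(f"{cert.subject}: outside validity period")
        if i + 1 < len(chain) and cert.issuer != chain[i + 1].subject:
            errors.append(f"{cert.subject}: issuer {cert.issuer} does not match "
                          f"next cert {chain[i + 1].subject}")
    if chain[-1].issuer not in trust_anchors:
        errors.append(f"{chain[-1].subject}: issuer {chain[-1].issuer} is not a trust anchor")
    # Revocation evidence: prefer what the caller supplied, fetch only when the
    # policy requires a response that is missing.
    supplied = {r.subject: r for r in responses}
    for cert in chain:
        resp = supplied.get(cert.subject)
        if resp is None and policy.require_ocsp:
            if policy.fetcher is None:
                errors.append(f"{cert.subject}: OCSP required but no response supplied "
                              f"and no responder configured")
                continue
            resp = policy.fetcher(cert)
            if resp is None:
                errors.append(f"{cert.subject}: OCSP required but responder gave no answer")
                continue
        if resp is not None:
            err = check_response(resp, now, policy)
            if err:
                errors.append(err)
    return (not errors), errors


# Constructed sample data (not real certificates).
NOW = datetime(2007, 12, 19, 21, 0, tzinfo=timezone.utc)


def sample_chain() -> List[Cert]:
    return [
        Cert("CN=host.example", "CN=Intermediate CA", NOW - timedelta(days=30), NOW + timedelta(days=335)),
        Cert("CN=Intermediate CA", "CN=Root CA", NOW - timedelta(days=400), NOW + timedelta(days=1000)),
    ]


def good_response(subject: str, age: timedelta = timedelta(hours=1)) -> OcspResponse:
    """A 'good' response produced `age` ago with a 7-day nextUpdate window."""
    return OcspResponse(subject, "good", NOW - age, NOW - age + timedelta(days=7))


if __name__ == "__main__":
    # Peer supplied a response for the leaf only; the intermediate's is fetched.
    policy = Policy(fetcher=lambda c: good_response(c.subject))
    print(validate_path(sample_chain(), {"CN=Root CA"}, [good_response("CN=host.example")], policy, NOW))
```

With `require_ocsp` set and no fetcher, a certificate whose response the peer did not include is reported as an error rather than silently accepted; with `require_ocsp` cleared, only the responses that were supplied are checked, which is the "use it when given, otherwise follow the policy" behaviour the thread asks for.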