[kmf-discuss] PKIX certificate path validation
Huie-Ying Lee
huie-ying.lee at sun.com
Thu Dec 20 17:57:44 PST 2007
Jan Pechanec wrote:
> On Wed, 19 Dec 2007, Wyllys Ingersoll wrote:
>
>> Yes, sorry. We talked about this in our iTeam meeting yesterday. We would
>> like to improve our validation checking to go further along the chain. Full
>> PKIX support is very complex and is not trivial to implement. It involves a
>> lot more than just walking the chain and checking signatures.
>
> yes, I know that section 6.1 in RFC 3280 is not just a couple of
> pages. I don't see a problem if it's not fully supported as long as the
> basic chain validation process works. If it's documented what is supported
> and what is not, I think it's better than not to support it at all. And it
> could be extended later on.
>
>>>> do you think there is a way how KMF could be extended so that I could
>>>> call a function similar to kmf_verify_cert() that could get a list of
>>>> certificates that are part of the validation path, possibly with OCSP
>>>> responses that would be used when needed according to the policy? I mean that
>>>> if policy enforces OCSP usage, it would contact the responder only if the OCSP
>>>> response wasn't given as an input?
>> Can you clarify - what are the inputs you would like to pass in and what are
>> the outputs?
>>
>> Caching OCSP responses is difficult because KMF is not a daemon process and
>> keeps very
>
> I understand the problem about caching OCSP responses but that's not
> the issue here. I would like to give you an array of certificate attributes
> (not sure if you would want them ordered wrt to the path validation) and an
> array of OCSP response attributes (because I get them from the other side).
> My understanding from the SSH/x509 draft is that there might be just a few
> responses for some of the certificates.
>
> I would like to get a response whether the certificate is valid. And
> if OCSP was forced by the policy and a response was not provided for
> certificate X, KMF would take care of that - it would fetch a response. Etc.
> It would also check that in responses provided, nextUpdate is fresh enough
> etc.
>
> is this enough for you?
>
> thanks, Jan.
>
I read the draft-ietf-secsh-x509-03.txt document today and I think for this to work,
the number of the responses should be 1 less than the number of the certificates
and they need to be in order.
Currently, kmf_validate_cert() doesn't support this, but I think it is doable by
adding 2 new attributes to it - a cert chain array and a response array.
If a cert chain array is provided to kmf_validate_cert(), then the TA cert should be
the last certificate in the chain.
Huie-Ying
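The two input arrays discussed above (a chain ordered leaf first with the trust anchor last, and a parallel array of OCSP responses, one slot per non-TA certificate) can be modelled in a few dozen lines. The following is an added example, written for this page; it is not KMF code and not code from anyone in this thread. It assumes invented types (Cert, OcspResponse, Policy, PathResult) and an invented check_path() that only does the bookkeeping half of the job: chain ordering, response alignment, revocation status, nextUpdate/thisUpdate freshness against a policy, and the "fetch only where no fresh response was supplied" rule. Signature, name-constraint and extension processing per RFC 3280 section 6.1 is assumed to be done elsewhere and is not modelled. Allowing a response slot to be None (peer sent nothing for that certificate) is a generalization of the "one response per non-TA certificate" reading of the draft, chosen so the fetch rule has something to act on.

```python
"""Chain / OCSP-response bookkeeping for a PKIX-style path check.

Added example, not KMF code: a hypothetical model of the proposed
kmf_validate_cert() inputs (chain array, leaf first and trust anchor last,
plus a parallel OCSP response array) and of the policy rule "fetch a response
only where a fresh one was not supplied".  RFC 3280 6.1 signature and
extension processing is assumed to happen elsewhere.  All names are invented.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

@dataclass(frozen=True)
class OcspResponse:
    serial: int                  # serialNumber of the certificate covered
    issuer: str                  # issuer the responder used to identify it
    status: str                  # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime]

@dataclass(frozen=True)
class Policy:
    require_ocsp: bool = True
    max_age: timedelta = timedelta(hours=24)  # older thisUpdate counts as stale

@dataclass
class PathResult:
    valid: bool
    reason: str = ""
    need_fetch: list = field(default_factory=list)  # serials still needing a fresh response

def response_is_fresh(resp: OcspResponse, cert: Cert, policy: Policy, now: datetime) -> bool:
    """A supplied response is usable only if it names `cert` and is fresh at `now`."""
    if resp.serial != cert.serial or resp.issuer != cert.issuer:
        return False
    if resp.this_update > now or now - resp.this_update > policy.max_age:
        return False
    # No nextUpdate means the responder gave no validity window; treat as not fresh.
    return resp.next_update is not None and resp.next_update > now

def check_path(chain, responses, trust_anchors, policy: Policy, now: datetime) -> PathResult:
    """Check chain ordering (leaf first, TA last) and the parallel response list.

    `responses` has len(chain) - 1 slots, responses[i] covering chain[i].  A slot
    may be None when the peer sent nothing for that certificate (assumption).
    """
    if not chain:
        return PathResult(False, "empty chain")
    ta = chain[-1]
    if ta.subject != ta.issuer or ta.subject not in trust_anchors:
        return PathResult(False, "last certificate is not a trusted self-issued anchor")
    for i in range(len(chain) - 1):
        if chain[i].issuer != chain[i + 1].subject:
            return PathResult(False, f"chain[{i}] is not issued by chain[{i + 1}]")
    if len(responses) != len(chain) - 1:
        return PathResult(False, "need one response slot per non-TA certificate")

    need_fetch = []
    for cert, resp in zip(chain[:-1], responses):
        matches = resp is not None and (resp.serial, resp.issuer) == (cert.serial, cert.issuer)
        if matches and resp.status == "revoked":        # a revoked verdict is final, fresh or not
            return PathResult(False, f"certificate serial {cert.serial} is revoked")
        usable = matches and resp.status == "good" and response_is_fresh(resp, cert, policy, now)
        if not usable and policy.require_ocsp:          # policy forces OCSP: caller must fetch
            need_fetch.append(cert.serial)
    return PathResult(True, "", need_fetch)

# Constructed sample data (not real certificates); a fixed clock keeps the run deterministic.
NOW = datetime(2007, 12, 20, 18, 0, tzinfo=timezone.utc)
LEAF = Cert("CN=host.example", "CN=Intermediate CA", 1001)
INTER = Cert("CN=Intermediate CA", "CN=Root CA", 42)
ROOT = Cert("CN=Root CA", "CN=Root CA", 1)
CHAIN = [LEAF, INTER, ROOT]          # TA is the last element, as proposed in the thread
TRUST = {"CN=Root CA"}
POLICY = Policy()

def make_response(cert: Cert, status="good", age_hours=1, window_hours=24) -> OcspResponse:
    """Build a response whose thisUpdate is `age_hours` old and which lasts `window_hours`."""
    this_update = NOW - timedelta(hours=age_hours)
    return OcspResponse(cert.serial, cert.issuer, status, this_update,
                        this_update + timedelta(hours=window_hours))

if __name__ == "__main__":
    print(check_path(CHAIN, [make_response(LEAF), make_response(INTER)], TRUST, POLICY, NOW))
    print(check_path(CHAIN, [make_response(LEAF), None], TRUST, POLICY, NOW))          # fetch 42
    print(check_path(CHAIN, [make_response(LEAF, age_hours=48), None], TRUST, POLICY, NOW))
    print(check_path([ROOT, INTER, LEAF], [None, None], TRUST, POLICY, NOW))           # wrong order
```

The need_fetch list is the hook for the behaviour Jan asked for: with require_ocsp set, every certificate whose supplied response is missing, mismatched, stale or "unknown" is handed back for the caller (or the library) to query the responder, while a "revoked" response fails the path outright even if it is past nextUpdate. Everything here is cheap structural checking; the expensive part, verifying each signature and the chain's extensions, still has to run over the same ordered array.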