[kmf-discuss] PKIX certificate path validation

Huie-Ying Lee huie-ying.lee at sun.com
Fri Dec 21 10:00:44 PST 2007


Jan Pechanec wrote:
> On Thu, 20 Dec 2007, Huie-Ying Lee wrote:
>
>
>> I read the draft-ietf-secsh-x509-03.txt document today and I think for this to
>> work, the number of the responses should be 1 less than the number of the
>> certificates and they need to be in order.
>
> 	the draft is quite vague, I think that the number of OCSP responses 
> might not correspond to the number of certificates at all. I think it could 
> be just half of them, for example.
>
>
>> Currently, kmf_validate_cert() doesn't support this, but I think it is doable
>> by adding 2 new attributes to it - a cert chain array and a response array.
>> If a cert chain array is provided to kmf_validate_cert(), then the TA cert
>> should be the last certificate in the chain.
>
> 	yes. Given the option that OCSP responses for only some of the 
> certificates could be provided - would that be possible?
>
> 	J.
>
If the number of OCSP responses does not correspond to the number of
certificates, then it is not easy to decide the mapping between the
certificates and the responses. A response file can cover many
certificates, but it is better that we know which certificates it covers
upfront. Otherwise, for each certificate, we will need to check all the
responses until we find the right one. This doesn't seem very efficient
to me. I think the draft should clarify this portion a bit.

If there is only one response file for the entire chain, then it is OK,
because in this situation we can safely assume that this response file is
for all the certificates in the chain.

Huie-Ying
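An added illustration of the mapping problem discussed in this thread (example code written for this archive page, not KMF code and not from the draft): the chain and the OCSP responses are modelled as plain Python data with the trust anchor as the last chain entry. When the response count is one less than the chain length the positional mapping is tried first and checked against what the response actually covers; a single response is applied to the whole chain; in every other case each response has to be scanned per certificate, which is the inefficient situation described above. The lookup counter makes that cost visible.

```python
# Constructed model of matching OCSP responses to a certificate chain.
# Real OCSP responses are DER-encoded and signed; none of that is modelled.
from typing import Optional


def _single_response(resp: dict, cert: dict) -> Optional[str]:
    """Status the response gives for cert, or None if the response does
    not cover that (issuer, serial) pair at all."""
    return resp["statuses"].get((cert["issuer"], cert["serial"]))


def map_responses(chain: list, responses: list) -> dict:
    """chain: certs (dicts with 'subject', 'issuer', 'serial'), end entity
    first, trust anchor (TA) last.  responses: OCSP responses, each a dict
    whose 'statuses' maps (issuer, serial) -> 'good' / 'revoked' / 'unknown'.
    Returns serial -> (status or None, number of responses inspected)."""
    to_check = chain[:-1]          # the TA itself is not checked via OCSP
    result = {}
    for i, cert in enumerate(to_check):
        status, lookups = None, 0
        if len(responses) == 1:
            # one response for the whole chain: assume it covers every cert
            lookups = 1
            status = _single_response(responses[0], cert)
        elif len(responses) == len(to_check):
            # "one less than the certificates, in order": try the positional
            # match, but verify it rather than trusting the ordering blindly
            lookups = 1
            status = _single_response(responses[i], cert)
        if status is None:
            # counts do not line up (or the positional guess was wrong):
            # scan every response until one covers this certificate
            for resp in responses:
                lookups += 1
                status = _single_response(resp, cert)
                if status is not None:
                    break
        result[cert["serial"]] = (status, lookups)
    return result


# Constructed sample: leaf <- intermediate <- root (TA last), and two
# responses whose order does NOT follow the chain order.
CHAIN = [
    {"subject": "leaf", "issuer": "intermediate", "serial": 1001},
    {"subject": "intermediate", "issuer": "root", "serial": 2002},
    {"subject": "root", "issuer": "root", "serial": 1},
]
RESPONSES = [
    {"statuses": {("root", 2002): "good"}},
    {"statuses": {("intermediate", 1001): "revoked"}},
]


def demo() -> dict:
    return map_responses(CHAIN, RESPONSES)
```

With the out-of-order sample the positional guess fails for both certificates and the scan has to run, so the leaf needs three lookups and the intermediate two; a correctly ordered list would need one each.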
