On October 4, 2009 11:25:51 pm sandeep kiran p wrote:
> Hi All,
> A very quick question regarding Certificate path validation. RFC5280
> mentions that path validation begins at the trust anchor and proceeds
> towards the end entity certificate. The public key from the i-th certificate is
> used in verifying the signature on the (i+1)-th certificate (verification also
> involves checking other parameters as well). This proceeds till the end entity
> certificate is reached.
>
> But I see some online references which mention that the validation
> procedure starts from the end entity certificate and proceeds towards the
> root CA. Here's one of them from Mozilla.
>
> https://developer.mozilla.org/en/Introduction_to_Public-Key_Cryptography#How_CA_Certificates_Are_Used_to_Establish_Trust
>
> It mentions that the issuer of the i-th certificate is located and its
> public key used to verify the signature on the i-th certificate, thereby the
> validation seems to proceed bottom-up.
>
> Can someone clarify which of the two methods is correct?

Certainly - they both are. The thing that you have to keep in mind is the difference between Path Validation (Can I trust every certificate in the path from my Trust Anchor to the Certificate that I want to validate?) and Path Discovery (Do I have all of the Certificates that I need to perform Path Validation? If not, then can I go and get them all?).
What you need to do is to do Path Discovery first, and, using methods such as AIA chasing and the "Trusted Roots Store", make sure that you have all of the Certificates between one of your Trust Anchors and the certificate you want to validate. Then, once you have built the path, you have to go along that path, and ensure that:

1: All of the Certificates are valid. (Using Validity, CRL/OCSP etc.)
2: All of the Signatures chain.
3: All of the policies map.
4: All of the Name Spaces are within constraints.
5: All of the KeyUsage values are correct on all certificates.
6: All of the critical extensions are processed on all certificates.
7: All CA Certs assert Basic Constraints.

And any other check that is specified in RFC5280 that I've missed. :)

We've actually written a tool that does Path Discovery and validation called Pathfinder, if you are looking for such a tool. It can be found at:

http://www.carillon.ca/tools/pathfinder.php

Have fun!

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org