Path ConstructionPath Construction“It’s Easy!”“It’s Easy!”

Mark Davis

Current WP Scope

Applications that make use of public key certificates have to validate certificate paths.

Before validating a certificate path, it is first necessary to construct that path.

This means finding a set of certificates that appears to chain up to a trust point.

This white paper describes issues that implementers of PKI technology have to face when developing certificate path construction code, for example, considering issues with different sources of certificates (LDAP, databases etc) and how to avoid "loops".

So What is the Problem?

Does not seem to work in the real world Brought up as area of interest at first PKI

Forum Standards seem to address the problem Objectives:

– Identify parts of the task– Describe the problem– How can PKI Forum make progress?

Path Construction

Want to validate a certificate You have some trusted roots Each certificate has “issuer name”

– May have other information Path validation described in standards

– Start with root– Check each cert (cert, policy, revocation status)– When check of cert of interest complete, then

work is done

No Problem. Well …

Finding the certificates– Mostly an LDAP problem

Finding a path– Graph theory problem

Checking a path– Good news! Recognizable correct answer– Whose rules

• Certificate may or may not contain standard profile• Roots may be from different profiles

#1 Finding Missing Certificate

Can’t identify certificate– DN non proper– Cert storage not related to Issuer DN– LDAP

“Path Policy” may not use X.509 certificates– PKCS #7

Interdomain directory authorization problems

#2 Finding the path

Assuming you can find the certificates In real life, number of certificates well bounded Graph traversal algorithms well understood

– I admit that building routing algorithms is hard. But somebody else already did it.

– We do not introduce new problems Each Cert Issuer -> Issue Cert link must be

handled by SW Partial Path’s

– SW must parse partial path and maintain like as above

Other Problems

…

What does the paper need to say – Mark’s Version

LDAP is hard (see LDAP WP) Sometimes you don’t use LDAP to get

Certificates (see …) Graph Traversal is hard (see Knuth) Path construction is easy!

What does the paper need to say – WG Consensus Version

List the problems with LDAP Recommend protocols and business logic solve as

much as problem as possible Error Handling needs guidance CA-CA paper must give guidance to bound path

construction Path construction may be a resource intensive

– server may be better than on small device Environmental impacts described