pem-dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: COST-PEM Certificate Validation and CRLs

1993-06-14 08:02:00
from [John Lowry] [Permanent Link] 
Mr. Muftic,

        I believe that you have misunderstood the use of CRLs and the
        certificate-based key management model employed in PEM.

        The model is that certificate validation is not a service performed by
        the CA but by the user.  The CA must make available all the components
        necessary for the user to perform validation, but only those that the 
CA is
        directly repsonsible for. 

        If the recipient cannot validate each certificate and check to 
ascertain that
        none of them are on a CRL by performing the signature validation on each
        certificate and each CRL and performing the date validitity checks and 
serial
        number checks, then there is no validation.

        You are correct that there is a difficulty obtaining CA certificates 
and CRLs.
        Eventually this will be accomplished with a directory system of some 
sort.
        It appears that your system has a method of distributing certificates 
and
        it may work.  The flaw is that CRLs are not available to the person 
performing
        validation.  They are required to take the CA's "word" for it.  What if 
the
        CA is incompetent or unavailable ?  What if the CA is mistaken or 
subverted or
        criminal ?  Are your CAs going to assume liability for certificate
validation on
        messages being acted upon by the users ?

        I do not understand your requirement to make the end users "accumulate 
... all
        certificates along      their certification path."  Does this mean all 
"user"
certificates
        or are you speaking of CA certificates ?  If you mean all "user"
certificates then
        this is going to be an unacceptable burden in    some environments.  

        Certificate validation is fairly straight forward, for an originator or
recipient.
        Start at the bottom of the hierarchy.  Obtain the certificate and CRL 
of each
        issuer name until you reach the root.  Check that all dates are valid 
and that
        none of the certificates under evaluation appear on the appropriate 
CRL. 
Starting
        at the root, validate the signature on each subordinate certificate and 
when    
        the certificate holder is a CA, validate the signature on the CRL.  If 
all
conditions
        are satisfied, then the subject certificate is valid.  (Sequencing can 
be
changed
        for purposes of efficiency...).  This is what is required in RFC1422,
section 2,
        fourth paragraph.

John
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Question about DNs, John Lowry
Next by Date:  Re: (Non-PEM) self-signed certifi, Robert W. Shirey
Previous by Thread:  COST-PEM Certificate Validation and CRLs, Sead Muftic
Next by Thread:  Re: COST-PEM Certificate Validation and CRLs, gvb
Indexes:  [Date] [Thread] [Top] [All Lists]