Federal Public Key Infrastructure Architecture - Access with TrustFederal Public Key Infrastructure Architecture - Access with Trust    Contact Us   |  
   Federal PKI Contacts  |  Sitemap


Path Discovery & Validation Mission Statement                             minutes     membership

The Path Discovery and Validation Working Group (PD-Val WG) is a working group of the Federal PKI Policy Authority. Its mission is to make recommendations to the Federal PKI (FPKI) community on infrastructure and desktop solutions that will facilitate bridge-enabled certificate validation. Recommendations are based on the applicant's test results received from the FPKI Lab.

What is Path Discovery & Validation?

Certificate validation consists of two phases: trust path discovery and trust path validation. Trust path discovery is the process of discovering a chain of cross-certificates and CA certificates running from the relying party's trust anchor to the end-entity's certificate. A trust path may be discovered dynamically each time as needed or it may be constructed once and stored (or "cached"); PDVAL products may vary in how they choose to implement this operation. Trust path validation is the process of examining each certificate that comprises the trust path and consulting the issuing CA's CRL or OCSP responder to determine each certificate's validity status at that moment. It is expected that even if a trust path is cached, all certificates in the trust path are validated in real-time at the beginning of each transaction.

Path Discovery & Validation Testing

The Public Key Interoperability Test Suite (PKITS) is a comprehensive X.509 path test suite developed by NIST in conjunction with BAE Systems and NSA. The PKITS path discovery and validation test suite ensures that vendor products and/or services have been implemented according to RFC 3280 and work in a bridge environment. Click here for approved products/services.

Federal PKI Hint List

The Federal PKI Policy Authority has established a "hint list" to assist the user in selecting an appropriate credential. Final acceptance of the credential is subject to: trust path validation through a trust anchor on the "trust list"; and certificate path validation.

This "hint list" contains Certificate Authority (CA) names (i.e., the issuer's DN) that is sent to the user's web browser in the CertificateRequest message of an SSL/TLS session during session establishment when PKI-based client authentication is required.

For assistance on how to bridge-enable your web server with the hint list, please refer to the Bridge-Enabling Web Servers document. Page Last Updated: 06 Mar 2008
  We welcome your comments to improve upon the accessibility and usability of our site. Click on one of the links below to better navigate our website:
WHITEHOUSE.GOV   READY.GOV   The U.S. government's official web portal   ExpectMore.gov