Path Discovery & Validation Mission Statement
The Path Discovery and Validation Working Group (PD-Val WG) is a working group of the Federal PKI Policy Authority. Its mission is to make recommendations to the Federal PKI (FPKI) community on infrastructure and desktop solutions that will facilitate bridge-enabled certificate validation. Recommendations are based on the applicant's test results received from the FPKI Lab.
What is Path Discovery & Validation?
Certificate validation consists of two phases: trust path discovery and trust path validation. Trust path discovery is the process of finding a chain of cross-certificates and CA certificates running from the relying party's trust anchor to the end-entity's certificate. A trust path may be discovered dynamically each time it is needed, or it may be constructed once and stored (cached); PDVAL products vary in how they implement this operation. Trust path validation is the process of examining each certificate in the trust path and consulting the issuing CA's CRL or OCSP responder to determine each certificate's validity status at that moment. Even if a trust path is cached, every certificate in it is expected to be validated in real time at the beginning of each transaction, because a certificate on a cached path may have expired or been revoked since the path was built.
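The two phases described above, as an added example that is not code from the FPKI site or from any PD-Val product. It models a small bridge topology in which the relying party's trust anchor (Agency A's root) reaches Agency B only through the bridge or through an expired direct cross-certificate, and the bridge also cross-certifies Agency A back, which is the cycle that every bridge topology contains. Certificates are plain dicts, names are strings, revocation is a constructed map of what a CRL or OCSP responder would report, and no signatures are checked; every name and serial number below is constructed.

```python
"""Path discovery and validation over a constructed bridge PKI.

Added example; not code from the FPKI site or any PD-Val product. Certificates
are plain dicts, names are strings, and revocation status is a constructed map of
what a CRL or OCSP responder would report. No signatures are checked.
"""
from datetime import datetime, timezone


def ts(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


def cert(subject, issuer, serial, not_before, not_after):
    return {"subject": subject, "issuer": issuer, "serial": serial,
            "not_before": not_before, "not_after": not_after}


# Constructed certificate store. The relying party's trust anchor is Agency A's
# root; Agency B's root is reachable through the bridge (cross-certs 2 and 4) and
# through an expired direct cross-cert (5); the bridge also cross-certifies
# Agency A back (3), which creates the cycle discovery must not follow.
ANCHOR = "Agency A Root CA"
CERTS = [
    cert("Agency A Root CA", "Agency A Root CA", 1, ts(2005, 1, 1), ts(2025, 1, 1)),
    cert("Federal Bridge CA", "Agency A Root CA", 2, ts(2006, 1, 1), ts(2016, 1, 1)),
    cert("Agency A Root CA", "Federal Bridge CA", 3, ts(2006, 1, 1), ts(2016, 1, 1)),
    cert("Agency B Root CA", "Federal Bridge CA", 4, ts(2006, 1, 1), ts(2016, 1, 1)),
    cert("Agency B Root CA", "Agency A Root CA", 5, ts(2004, 1, 1), ts(2007, 1, 1)),
    cert("Agency B Issuing CA", "Agency B Root CA", 6, ts(2006, 6, 1), ts(2012, 6, 1)),
    cert("alice@agencyb.example", "Agency B Issuing CA", 7, ts(2007, 6, 1), ts(2010, 6, 1)),
]
NOW = ts(2008, 3, 6)


def discover_paths(certs, anchor, target):
    """Trust path discovery: every simple chain from the anchor name to the
    target subject, built forward by following issuer -> subject links."""
    by_issuer = {}
    for c in certs:
        if c["subject"] != c["issuer"]:          # self-signed certs never extend a path
            by_issuer.setdefault(c["issuer"], []).append(c)
    paths = []

    def walk(subject, path, seen):
        for c in by_issuer.get(subject, []):
            if c["subject"] in seen:             # cross-certs run both ways: skip loops
                continue
            chain = path + [c]
            if c["subject"] == target:
                paths.append(chain)
            else:
                walk(c["subject"], chain, seen | {c["subject"]})

    walk(anchor, [], {anchor})
    return paths


def validate_path(path, anchor, now, revoked):
    """Trust path validation: every certificate must chain to its predecessor, be
    inside its validity period and be unrevoked per its issuer's CRL/OCSP data."""
    expected_issuer = anchor
    for c in path:
        label = "serial %d (%s)" % (c["serial"], c["subject"])
        if c["issuer"] != expected_issuer:
            return False, "%s: issued by %r, expected %r" % (label, c["issuer"], expected_issuer)
        if not c["not_before"] <= now <= c["not_after"]:
            return False, "%s: outside validity period" % label
        if c["serial"] in revoked.get(c["issuer"], set()):
            return False, "%s: revoked by %s" % (label, c["issuer"])
        expected_issuer = c["subject"]
    return True, "valid"


class PathValidator:
    """Caches the last good path per end entity but re-validates it on every
    call: only discovery is cached, never validity or revocation status."""

    def __init__(self, certs, anchor):
        self.certs, self.anchor, self.cache = certs, anchor, {}

    def validate(self, target, now, revoked):
        candidates = [self.cache[target]] if target in self.cache else []
        candidates += [p for p in discover_paths(self.certs, self.anchor, target)
                       if p not in candidates]
        rejected = {}
        for path in candidates:
            ok, reason = validate_path(path, self.anchor, now, revoked)
            serials = tuple(c["serial"] for c in path)
            if ok:
                self.cache[target] = path
                return {"valid": True, "path": serials, "rejected": rejected}
            rejected[serials] = reason
        self.cache.pop(target, None)
        return {"valid": False, "path": None, "rejected": rejected}


if __name__ == "__main__":
    v = PathValidator(CERTS, ANCHOR)
    print(v.validate("alice@agencyb.example", NOW, {}))
    # The bridge then revokes its cross-cert to Agency B: the cached path fails.
    print(v.validate("alice@agencyb.example", NOW, {"Federal Bridge CA": {4}}))
```

Discovery returns two candidate paths (via the bridge, and via the expired direct cross-certificate) and silently drops the bridge-to-Agency-A loop. Validation rejects the expired path and accepts the bridge path; once the bridge's cross-certificate to Agency B is revoked, the cached bridge path is rejected on the next transaction even though discovery was skipped, which is the behaviour the paragraph above requires of a caching product.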
Path Discovery & Validation Testing
The Public Key Interoperability Test Suite (PKITS) is a comprehensive X.509 path test suite developed by NIST in conjunction with BAE Systems and NSA. The PKITS path discovery and validation tests check that vendor products and services implement certification path validation as specified in RFC 3280 and work correctly in a bridge environment. A list of approved products and services is published separately.
Federal PKI Hint List
The Federal PKI Policy Authority has established a "hint list" to assist the user in selecting an appropriate credential. The hint list only guides selection; final acceptance of the credential is subject to discovery of a trust path to a trust anchor on the "trust list" and validation of that path.
The "hint list" is a set of Certificate Authority (CA) names (issuer Distinguished Names) that the web server sends to the user's browser in the CertificateRequest message during SSL/TLS session establishment whenever PKI-based client authentication is required; the browser uses these names to narrow the credentials it offers the user.
For assistance on how to bridge-enable your web server with the hint list, please refer to the Bridge-Enabling Web Servers document.
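The CertificateRequest exchange described above, as an added example that is not code from the FPKI site or from any TLS stack. It builds the handshake message with the TLS 1.2 layout (RFC 5246 section 7.4.4; the supported_signature_algorithms field is TLS 1.2 only, earlier versions carry just certificate_types and certificate_authorities), parses it back with every vector length checked, and then does what a browser does with the hint list: offer only a credential whose issuer name is on it. Distinguished Names are DER-encoded with a minimal hand-rolled encoder (PrintableString attributes only) rather than an X.509 library, and every DN and client credential below is constructed; none of them is a real FPKI name.

```python
"""The TLS 1.2 CertificateRequest carrying a hint list, and client-side credential
selection against it. Added example, not code from the FPKI site or a TLS stack.
Names are DER-encoded with a minimal hand-rolled encoder (PrintableString
attributes only) instead of an X.509 library; every DN and client certificate
below is constructed. Layout follows RFC 5246 section 7.4.4.
"""
import struct

# Attribute type OIDs, DER-encoded (2.5.4.6 = C, 2.5.4.10 = O, 2.5.4.11 = OU, 2.5.4.3 = CN)
ATTR_OID = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}


def der_tlv(tag, body):
    """Tag-length-value with definite-length encoding (short and long forms)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        digits = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(digits)]) + digits
    return bytes([tag]) + length + body


def der_name(rdns):
    """X.501 Name: SEQUENCE of SET of SEQUENCE { OID, PrintableString }, one RDN per attribute."""
    out = b""
    for attr, value in rdns:
        atv = der_tlv(0x30, der_tlv(0x06, ATTR_OID[attr]) + der_tlv(0x13, value.encode("ascii")))
        out += der_tlv(0x31, atv)
    return der_tlv(0x30, out)


def build_certificate_request(hint_list):
    """Handshake message: type 13, 3-byte length, then certificate_types<1..2^8-1>,
    supported_signature_algorithms<2..2^16-2>, certificate_authorities<0..2^16-1>."""
    cert_types = bytes([1, 64])                      # rsa_sign, ecdsa_sign
    sig_algs = bytes.fromhex("0401" "0403")          # sha256/rsa, sha256/ecdsa
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in hint_list)
    body = (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)
    return bytes([13]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg):
    """Inverse of build_certificate_request; every length is checked against the
    enclosing vector so a malformed message raises rather than silently over-reading."""
    if not msg or msg[0] != 13:
        raise ValueError("not a CertificateRequest")
    n = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + n]
    if len(body) != n:
        raise ValueError("truncated handshake message")
    off = 0
    ct_len = body[off]; off += 1
    cert_types = list(body[off:off + ct_len]); off += ct_len
    (sa_len,) = struct.unpack("!H", body[off:off + 2]); off += 2
    if sa_len % 2:
        raise ValueError("odd supported_signature_algorithms length")
    sig_algs = [tuple(body[i:i + 2]) for i in range(off, off + sa_len, 2)]; off += sa_len
    (ca_len,) = struct.unpack("!H", body[off:off + 2]); off += 2
    end = off + ca_len
    if end != len(body):
        raise ValueError("certificate_authorities length does not match message")
    hint_list = []
    while off < end:
        (dn_len,) = struct.unpack("!H", body[off:off + 2]); off += 2
        if dn_len == 0 or off + dn_len > end:
            raise ValueError("DistinguishedName overruns certificate_authorities")
        hint_list.append(body[off:off + dn_len]); off += dn_len
    return {"certificate_types": cert_types, "signature_algorithms": sig_algs,
            "certificate_authorities": hint_list}


def select_client_certificate(client_certs, hint_list):
    """Return the first client credential whose issuer name is on the hint list,
    comparing the DER bytes exactly; None means the browser has nothing to offer."""
    hints = set(hint_list)
    for c in client_certs:
        if c["issuer"] in hints:
            return c
    return None


# Constructed hint list and client credentials (none of these are real FPKI DNs).
BRIDGE_DN = der_name([("C", "US"), ("O", "U.S. Government"), ("OU", "FPKI"), ("CN", "Federal Bridge CA")])
AGENCY_DN = der_name([("C", "US"), ("O", "U.S. Government"), ("OU", "Agency A"), ("CN", "Agency A CA")])
HINT_LIST = [BRIDGE_DN, AGENCY_DN]
CLIENT_CERTS = [
    {"label": "corporate badge", "issuer": der_name([("O", "Example Corp"), ("CN", "Example Corp CA")])},
    {"label": "agency PIV", "issuer": AGENCY_DN},
]

if __name__ == "__main__":
    req = build_certificate_request(HINT_LIST)
    parsed = parse_certificate_request(req)
    chosen = select_client_certificate(CLIENT_CERTS, parsed["certificate_authorities"])
    print(len(req), "bytes;", len(parsed["certificate_authorities"]), "issuers; chosen:", chosen and chosen["label"])
```

Selection matches on the exact DER bytes of the issuer name, so a hint list entry and the issuer field of the client's certificate must be encoded identically for the credential to be offered. The hint list does nothing beyond this filtering: the server still has to discover and validate a trust path for whatever certificate the client returns, as the preceding section states.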
Page Last Updated: 06 Mar 2008