diff options
Diffstat (limited to 'doc/protocol/rfc4158.txt')
-rw-r--r-- | doc/protocol/rfc4158.txt | 4539 |
1 files changed, 0 insertions, 4539 deletions
diff --git a/doc/protocol/rfc4158.txt b/doc/protocol/rfc4158.txt deleted file mode 100644 index 52716e1063..0000000000 --- a/doc/protocol/rfc4158.txt +++ /dev/null @@ -1,4539 +0,0 @@ - - - - - - -Network Working Group M. Cooper -Request for Comments: 4158 Orion Security Solutions -Category: Informational Y. Dzambasow - A&N Associates - P. Hesse - Gemini Security Solutions - S. Joseph - Van Dyke Technologies - R. Nicholas - BAE Systems - September 2005 - - - Internet X.509 Public Key Infrastructure: - Certification Path Building - -Status of This Memo - - This memo provides information for the Internet community. It does - not specify an Internet standard of any kind. Distribution of this - memo is unlimited. - -Copyright Notice - - Copyright (C) The Internet Society (2005). - -Abstract - - This document provides guidance and recommendations to developers - building X.509 public-key certification paths within their - applications. By following the guidance and recommendations defined - in this document, an application developer is more likely to develop - a robust X.509 certificate-enabled application that can build valid - certification paths across a wide range of PKI environments. - -Table of Contents - - 1. Introduction ....................................................3 - 1.1. Motivation .................................................4 - 1.2. Purpose ....................................................4 - 1.3. Terminology ................................................5 - 1.4. Notation ...................................................8 - 1.5. Overview of PKI Structures .................................8 - 1.5.1. Hierarchical Structures .............................8 - 1.5.2. Mesh Structures ....................................10 - 1.5.3. Bi-Lateral Cross-Certified Structures ..............11 - 1.5.4. Bridge Structures ..................................13 - 1.6. Bridge Structures and Certification Path Processing .......14 - - - -Cooper, et al. Informational [Page 1] - -RFC 4158 Certification Path Building September 2005 - - - 2. Certification Path Building ....................................15 - 2.1. Introduction to Certification Path Building ...............15 - 2.2. Criteria for Path Building ................................16 - 2.3. Path-Building Algorithms ..................................17 - 2.4. How to Build a Certification Path .........................21 - 2.4.1. Certificate Repetition .............................23 - 2.4.2. Introduction to Path-Building Optimization .........24 - 2.5. Building Certification Paths for Revocation Signer - Certificates ..............................................30 - 2.6. Suggested Path-Building Software Components ...............31 - 2.7. Inputs to the Path-Building Module ........................33 - 2.7.1. Required Inputs ....................................33 - 2.7.2. Optional Inputs ....................................34 - 3. Optimizing Path Building .......................................35 - 3.1. Optimized Path Building ...................................35 - 3.2. Sorting vs. Elimination ...................................38 - 3.3. Representing the Decision Tree ............................41 - 3.3.1. Node Representation for CA Entities ................41 - 3.3.2. Using Nodes to Iterate Over All Paths ..............42 - 3.4. Implementing Path-Building Optimization ...................45 - 3.5. Selected Methods for Sorting Certificates .................46 - 3.5.1. basicConstraints Is Present and cA Equals True .....47 - 3.5.2. Recognized Signature Algorithms ....................48 - 3.5.3. keyUsage Is Correct ................................48 - 3.5.4. Time (T) Falls within the Certificate Validity .....48 - 3.5.5. Certificate Was Previously Validated ...............49 - 3.5.6. Previously Verified Signatures .....................49 - 3.5.7. Path Length Constraints ............................50 - 3.5.8. Name Constraints ...................................50 - 3.5.9. Certificate Is Not Revoked .........................51 - 3.5.10. Issuer Found in the Path Cache ....................52 - 3.5.11. Issuer Found in the Application Protocol ..........52 - 3.5.12. Matching Key Identifiers (KIDs) ...................52 - 3.5.13. Policy Processing .................................53 - 3.5.14. Policies Intersect the Sought Policy Set ..........54 - 3.5.15. Endpoint Distinguished Name (DN) Matching .........55 - 3.5.16. Relative Distinguished Name (RDN) Matching ........55 - 3.5.17. Certificates are Retrieved from - cACertificate Directory Attribute .................56 - 3.5.18. Consistent Public Key and Signature Algorithms ....56 - 3.5.19. Similar Issuer and Subject Names ..................57 - 3.5.20. Certificates in the Certification Cache ...........57 - 3.5.21. Current CRL Found in Local Cache ..................58 - 3.6. Certificate Sorting Methods for Revocation Signer - Certification Paths .......................................58 - 3.6.1. Identical Trust Anchors ............................58 - 3.6.2. Endpoint Distinguished Name (DN) Matching ..........59 - 3.6.3. Relative Distinguished Name (RDN) Matching .........59 - - - -Cooper, et al. Informational [Page 2] - -RFC 4158 Certification Path Building September 2005 - - - 3.6.4. Identical Intermediate Names .......................60 - 4. Forward Policy Chaining ........................................60 - 4.1. Simple Intersection .......................................61 - 4.2. Policy Mapping ............................................62 - 4.3. Assigning Scores for Forward Policy Chaining ..............63 - 5. Avoiding Path-Building Errors ..................................64 - 5.1. Dead Ends .................................................64 - 5.2. Loop Detection ............................................65 - 5.3. Use of Key Identifiers ....................................66 - 5.4. Distinguished Name Encoding ...............................66 - 6. Retrieval Methods ..............................................67 - 6.1. Directories Using LDAP ....................................67 - 6.2. Certificate Store Access via HTTP .........................69 - 6.3. Authority Information Access ..............................69 - 6.4. Subject Information Access ................................70 - 6.5. CRL Distribution Points ...................................70 - 6.6. Data Obtained via Application Protocol ....................71 - 6.7. Proprietary Mechanisms ....................................71 - 7. Improving Retrieval Performance ................................71 - 7.1. Caching ...................................................72 - 7.2. Retrieval Order ...........................................73 - 7.3. Parallel Fetching and Prefetching .........................73 - 8. Security Considerations ........................................74 - 8.1. General Considerations for Building a Certification Path ..74 - 8.2. Specific Considerations for Building Revocation - Signer Paths ..............................................75 - 9. Acknowledgements ...............................................78 - 10. Normative References ..........................................78 - 11. Informative References ........................................78 - -1. Introduction - - [X.509] public key certificates have become an accepted method for - securely binding the identity of an individual or device to a public - key, in order to support public key cryptographic operations such as - digital signature verification and public key-based encryption. - However, prior to using the public key contained in a certificate, an - application first has to determine the authenticity of that - certificate, and specifically, the validity of all the certificates - leading to a trusted public key, called a trust anchor. Through - validating this certification path, the assertion of the binding made - between the identity and the public key in each of the certificates - can be traced back to a single trust anchor. - - The process by which an application determines this authenticity of a - certificate is called certification path processing. Certification - path processing establishes a chain of trust between a trust anchor - and a certificate. This chain of trust is composed of a series of - - - -Cooper, et al. Informational [Page 3] - -RFC 4158 Certification Path Building September 2005 - - - certificates known as a certification path. A certification path - begins with a certificate whose signature can be verified using a - trust anchor and ends with the target certificate. Path processing - entails building and validating the certification path to determine - whether a target certificate is appropriate for use in a particular - application context. See Section 3.2 of [RFC3280] for more - information on certification paths and trust. - -1.1. Motivation - - Many other documents (such as [RFC3280]) cover certification path - validation requirements and procedures in detail but do not discuss - certification path building because the means used to find the path - does not affect its validation. This document therefore is an effort - to provide useful guidance for developers of certification path- - building implementations. - - Additionally, the need to develop complex certification paths is - increasing. Many PKIs are now using complex structures (see Section - 1.5) rather than simple hierarchies. Additionally, some enterprises - are gradually moving away from trust lists filled with many trust - anchors, and toward an infrastructure with one trust anchor and many - cross-certified relationships. This document provides helpful - information for developing certification paths in these more - complicated situations. - -1.2. Purpose - - This document provides information and guidance for certification - path building. There are no requirements or protocol specifications - in this document. This document provides many options for performing - certification path building, as opposed to just one particular way. - This document draws upon the authors' experiences with existing - complex certification paths to offer insights and recommendations to - developers who are integrating support for [X.509] certificates into - their applications. - - In addition, this document suggests using an effective general - approach to path building that involves a depth first tree traversal. - While the authors believe this approach offers the balance of - simplicity in design with very effective and infrastructure-neutral - path-building capabilities, the algorithm is no more than a suggested - approach. Other approaches (e.g., breadth first tree traversals) - exist and may be shown to be more effective under certain conditions. - Certification path validation is described in detail in both [X.509] - and [RFC3280] and is not repeated in this document. - - - - - -Cooper, et al. Informational [Page 4] - -RFC 4158 Certification Path Building September 2005 - - - This document does not provide guidance for building the - certification path from an end entity certificate to a proxy - certificate as described in [RFC3820]. - -1.3. Terminology - - Terms used throughout this document will be used in the following - ways: - - Building in the Forward direction: The process of building a - certification path from the target certificate to a trust anchor. - 'Forward' is the former name of the crossCertificatePair element - 'issuedToThisCA'. - - Building in the Reverse direction: The process of building a - certification path from a trust anchor to the target certificate. - 'Reverse' is the former name of the crossCertificatePair element - 'issuedByThisCA'. - - Certificate: A digital binding that cannot be counterfeited between - a named entity and a public key. - - Certificate Graph: A graph that represents the entire PKI (or all - cross-certified PKIs) in which all named entities are viewed as - nodes and all certificates are viewed as arcs between nodes. - - Certificate Processing System: An application or device that - performs the functions of certification path building and - certification path validation. - - Certification Authority (CA): An entity that issues and manages - certificates. - - Certification Path: An ordered list of certificates starting with a - certificate signed by a trust anchor and ending with the target - certificate. - - Certification Path Building: The process used to assemble the - certification path between the trust anchor and the target - certificate. - - Certification Path Validation: The process that verifies the binding - between the subject and the subject-public-key defined in the - target certificate, using a trust anchor and set of known - constraints. - - - - - - -Cooper, et al. Informational [Page 5] - -RFC 4158 Certification Path Building September 2005 - - - Certificate Revocation List (CRL): A signed, time stamped list - identifying a set of certificates that are no longer considered - valid by the certificate issuer. - - CRL Signer Certificate: The specific certificate that may be used for - verifying the signature on a CRL issued by, or on behalf of, a - specific CA. - - Cross-Certificate: A certificate issued by one CA to another CA for - the purpose of establishing a trust relationship between the two - CAs. - - Cross-Certification: The act of issuing cross-certificates. - - Decision Tree: When the path-building software has multiple - certificates to choose from, and must make a decision, the - collection of possible choices is called a decision tree. - - Directory: Generally used to refer an LDAP accessible repository for - certificates and PKI information. The term may also be used - generically to refer to any certificate storing repository. - - End Entity: The holder of a private key and corresponding - certificate, whose identity is defined as the Subject of the - certificate. Human end entities are often called "subscribers". - - Is-revocation-signer indicator: A boolean flag furnished to the - path-building software. If set, this indicates that the target - certificate is a Revocation Signer certificate for a specific CA. - For example, if building a certification path for an indirect CRL - Signer certificate, this flag would be set. - - Local PKI: The set of PKI components and data (certificates, - directories, CRLs, etc.) that are created and used by the - certificate using organization. In general, this concept refers - to the components that are in close proximity to the certificate - using application. The assumption is that the local data is more - easily accessible and/or inexpensive to retrieve than non-local - PKI data. - - Local Realm: See Local PKI. - - Node (in a certificate graph): The collection of certificates having - identical subject distinguished names. - - Online Certificate Status Protocol (OCSP): An Internet protocol used - by a client to obtain the revocation status of a certificate from - a server. - - - -Cooper, et al. Informational [Page 6] - -RFC 4158 Certification Path Building September 2005 - - - OCSP Response Signer Certificate: The specific certificate that may - be used for verifying the signature on an OCSP response. This - response may be provided by the CA, on behalf of the CA, or by a - different signer as determined by the Relying Party's local - policy. - - Public Key Infrastructure (PKI): The set of hardware, software, - personnel, policy, and procedures used by a CA to issue and manage - certificates. - - Relying Party (RP): An application or entity that processes - certificates for the purpose of 1) verifying a digital signature, - 2) authenticating another entity, or 3) establishing confidential - communications. - - Revocation Signer Certificate: Refers collectively to either a CRL - Signer Certificate or OCSP Response Signer Certificate. - - Target Certificate: The certificate that is to be validated by a - Relying Party. It is the "Certificate targeted for validation". - Although frequently this is the End Entity or a leaf node in the - PKI structure, this could also be a CA certificate if a CA - certificate is being validated. (e.g., This could be for the - purpose of building and validating a certification path for the - signer of a CRL.) - - Trust (of public keys): In the scope of this document, a public key - is considered trustworthy if the certificate containing the public - key can be validated according to the procedures in [RFC3280]. - - Trust List: A list of trust anchors. - - Trust Anchor: The combination of a trusted public key and the name of - the entity to which the corresponding private key belongs. - - Trust Anchor Certificate: A self-signed certificate for a trust - anchor that is used in certification path processing. - - User: An individual that is using a certificate processing system. - This document refers to some cases in which users may or may not - be prompted with information or requests, depending upon the - implementation of the certificate processing system. - - - - - - - - - -Cooper, et al. Informational [Page 7] - -RFC 4158 Certification Path Building September 2005 - - -1.4. Notation - - This document makes use of a few common notations that are used in - the diagrams and examples. - - The first is the arrow symbol (->) which represents the issuance of a - certificate from one entity to another. For example, if entity H - were to issue a certificate to entity K, this is denoted as H->K. - - Sometimes it is necessary to specify the subject and issuer of a - given certificate. If entity H were to issue a certificate to entity - K this can be denoted as K(H). - - These notations can be combined to denote complicated certification - paths such as C(D)->B(C)->A(B). - -1.5. Overview of PKI Structures - - When verifying [X.509] public key certificates, often the application - performing the verification has no knowledge of the underlying Public - Key Infrastructure (PKI) that issued the certificate. PKI structures - can range from very simple, hierarchical structures to complex - structures such as mesh architectures involving multiple bridges (see - Section 1.5.4). These structures define the types of certification - paths that might be built and validated by an application [MINHPKIS]. - This section describes four common PKI structures. - -1.5.1. Hierarchical Structures - - A hierarchical PKI, depicted in Figure 1, is one in which all of the - end entities and relying parties use a single "Root CA" as their - trust anchor. If the hierarchy has multiple levels, the Root CA - certifies the public keys of intermediate CAs (also known as - subordinate CAs). These CAs then certify end entities' - (subscribers') public keys or may, in a large PKI, certify other CAs. - In this architecture, certificates are issued in only one direction, - and a CA never certifies another CA "superior" to itself. Typically, - only one superior CA certifies each CA. - - - - - - - - - - - - - -Cooper, et al. Informational [Page 8] - -RFC 4158 Certification Path Building September 2005 - - - +---------+ - +---| Root CA |---+ - | +---------+ | - | | - | | - v v - +----+ +----+ - +-----| CA | +-----| CA |------+ - | +----+ | +----+ | - | | | - v v v - +----+ +----+ +----+ - +--| CA |-----+ | CA |-+ +---| CA |---+ - | +----+ | +----+ | | +----+ | - | | | | | | | | - | | | | | | | | - v v v v v v v v - +----+ +----+ +----+ +----+ +----+ +----+ +----+ +----+ - | EE | | EE | | EE | | EE | | EE | | EE | | EE | | EE | - +----+ +----+ +----+ +----+ +----+ +----+ +----+ +----+ - - Figure 1 - Sample Hierarchical PKI - - Certification path building in a hierarchical PKI is a - straightforward process that simply requires the relying party to - successively retrieve issuer certificates until a certificate that - was issued by the trust anchor (the "Root CA" in Figure 1) is - located. - - A widely used variation on the single-rooted hierarchical PKI is the - inclusion of multiple CAs as trust anchors. (See Figure 2.) Here, - end entity certificates are validated using the same approach as with - any hierarchical PKI. The difference is that a certificate will be - accepted if it can be verified back to any of the set of trust - anchors. Popular web browsers use this approach, and are shipped - with trust lists containing dozens to more than one hundred CAs. - While this approach simplifies the implementation of a limited form - of certificate verification, it also may introduce certain security - vulnerabilities. For example, the user may have little or no idea of - the policies or operating practices of the various trust anchors, and - may not be aware of which root was used to verify a given - certificate. Additionally, the compromise of any trusted CA private - key or the insertion of a rogue CA certificate to the trust list may - compromise the entire system. Conversely, if the trust list is - properly managed and kept to a reasonable size, it can be an - efficient solution to building and validating certification paths. - - - - - -Cooper, et al. Informational [Page 9] - -RFC 4158 Certification Path Building September 2005 - - - +-------------------------------------------------------+ - | Trust List | - | | - | +---------+ +---------+ +---------+ | - | +--| Root CA | | Root CA | | Root CA | | - | | +---------+ +---------+ +---------+ | - | | | | | | - +--|------|----------------|---------------- |----------+ - | | | | - | | | | - | | v | - | | +----+ | - | | +----| CA |---+ | - | | | +----+ | | - | | | | | - | | v v v - | | +----+ +----+ +----+ - | | | CA |---+ | CA |-+ | CA |---+ - | | +----+ | +----+ | +----+ | - | | | | | | | | - | | | | | | | | - v v v v v v v v - +----+ +----+ +----+ +----+ +----+ +----+ +----+ +----+ - | EE | | EE | | EE | | EE | | EE | | EE | | EE | | EE | - +----+ +----+ +----+ +----+ +----+ +----+ +----+ +----+ - - Figure 2 - Multi-Rooted Hierarchical PKI - -1.5.2. Mesh Structures - - In a typical mesh style PKI (depicted in Figure 3), each end entity - trusts the CA that issued their own certificate(s). Thus, there is - no 'Root CA' for the entire PKI. The CAs in this environment have - peer relationships; they are neither superior nor subordinate to one - another. In a mesh, CAs in the PKI cross-certify. That is, each CA - issues a certificate to, and is issued a certificate by, peer CAs in - the PKI. The figure depicts a mesh PKI that is fully cross-certified - (sometimes called a full mesh). However, it is possible to architect - and deploy a mesh PKI with a mixture of uni-directional and bi- - directional cross-certifications (called a partial mesh). Partial - meshes may also include CAs that are not cross-certified with other - CAs in the mesh. - - - - - - - - - -Cooper, et al. Informational [Page 10] - -RFC 4158 Certification Path Building September 2005 - - - +---------------------------------+ - | | - +-----------+----------------------+ | - | v v | - | +-------+ +------+ | - | +--->| CA B |<------------->| CA C |<--+ | - | | +-------+ +------+ | | - | | | ^ ^ | | | - | | v | | | | | - | | +----+ | | | | | - | | | EE | +----+ +--------+ v | | - | | +----+ | | +----+ | | - | | | | | EE | | | - v v v v +----+ v v - +------+ +------+ +------+ - | CA E |<----------->| CA A |<----------->| CA D | - +------+ +------+ +------+ - | ^ ^ ^ ^ | - | | | | | | - v | +------------------------------------+ | v - +----+ | | +----+ - | EE | | +------+ | | EE | - +----+ +----------------| CA F |-----------------+ +----+ - +------+ - - Figure 3 - Mesh PKI - - Certification path building in a mesh PKI is more complex than in a - hierarchical PKI due to the likely existence of multiple paths - between a relying party's trust anchor and the certificate to be - verified. These multiple paths increase the potential for creating - "loops", "dead ends", or invalid paths while building the - certification path between a trust anchor and a target certificate. - In addition, in cases where no valid path exists, the total number of - paths traversed by the path-building software in order to conclude - "no path exists" can grow exceedingly large. For example, if - ignoring everything except the structure of the graph, the Mesh PKI - figure above has 22 non-self issued CA certificates and a total of - 5,092,429 certification paths between CA F and the EE issued by CA D - without repeating any certificates. - -1.5.3. Bi-Lateral Cross-Certified Structures - - PKIs can be connected via cross-certification to enable the relying - parties of each to verify and accept certificates issued by the other - PKI. If the PKIs are hierarchical, cross-certification will - typically be accomplished by each Root CA issuing a certificate for - the other PKI's Root CA. This results in a slightly more complex, - - - -Cooper, et al. Informational [Page 11] - -RFC 4158 Certification Path Building September 2005 - - - but still essentially hierarchical environment. If the PKIs are mesh - style, then a CA within each PKI is selected, more or less - arbitrarily, to establish the cross-certification, effectively - creating a larger mesh PKI. Figure 4 depicts a hybrid situation - resulting from a hierarchical PKI cross-certifying with a mesh PKI. - - PKI 1 and 2 cross-certificates - +-------------------------------+ - | | - | v - | +---------+ - | +----| Root CA |---+ - | | +---------+ | - | | PKI 1 | - | v v - | +------+ +------+ - v PKI 2 +-| CA |-+ | CA | - +------+ | +------+ | +------+ - +------->| CA |<-----+ | | | | | - | +------+ | | | | | | - | | | | v v v v v - | | | | +----+ +----+ +----+ +----+ +----+ - | v v | | EE | | EE | | EE | | EE | | EE | - | +----+ +----+ | +----+ +----+ +----+ +----+ +----+ - | | EE | | EE | | - | +----+ +----+ | - v v - +------+ +------+ - | CA |<-------------->| CA |------+ - +------+ +------+ | - | | | | | - | | | | | - v v v v v - +----+ +----+ +----+ +----+ +----+ - | EE | | EE | | EE | | EE | | EE | - +----+ +----+ +----+ +----+ +----+ - - Figure 4 - Hybrid PKI - - In current implementations, this situation creates a concern that the - applications used under the hierarchical PKIs will not have path - building capabilities robust enough to handle this more complex - certificate graph. As the number of cross-certified PKIs grows, the - number of the relationships between them grows exponentially. Two - principal concerns about cross-certification are the creation of - unintended certification paths through transitive trust, and the - dilution of assurance when a high-assurance PKI with restrictive - operating policies is cross-certified with a PKI with less - - - -Cooper, et al. Informational [Page 12] - -RFC 4158 Certification Path Building September 2005 - - - restrictive policies. (Proper name constraints and certificate - policies processing can help mitigate the problem of assurance - dilution.) - -1.5.4. Bridge Structures - - Another approach to the interconnection of PKIs is the use of a - "bridge" certification authority (BCA). A BCA is a nexus to - establish trust paths among multiple PKIs. The BCA cross-certifies - with one CA in each participating PKI. Each PKI only cross-certifies - with one other CA (i.e., the BCA), and the BCA cross-certifies only - once with each participating PKI. As a result, the number of cross - certified relationships in the bridged environment grows linearly - with the number of PKIs whereas the number of cross-certified - relationships in mesh architectures grows exponentially. However, - when connecting PKIs in this way, the number and variety of PKIs - involved results in a non-hierarchical environment, such as the one - as depicted in Figure 5. (Note: as discussed in Section 2.3, non- - hierarchical PKIs can be considered hierarchical, depending upon - perspective.) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Cooper, et al. Informational [Page 13] - -RFC 4158 Certification Path Building September 2005 - - - PKI 1 cross-certified with Bridge - +-------------------------------+ - | | - v v - +-----------+ +---------+ - | Bridge CA | +---| Root CA |-----+ - +-----------+ | +---------+ | - ^ | PKI 1 | - PKI 2 cross|cert with Bridge v v - | +------+ +------+ - v PKI 2 +-| CA |-+ | CA | - +------+ | +------+ | +------+ - +------->| CA |<-----+ | | | | | - | +------+ | | | | | | - | | | | v v v v v - | | | | +----+ +----+ +----+ +----+ +----+ - | v v | | EE | | EE | | EE | | EE | | EE | - | +----+ +----+ | +----+ +----+ +----+ +----+ +----+ - | | EE | | EE | | - | +----+ +----+ | - v v - +------+ +------+ - | CA |<-------------->| CA |------+ - +------+ +------+ | - | | | | | - | | | | | - v v v v v - +----+ +----+ +----+ +----+ +----+ - | EE | | EE | | EE | | EE | | EE | - +----+ +----+ +----+ +----+ +----+ - - Figure 5 - Cross-Certification with a Bridge CA - -1.6. Bridge Structures and Certification Path Processing - - Developers building certificate-enabled applications intended for - widespread use throughout various sectors are encouraged to consider - supporting a Bridge PKI structure because implementation of - certification path processing functions to support a Bridge PKI - structure requires support of all the PKI structures (e.g., - hierarchical, mesh, hybrid) which the Bridge may connect. An - application that can successfully build valid certification paths in - all Bridge PKIs will therefore have implemented all of the processing - logic required to support the less complicated PKI structures. Thus, - if an application fully supports the Bridge PKI structure, it can be - deployed in any standards-compliant PKI environment and will perform - the required certification path processing properly. - - - - -Cooper, et al. Informational [Page 14] - -RFC 4158 Certification Path Building September 2005 - - -2. Certification Path Building - - Certification path building is the process by which the certificate - processing system obtains the certification path between a trust - anchor and the target certificate. Different implementations can - build the certification path in different ways; therefore, it is not - the intent of this document to recommend a single "best" way to - perform this function. Rather, guidance is provided on the technical - issues that surround the path-building process, and on the - capabilities path-building implementations need in order to build - certification paths successfully, irrespective of PKI structures. - -2.1. Introduction to Certification Path Building - - A certification path is an ordered list of certificates starting with - a certificate that can be validated by one of the relying party's - trust anchors, and ending with the certificate to be validated. (The - certificate to be validated is referred to as the "target - certificate" throughout this document.) Though not required, as a - matter of convenience these trust anchors are typically stored in - trust anchor certificates. The intermediate certificates that - comprise the certification path may be retrieved by any means - available to the validating application. These sources may include - LDAP, HTTP, SQL, a local cache or certificate store, or as part of - the security protocol itself as is common practice with signed S/MIME - messages and SSL/TLS sessions. - - Figure 6 shows an example of a certification path. In this figure, - the horizontal arrows represent certificates, and the notation B(A) - signifies a certificate issued to B, signed by A. - - +---------+ +-----+ +-----+ +-----+ +--------+ - | Trust |----->| CA |---->| CA |---->| CA |---->| Target | - | Anchor | : | A | : | B | : | C | : | EE | - +---------+ : +-----+ : +-----+ : +-----+ : +--------+ - : : : : - : : : : - Cert 1 Cert 2 Cert 3 Cert 4 - A(Trust Anchor) B(A) C(B) Target(C) - - Figure 6 - Example Certification Path - - Unlike certification path validation, certification path building is - not addressed by the standards that define the semantics and - structure of a PKI. This is because the validation of a - certification path is unaffected by the method in which the - certification path was built. However, the ability to build a valid - certification path is of paramount importance for applications that - - - -Cooper, et al. Informational [Page 15] - -RFC 4158 Certification Path Building September 2005 - - - rely on a PKI. Without valid certification paths, certificates - cannot be validated according to [RFC3280] and therefore cannot be - trusted. Thus, the ability to build a path is every bit as important - as the ability to validate it properly. - - There are many issues that can complicate the path-building process. - For example, building a path through a cross-certified environment - could require the path-building module to traverse multiple PKI - domains spanning multiple directories, using multiple algorithms, and - employing varying key lengths. A path-building client may also need - to manage a number of trust anchors, partially populated directory - entries (e.g., missing issuedToThisCA entries in the - crossCertificatePair attribute), parsing of certain certificate - extensions (e.g., authorityInformationAccess) and directory - attributes (e.g., crossCertificatePair), and error handling such as - loop detection. - - In addition, a developer has to decide whether to build paths from a - trust anchor (the reverse direction) to the target certificate or - from the target certificate (the forward direction) to a trust - anchor. Some implementations may even decide to use both. The - choice a developer makes should be dependent on the environment and - the underlying PKI for that environment. More information on making - this choice can be found in Section 2.3. - -2.2. Criteria for Path Building - - From this point forward, this document will be discussing specific - algorithms and mechanisms to assist developers of certification - path-building implementations. To provide justification for these - mechanisms, it is important to denote what the authors considered the - criteria for a path-building implementation. - - Criterion 1: The implementation is able to find all possible paths, - excepting paths containing repeated subject name/public key pairs. - This means that all potentially valid certification paths between the - trust anchor and the target certificate which may be valid paths can - be built by the algorithm. As discussed in Section 2.4.2, we - recommend that subject names and public key pairs are not repeated in - paths. - - Criterion 2: The implementation is as efficient as possible. An - efficient certification path-building implementation is defined to be - one that builds paths that are more likely to validate following - [RFC3280], before building paths that are not likely to validate, - with the understanding that there is no way to account for all - possible configurations and infrastructures. This criterion is - intended to ensure implementations that can produce useful error - - - -Cooper, et al. Informational [Page 16] - -RFC 4158 Certification Path Building September 2005 - - - information. If a particular path is entirely valid except for a - single expired certificate, this is most likely the 'right' path. If - other paths are developed that are invalid for multiple obscure - reasons, this provides little useful information. - - The algorithms and mechanisms discussed henceforth are chosen because - the authors consider them to be good methods for meeting the above - criteria. - -2.3. Path-Building Algorithms - - It is intuitive for people familiar with the Bridge CA concept or - mesh type PKIs to view path building as traversing a complex graph. - However, from the simplest viewpoint, writing a path-building module - can be nothing more than traversal of a spanning tree, even in a very - complex cross-certified environment. Complex environments as well as - hierarchical PKIs can be represented as trees because certificates - are not permitted to repeat in a path. If certificates could be - repeated, loops can be formed such that the number of paths and - number of certificates in a path both increase without bound (e.g., A - issues to B, B issues to C, and C issues to A). Figure 7 below - illustrates this concept from the trust anchor's perspective. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Cooper, et al. Informational [Page 17] - -RFC 4158 Certification Path Building September 2005 - - - +---------+ +---------+ - | Trust | | Trust | - | Anchor | | Anchor | - +---------+ +---------+ - | | | | - v v v v - +---+ +---+ +---+ +---+ - | A |<-->| C | +--| A | | C |--+ - +---+ +---+ | +---+ +---+ | - | | | | | | - | +---+ | v v v v - +->| B |<-+ +---+ +---+ +---+ +---+ - +---+ | B | | C | | A | | B | - | +---+ +---+ +---+ +---+ - v | | | | - +----+ v v v v - | EE | +----+ +---+ +---+ +----+ - +----+ | EE | | B | | B | | EE | - +----+ +---+ +---+ +----+ - A certificate graph with | | - bi-directional cross-cert. v v - between CAs A and C. +----+ +----+ - | EE | | EE | - +----+ +----+ - - The same certificate graph - rendered as a tree - the - way path-building software - could see it. - - Figure 7 - Simple Certificate Graph - From Anchor Tree Depiction - - When viewed from this perspective, all PKIs look like hierarchies - emanating from the trust anchor. An infrastructure can be depicted - in this way regardless of its complexity. In Figure 8, the same - graph is depicted from the end entity (EE) (the target certificate in - this example). It would appear this way if building in the forward - (from EE or from target) direction. In this example, without knowing - any particulars of the certificates, it appears at first that - building from EE has a smaller decision tree than building from the - trust anchor. While it is true that there are fewer nodes in the - tree, it is not necessarily more efficient in this example. - - - - - - - - - -Cooper, et al. Informational [Page 18] - -RFC 4158 Certification Path Building September 2005 - - - +---------+ +---------+ - | Trust | | Trust | - | Anchor | | Anchor | - +---------+ +---------+ - ^ ^ - | | - | | - +---+ +---+ - | A | | C | - +---+ +---+ - +---------+ ^ ^ +---------+ - | Trust | | | | Trust | - | Anchor | | | | Anchor | - +---------+ | | +---------+ - ^ | | ^ - | +---+ +---+ | - +-------| C | | A |---------+ - +---+ +---+ - ^ ^ - | | - | +---+ | - +---------| B |------+ - +---+ - ^ - | - | - +----+ - | EE | - +----+ - - The same certificate graph rendered - as a tree but from the end entity - rather than the trust anchor. - - Figure 8 - Certificate Graph - From Target Certificate Depiction - - Suppose a path-building algorithm performed no optimizations. That - is, the algorithm is only capable of detecting that the current - certificate in the tree was issued by the trust anchor, or that it - issued the target certificate (EE). From the tree above, building - from the target certificate will require going through two - intermediate certificates before encountering a certificate issued by - the trust anchor 100% of the time (e.g., EE chains to B, which then - chains to C, which is issued by the Trust Anchor). The path-building - module would not chain C to A because it can recognize that C has a - certificate issued by the Trust Anchor (TA). - - - - - -Cooper, et al. Informational [Page 19] - -RFC 4158 Certification Path Building September 2005 - - - On the other hand, in the first tree (Figure 7: from anchor - depiction), there is a 50% probability of building a path longer than - needed (e.g., TA to A to C to B to EE rather than the shorter TA to A - to B to EE). However, even given our simplistic example, the path- - building software, when at A, could be designed to recognize that B's - subject distinguished name (DN) matches the issuer DN of the EE. - Given this one optimization, the builder could prefer B to C. (B's - subject DN matches that of the EE's issuer whereas C's subject DN - does not.) So, for this example, assuming the issuedByThisCA - (reverse) and issuedToThisCA (forward) elements were fully populated - in the directory and our path-building module implemented the - aforementioned DN matching optimization method, path building from - either the trust anchor or the target certificate could be made - roughly equivalent. A list of possible optimization methods is - provided later in this document. - - A more complicated example is created when the path-building software - encounters a situation when there are multiple certificates from - which to choose while building a path. We refer to this as a large - decision tree, or a situation with high fan-out. This might occur if - an implementation has multiple trust anchors to choose from, and is - building in the reverse (from trust anchor) direction. Or, it may - occur in either direction if a Bridge CA is encountered. Large - decision trees are the enemy of efficient path-building software. To - combat this problem, implementations should make careful decisions - about the path-building direction, and should utilize optimizations - such as those discussed in Section 3.1 when confronted with a large - decision tree. - - Irrespective of the path-building approach for any path-building - algorithm, cases can be constructed that make the algorithm perform - poorly. The following questions should help a developer decide from - which direction to build certification paths for their application: - - 1) What is required to accommodate the local PKI environment and the - PKI environments with which interoperability will be required? - - a. If using a directory, is the directory [RFC2587] compliant - (specifically, are the issuedToThisCA [forward] cross- - certificates and/or the cACertificate attributes fully - populated in the directory)? If yes, you are able to build in - the forward direction. - - b. If using a directory, does the directory contain all the - issuedByThisCA (reverse) cross-certificates in the - crossCertificatePair attribute, or, alternately, are all - certificates issued from each CA available via some other - means? If yes, it is possible to build in the reverse - - - -Cooper, et al. Informational [Page 20] - -RFC 4158 Certification Path Building September 2005 - - - direction. Note: [RFC2587] does not require the issuedByThisCA - (reverse) cross-certificates to be populated; if they are - absent it will not be possible to build solely in the reverse - direction. - - c. Are all issuer certificates available via some means other than - a directory (e.g., the authorityInformationAccess extension is - present and populated in all certificates)? If yes, you are - able to build in the forward direction. - - 2) How many trust anchors will the path-building and validation - software be using? - - a. Are there (or will there be) multiple trust anchors in the - local PKI? If yes, forward path building may offer better - performance. - - b. Will the path-building and validation software need to place - trust in trust anchors from PKIs that do not populate reverse - cross-certificates for all intermediate CAs? If no, and the - local PKI populates reverse cross-certificates, reverse path - building is an option. - -2.4. How to Build a Certification Path - - As was discussed in the prior section, path building is essentially a - tree traversal. It was easy to see how this is true in a simple - example, but how about a more complicated one? Before taking a look - at more a complicated scenario, it is worthwhile to address loops and - what constitutes a loop in a certification path. [X.509] specifies - that the same certificate may not repeat in a path. In a strict - sense, this works well as it is not possible to create an endless - loop without repeating one or more certificates in the path. - However, this requirement fails to adequately address Bridged PKI - environments. - - - - - - - - - - - - - - - - -Cooper, et al. Informational [Page 21] - -RFC 4158 Certification Path Building September 2005 - - - +---+ +---+ - | F |--->| H | - +---+ +---+ - ^ ^ ^ - | \ \ - | \ \ - | v v - | +---+ +---+ - | | G |--->| I | - | +---+ +---+ - | ^ - | / - | / - +------+ +-----------+ +------+ +---+ +---+ - | TA W |<----->| Bridge CA |<------>| TA X |-->| L |-->| M | - +------+ +-----------+ +------+ +---+ +---+ - ^ ^ \ \ - / \ \ \ - / \ \ \ - v v v v - +------+ +------+ +---+ +---+ - | TA Y | | TA Z | | J | | N | - +------+ +------+ +---+ +---+ - / \ / \ | | - / \ / \ | | - / \ / \ v v - v v v v +---+ +----+ - +---+ +---+ +---+ +---+ | K | | EE | - | A |<--->| C | | O | | P | +---+ +----+ - +---+ +---+ +---+ +---+ - \ / / \ \ - \ / / \ \ - \ / v v v - v v +---+ +---+ +---+ - +---+ | Q | | R | | S | - | B | +---+ +---+ +---+ - +---+ | - /\ | - / \ | - v v v - +---+ +---+ +---+ - | E | | D | | T | - +---+ +---+ +---+ - - Figure 9 - Four Bridged PKIs - - - - - - -Cooper, et al. Informational [Page 22] - -RFC 4158 Certification Path Building September 2005 - - - Figure 9 depicts four root certification authorities cross-certified - with a Bridge CA (BCA). While multiple trust anchors are shown in - the Figure, our examples all consider TA Z as the trust anchor. The - other trust anchors serve different relying parties. By building - certification paths through the BCA, trust can be extended across the - four infrastructures. In Figure 9, the BCA has four certificates - issued to it; one issued from each of the trust anchors in the graph. - If stored in the BCA directory system, the four certificates issued - to the BCA would be stored in the issuedToThisCA (forward) entry of - four different crossCertificatePair structures. The BCA also has - issued four certificates, one to each of the trust anchors. If - stored in the BCA directory system, those certificates would be - stored in the issuedByThisCA (reverse) entry of the same four - crossCertificatePair structures. (Note that the cross-certificates - are stored as matched pairs in the crossCertificatePair attribute. - For example, a crossCertificatePair structure might contain both A(B) - and B(A), but not contain A(C) and B(A).) The four - crossCertificatePair structures would then be stored in the BCA's - directory entry in the crossCertificatePair attribute. - -2.4.1. Certificate Repetition - - [X.509] requires that certificates are not repeated when building - paths. For instance, from the figure above, do not build the path TA - Z->BCA->Y->A->C->A->C->B->D. Not only is the repetition unnecessary - to build the path from Z to D, but it also requires the reuse of a - certificate (the one issued from C to A), which makes the path non- - compliant with [X.509]. - - What about the following path from TA Z to EE? - - TA Z->BCA->Y->BCA->W->BCA->X->L->N->EE - - Unlike the first example, this path does not require a developer to - repeat any certificates; therefore, it is compliant with [X.509]. - Each of the BCA certificates is issued from a different source and is - therefore a different certificate. Suppose now that the bottom left - PKI (in Figure 9) had double arrows between Y and C, as well as - between Y and A. The following path could then be built: - - TA Z->BCA->Y->A->C->Y->BCA->W->BCA->X->L->N->EE - - A path such as this could become arbitrarily complex and traverse - every cross-certified CA in every PKI in a cross-certified - environment while still remaining compliant with [X.509]. As a - practical matter, the path above is not something an application - would typically want or need to build for a variety of reasons: - - - - -Cooper, et al. Informational [Page 23] - -RFC 4158 Certification Path Building September 2005 - - - - First, certification paths like the example above are generally - not intended by the PKI designers and should not be necessary in - order to validate any given certificate. If a convoluted path - such as the example above is required (there is no corresponding - simple path) in order to validate a given certificate, this is - most likely indicative of a flaw in the PKI design. - - - Second, the longer a path becomes, the greater the potential - dilution of trust in the certification path. That is, with each - successive link in the infrastructure (i.e., certification by - CAs and cross-certification between CAs) some amount of - assurance may be considered lost. - - - Third, the longer and more complicated a path, the less likely - it is to validate because of basic constraints, policies or - policy constraints, name constraints, CRL availability, or even - revocation. - - - Lastly, and certainly not least important from a developer's or - user's perspective, is performance. Allowing paths like the one - above dramatically increases the number of possible paths for - every certificate in a mesh or cross-certified environment. - Every path built may require one or more of the following: - validation of certificate properties, CPU intensive signature - validations, CRL retrievals, increased network load, and local - memory caching. Eliminating the superfluous paths can greatly - improve performance, especially in the case where no path - exists. - - There is a special case involving certificates with the same - distinguished names but differing encodings required by [RFC3280]. - This case should not be considered a repeated certificate. See - Section 5.4 for more information. - -2.4.2. Introduction to Path-Building Optimization - - How can these superfluous paths be eliminated? Rather than only - disallowing identical certificates from repeating, it is recommended - that a developer disallow the same public key and subject name pair - from being repeated. For maximum flexibility, the subject name - should collectively include any subject alternative names. Using - this approach, all of the intended and needed paths should be - available, and the excess and diluted paths should be eliminated. - For example, using this approach, only one path exists from the TA Z - to EE in the diagram above: TA Z->BCA->X->L->N->EE. - - - - - - -Cooper, et al. Informational [Page 24] - -RFC 4158 Certification Path Building September 2005 - - - Given the simplifying rule of not repeating pairs of subject names - (including subject alternative names) and public keys, and only using - certificates found in the cACertificate and forward (issuedToThisCA) - element of the crossCertificatePair attributes, Figure 10 depicts the - forward path-building decision tree from the EE to all reachable - nodes in the graph. This is the ideal graph for a path builder - attempting to build a path from TA Z to EE. - - +------+ +-----------+ +------+ +---+ - | TA W |<------| Bridge CA |<-------| TA X |<--| L | - +------+ +-----------+ +------+ +---+ - / \ ^ - / \ \ - / \ \ - v v \ - +------+ +------+ +---+ - | TA Y | | TA Z | | N | - +------+ +------+ +---+ - ^ - \ - \ - +----+ - | EE | - +----+ - - Figure 10 - Forward (From Entity) Decision Tree - - It is not possible to build forward direction paths into the - infrastructures behind CAs W, Y, and Z, because W, Y, and Z have not - been issued certificates by their subordinate CAs. (The subordinate - CAs are F and G, A and C, and O and P, respectively.) If simplicity - and speed are desirable, the graph in Figure 10 is a very appealing - way to structure the path-building algorithm. Finding a path from - the EE to one of the four trust anchors is reasonably simple. - Alternately, a developer could choose to build in the opposite - direction, using the reverse cross-certificates from any one of the - four trust anchors around the BCA. The graph in Figure 11 depicts - all possible paths as a tree emanating from TA Z. (Note: it is not - recommended that implementations attempt to determine all possible - paths, this would require retrieval and storage of all PKI data - including certificates and CRLs! This example is provided to - demonstrate the complexity which might be encountered.) - - - - - - - - - -Cooper, et al. Informational [Page 25] - -RFC 4158 Certification Path Building September 2005 - - - +---+ +---+ - | I |--->| H | - +---+ +---+ - ^ - | +---+ +---+ - | | H |--->| I | - | +---+ +---+ - +---+ ^ - | G | / +---+ +---+ +---+ - +---+ / | F |--->| H |--->| I | - ^ / +---+ +---+ +---+ - \ / ^ - \/ / - +---+ +---+ +---+ +---+ +---+ - | F | | G |--->| I |--->| H | | M | - +---+ +---+ +---+ +---+ +---+ - ^ ^ ^ - | / | - +------+ +-----------+ +------+ +---+ - | TA W |<------| Bridge CA |-------->| TA X |-->| L | - +------+ +-----------+ +------+ +---+ - / ^ \ \ - v \ v v - +------+ +------+ +---+ +---+ - | TA Y | | TA Z | | J | | N | - +------+ +------+ +---+ +---+ - / \ / \ \ \ - v v v v v v - +---+ +---+ +---+ +---+ +---+ +----+ - | A | | C | | O | | P | | K | | EE | - +---+ +---+ +---+ +---+ +---+ +----+ - / \ / \ / \ \ - v v v v v v v - +---+ +---+ +---+ +---+ +---+ +---+ +---+ - | B | | C | | A | | B | | Q | | R | | S | - +---+ +---+ +---+ +---+ +---+ +---+ +---+ - / \ \ \ \ \ \ - v v v v v v v - +---+ +---+ +---+ +---+ +---+ +---+ +---+ - | E | | D | | B | | B | | E | | D | | T | - +---+ +---+ +---+ +---+ +---+ +---+ +---+ - / | | \ - v v v v - +---+ +---+ +---+ +---+ - | E | | D | | E | | D | - +---+ +---+ +---+ +---+ - - Figure 11 - Reverse (From Anchor) Decision Tree - - - -Cooper, et al. Informational [Page 26] - -RFC 4158 Certification Path Building September 2005 - - - Given the relative complexity of this decision tree, it becomes clear - that making the right choices while navigating the tree can make a - large difference in how quickly a valid path is returned. The path- - building software could potentially traverse the entire graph before - choosing the shortest path: TA Z->BCA->X->L->N->EE. With a decision - tree like the one above, the basic depth first traversal approach - introduces obvious inefficiencies in the path-building process. To - compensate for this, a path-building module needs to decide not only - in which direction to traverse the tree, but also which branches of - the tree are more likely to yield a valid path. - - The path-building algorithm then ideally becomes a tree traversal - algorithm with weights or priorities assigned to each branch point to - guide the decision making. If properly designed, such an approach - would effectively yield the "best path first" more often than not. - (The terminology "best path first" is quoted because the definition - of the "best" path may differ from PKI to PKI. That is ultimately to - be determined by the developer, not by this document.) Finding the - "best path first" is an effort to make the implementation efficient, - which is one of our criteria as stated in Section 2.2. - - So how would a developer go about finding the best path first? Given - the simplifying idea of addressing path building as a tree traversal, - path building could be structured as a depth first search. A simple - example of depth first tree traversal path building is depicted in - Figure 12, with no preference given to sort order. - - Note: The arrows in the lower portion of the figure do not indicate - the direction of certificate issuance; they indicate the direction of - the tree traversal from the target certificate (EE). - - - - - - - - - - - - - - - - - - - - - -Cooper, et al. Informational [Page 27] - -RFC 4158 Certification Path Building September 2005 - - - +----+ +----+ +----+ - | TA | | TA | | TA | - +----+ +----+ +----+ - / \ ^ ^ - / \ | | - v v +---+ +---+ - +---+ +---+ | A | | C | - | A |<->| C | +---+ +---+ - +---+ +---+ ^ ^ - ^ ^ +----+ | | +----+ - \ / | TA | | | | TA | - v v +----+ | | +----+ - +---+ ^ | | ^ - | B | \ | | / - +---+ \ | | / - / \ +---+ +---+ - / \ | C | | A | - v v +---+ +---+ - +---+ +---+ ^ ^ - | E | | D | | / - +---+ +---+ | / - +---+ - Infrastructure | B | - +---+ - ^ - | - +----+ - | EE | - +----+ - - The Same Infrastructure - Represented as a Tree - - - - - - - - - - - - - - - - - - - -Cooper, et al. Informational [Page 28] - -RFC 4158 Certification Path Building September 2005 - - - +----+ +----+ - | TA | | TA | - +----+ +----+ - ^ ^ - | | - +---+ +---+ - | A | | C | - +---+ +---+ - +----+ ^ ^ +----+ - | TA | | | | TA | - +----+ | | +----+ - ^ | | ^ - \ | | / - +---+ +---+ +---+ +---+ - | C | | C | | A | | A | - +---+ +---+ +---+ +---+ - ^ ^ ^ ^ - | | / / - | | / / - +---+ +---+ +---+ +---+ - | B | | B | | B | | B | - +---+ +---+ +---+ +---+ - ^ ^ ^ ^ - | | | | - | | | | - +----+ +----+ +----+ +----+ - | EE | | EE | | EE | | EE | - +----+ +----+ +----+ +----+ - - All possible paths from EE to TA - using a depth first decision tree traversal - - Figure 12 - Path Building Using a Depth First Tree Traversal - - Figure 12 illustrates that four possible paths exist for this - example. Suppose that the last path (TA->A->B->EE) is the only path - that will validate. This could be for any combination of reasons - such as name constraints, policy processing, validity periods, or - path length constraints. The goal of an efficient path-building - component is to select the fourth path first by testing properties of - the certificates as the tree is traversed. For example, when the - path-building software is at entity B in the graph, it should examine - both choices A and C to determine which certificate is the most - likely best choice. An efficient module would conclude that A is the - more likely correct path. Then, at A, the module compares - terminating the path at TA, or moving to C. Again, an efficient - module will make the better choice (TA) and thereby find the "best - path first". - - - -Cooper, et al. Informational [Page 29] - -RFC 4158 Certification Path Building September 2005 - - - What if the choice between CA certificates is not binary as it was in - the previous example? What if the path-building software encounters - a branch point with some arbitrary number of CA certificates thereby - creating the same arbitrary number of tree branches? (This would be - typical in a mesh style PKI CA, or at a Bridge CA directory entry, as - each will have multiple certificates issued to itself from other - CAs.) This situation actually does not change the algorithm at all, - if it is structured properly. In our example, rather than treating - each decision as binary (i.e., choosing A or C), the path-building - software should sort all the available possibilities at any given - branch point, and then select the best choice from the list. In the - event the path could not be built through the first choice, then the - second choice should be tried next upon traversing back to that point - in the tree. Continue following this pattern until a path is found - or all CA nodes in the tree have been traversed. Note that the - certificates at any given point in the tree should only be sorted at - the time a decision is first made. Specifically, in the example, the - sorting of A and C is done when the algorithm reached B. There is no - memory resident representation of the entire tree. Just like any - other recursive depth first search algorithm, the only information - the algorithm needs to keep track of is what nodes (entities) in the - tree lie behind it on the current path, and for each of those nodes, - which arcs (certificates) have already been tried. - -2.5. Building Certification Paths for Revocation Signer Certificates - - Special consideration is given to building a certification path for - the Revocation Signer certificate because it may or may not be the - same as the Certification Authority certificate. For example, after - a CA performs a key rollover, the new CA certificate will be the CRL - Signer certificate, whereas the old CA certificate is the - Certification Authority certificate for previously issued - certificates. In the case of indirect CRLs, the CRL Signer - certificate will contain a different name and key than the - Certification Authority certificate. In the case of OCSP, the - Revocation Signer certificate may represent an OCSP Responder that is - not the same entity as the Certification Authority. - - When the Revocation Signer certificate and the Certification - Authority certificate are identical, no additional consideration is - required from a certification path-building standpoint. That is, the - certification path built (and validated) for the Certification - Authority certificate can also be used as the certification path for - the Revocation Signer certificate. In this case, the signature on - the revocation data (e.g., CRL or OCSP response) is verified using - the same certificate, and no other certification path building is - required. An efficient certification path validation algorithm - should first try all possible CRLs issued by the Certification - - - -Cooper, et al. Informational [Page 30] - -RFC 4158 Certification Path Building September 2005 - - - Authority to determine if any of the CRLs (a) cover the certificate - in question, (b) are current, and (c) are signed using the same key - used to sign the certificate. - - When the Revocation Signer certificate is not identical to the - Certification Authority certificate, a certification path must be - built (and validated) for the Revocation Signer certificate. In - general, the certification path-building software may build the path - as it would for any other certificate. However, this document also - outlines methods in later sections for greatly improving path - building efficiency for Revocation Signer certificate case. - -2.6. Suggested Path-Building Software Components - - There is no single way to define an interface to a path-building - module. It is not the intent of this document to prescribe a - particular method or semantic; rather, it is up to the implementer to - decide. There are many ways this could be done. For example, a - path-building module could build every conceivable path and return - the entire list to the caller. Or, the module could build until it - finds just one that validates and then terminate the procedure. Or, - it could build paths in an iterative fashion, depending on validation - outside of the builder and successive calls to the builder to get - more paths until one valid path is found or all possible paths have - been found. All of these are possible approaches, and each of these - may offer different benefits to a particular environment or - application. - - Regardless of semantics, a path-building module needs to contain the - following components: - - 1) The logic for building and traversing the certificate graph. - - 2) Logic for retrieving the necessary certificates (and CRLs and/or - other revocation status information if the path is to be - validated) from the available source(s). - - Assuming a more efficient and agile path-building module is desired, - the following is a good starting point and will tie into the - remainder of this document. For a path-building module to take full - advantage of all the suggested optimizations listed in this document, - it will need all of the components listed below. - - 1) A local certificate and CRL cache. - - a. This may be used by all certificate-using components; it does - not need to be specific to the path-building software. A local - cache could be memory resident, stored in an operating system - - - -Cooper, et al. Informational [Page 31] - -RFC 4158 Certification Path Building September 2005 - - - or application certificate store, stored in a database, or even - stored in individual files on the hard disk. While the - implementation of this cache is beyond the scope of this - document, some design considerations are listed below. - - 2) The logic for building and traversing the certificate graph/tree. - - a. This performs sorting functionality for prioritizing - certificates (thereby optimizing path building) while - traversing the tree. - - b. There is no need to build a complete graph prior to commencing - path building. Since path building can be implemented as a - depth first tree traversal, the path builder only needs to - store the current location in the tree along with the points - traversed to the current location. All completed branches can - be discarded from memory and future branches are discovered as - the tree is traversed. - - 3) Logic for retrieving the necessary certificates from the available - certificate source(s): - - a. Local cache. - - i. Be able to retrieve all certificates for an entity by - subject name, as well as individual certificates by - issuer and serial number tuple. - - ii. Tracking which directory attribute (including - issuedToThisCA <forward> and issuedByThisCA <reverse> - for split crossCertificatePair attributes) each - certificate was found in may be useful. This allows for - functionality such as retrieving only forward cross- - certificates, etc. - - iii. A "freshness" timestamp (cache expiry time) can be used - to determine when the directory should be searched - again. - - b. LDAPv3 directory for certificates and CRLs. - - i. Consider supporting multiple directories for general - queries. - - ii. Consider supporting dynamic LDAP connections for - retrieving CRLs using an LDAP URI [RFC3986] in the CRL - distribution point certificate extension. - - - - -Cooper, et al. Informational [Page 32] - -RFC 4158 Certification Path Building September 2005 - - - iii. Support LDAP referrals. This is typically only a matter - of activating the appropriate flag in the LDAP API. - - c. HTTP support for CRL distribution points and authority - information access (AIA) support. - - i. Consider HTTPS support, but be aware that this may create - an unbounded recursion when the implementation tries to - build a certification path for the server's certificate if - this in turn requires an additional HTTPS lookup. - - 4) A certification path cache that stores previously validated - relationships between certificates. This cache should include: - - a. A configurable expiration date for each entry. This date can - be configured based upon factors such as the expiry of the - information used to determine the validity of an entry, - bandwidth, assurance level, storage space, etc. - - b. Support to store previously verified issuer certificate to - subject certificate relationships. - - i. Since the issuer DN and serial number tuple uniquely - identifies a certificate, a pair of these tuples (one for - both the issuer and subject) is an effective method of - storing this relationship. - - c. Support for storing "known bad" paths and certificates. Once a - certificate is determined to be invalid, implementations can - decide not to retry path development and validation. - -2.7. Inputs to the Path-Building Module - - [X.509] specifically addresses the list of inputs required for path - validation but makes no specific suggestions concerning useful inputs - to path building. However, given that the goal of path building is - to find certification paths that will validate, it follows that the - same inputs used for validation could be used to optimize path - building. - -2.7.1. Required Inputs - - Setting aside configuration information such as repository or cache - locations, the following are required inputs to the certification - path-building process: - - 1) The Target Certificate: The certificate that is to be validated. - This is one endpoint for the path. (It is also possible to - - - -Cooper, et al. Informational [Page 33] - -RFC 4158 Certification Path Building September 2005 - - - provide information used to retrieve a certificate for a target, - rather than the certificate itself.) - - 2) Trust List: This is the other endpoint of the path, and can - consist of either: - - a. Trusted CA certificates - - b. Trusted keys and DNs; a certificate is not necessarily required - -2.7.2. Optional Inputs - - In addition to the inputs listed in Section 2.7.1, the following - optional inputs can also be useful for optimizing path building. - However, if the path-building software takes advantage of all of the - optimization methods described later in this document, all of the - following optional inputs will be required. - - 1) Time (T): The time for which the certificate is to be validated - (e.g., if validating a historical signature from one year ago, T - is needed to build a valid path) - - a. If not included as an input, the path-building software should - always build for T equal to the current system time. - - 2) Initial-inhibit-policy-mapping indicator - - 3) Initial-require-explicit-policy indicator - - 4) Initial-any-policy-inhibit indicator - - 5) Initial user acceptable policy set - - 6) Error handlers (call backs or virtual classes) - - 7) Handlers for custom certificate extensions - - 8) Is-revocation-provider indicator - - a. IMPORTANT: When building a certification path for an OCSP - Responder certificate specified as part of the local - configuration, this flag should not be set. It is set when - building a certification path for a CRL Signer certificate or - for an OCSP Responder Signer certificate discovered using the - information asserted in an authorityInformationAccess - certificate extension. - - - - - -Cooper, et al. Informational [Page 34] - -RFC 4158 Certification Path Building September 2005 - - - 9) The complete certification path for the Certification Authority - (if Is-revocation-provider is set) - - 10) Collection of certificates that may be useful in building the - path - - 11) Collection of certificate revocation lists and/or other - revocation data - - The last two items are a matter of convenience. Alternately, - certificates and revocation information could be placed in a local - cache accessible to the path-building module prior to attempting to - build a path. - -3. Optimizing Path Building - - This section recommends methods for optimizing path-building - processes. - -3.1. Optimized Path Building - - Path building can be optimized by sorting the certificates at every - decision point (at every node in the tree) and then selecting the - most promising certificate not yet selected as described in Section - 2.4.2. This process continues until the path terminates. This is - roughly equivalent to the concept of creating a weighted edge tree, - where the edges are represented by certificates and nodes represent - subject DNs. However, unlike the weighted edge graph concept, a - certification path builder need not have the entire graph available - in order to function efficiently. In addition, the path builder can - be stateless with respect to nodes of the graph not present in the - current path, so the working data set can be relatively small. - - The concept of statelessness with respect to nodes not in the current - path is instrumental to using the sorting optimizations listed in - this document. Initially, it may seem that sorting a given group of - certificates for a CA once and then preserving that sorted order for - later use would be an efficient way to write the path builder. - However, maintaining this state can quickly eliminate the efficiency - that sorting provides. Consider the following diagram: - - - - - - - - - - - -Cooper, et al. Informational [Page 35] - -RFC 4158 Certification Path Building September 2005 - - - +---+ - | R | - +---+ - ^ - / - v - +---+ +---+ +---+ +---+ +----+ - | A |<----->| E |<---->| D |--->| Z |--->| EE | - +---+ +---+ +---+ +---+ +----+ - ^ ^ ^ ^ - \ / \ / - \ / \ / - v v v v - +---+ +---+ - | B |<----->| C | - +---+ +---+ - - Figure 13 - Example of Path-Building Optimization - - In this example, the path builder is building in the forward (from - target) direction for a path between R and EE. The path builder has - also opted to allow subject name and key to repeat. (This will allow - multiple traversals through any of the cross-certified CAs, creating - enough complexity in this small example to illustrate proper state - maintenance. Note that a similarly complex example could be designed - by using multiple keys for each entity and prohibiting repetition.) - - The first step is simple; the builder builds the path Z(D)->EE(Z). - Next the builder adds D and faces a decision between two - certificates. (Choose between D(C) or D(E)). The builder now sorts - the two choices in order of priority. The sorting is partially based - upon what is currently in the path. - - Suppose the order the builder selects is [D(E), D(C)]. The current - path is now D(E)->Z(D)->EE(Z). Currently the builder has three nodes - in the graph (EE, Z, and D) and should maintain the state, including - sort order of the certificates at D, when adding the next node, E. - When E is added, the builder now has four certificates to sort: E(A), - E(B), E(C), and E(D). In this case, the example builder opts for the - order [E(C), E(B), E(A), E(D)]. The current path is now E(C)->D(E)-> - Z(D)->EE(Z) and the path has four nodes; EE, Z, D, and E. - - Upon adding the fifth node, C, the builder sorts the certificates - (C(B), C(D), and C(E)) at C, and selects C(E). The path is now - C(E)->E(C)->D(E)->Z(D)->EE(Z) and the path has five nodes: EE, Z, D, - E, and C. - - - - - -Cooper, et al. Informational [Page 36] - -RFC 4158 Certification Path Building September 2005 - - - Now the builder finds itself back at node E with four certificates. - If the builder were to use the prior sort order from the first - encounter with E, it would have [E(C), E(B), E(A), E(D)]. In the - current path's context, this ordering may be inappropriate. To begin - with, the certificate E(C) is already in the path so it certainly - does not deserve first place. - - The best way to handle this situation is for the path builder to - handle this instance of E as a new (sixth) node in the tree. In - other words, there is no state information for this new instance of E - - it is treated just as any other new node. The certificates at the - new node are sorted based upon the current path content and the first - certificate is then selected. For example, the builder may examine - E(B) and note that it contains a name constraint prohibiting "C". At - this point in the decision tree, E(B) could not be added to the path - and produce a valid result since "C" is already in the path. As a - result, the certificate E(B) should placed at the bottom of the - prioritized list. - - Alternatively, E(B) could be eliminated from this new node in the - tree. It is very important to see that this certificate is - eliminated only at this node and only for the current path. If path - building fails through C and traverses back up the tree to the first - instance of E, E(B) could still produce a valid path that does not - include C; specifically R->A->B->E->D->Z->EE. Thus the state at any - node should not alter the state of previous or subsequent nodes. - (Except for prioritizing certificates in the subsequent nodes.) - - In this example, the builder should also note that E(C) is already in - the path and should make it last or eliminate it from this node since - certificates cannot be repeated in a path. - - If the builder eliminates both certificates E(B) and E(C) at this - node, it is now only left to select between E(A) and E(D). Now the - path has six nodes: EE, Z, D, E(1), C, and E(2). E(1) has four - certificates, and E(2) has two, which the builder sorts to yield - [E(A), E(D)]. The current path is now E(A)->C(E)->E(C)->D(E)-> - Z(D)->EE(Z). A(R) will be found when the seventh node is added to - the path and the path terminated because one of the trust anchors has - been found. - - In the event the first path fails to validate, the path builder will - still have the seven nodes and associated state information to work - with. On the next iteration, the path builder is able to traverse - back up the tree to a working decision point, such as A, and select - the next certificate in the sorted list at A. In this example, that - would be A(B). (A(R) has already been tested.) This would dead end, - and the builder traverse back up to the next decision point, E(2) - - - -Cooper, et al. Informational [Page 37] - -RFC 4158 Certification Path Building September 2005 - - - where it would try D(E). This process repeats until the traversal - backs all the way up to EE or a valid path is found. If the tree - traversal returns to EE, all possible paths have been exhausted and - the builder can conclude no valid path exists. - - This approach of sorting certificates in order to optimize path - building will yield better results than not optimizing the tree - traversal. However, the path-building process can be further - streamlined by eliminating certificates, and entire branches of the - tree as a result, as paths are built. - -3.2. Sorting vs. Elimination - - Consider a situation when building a path in which three CA - certificates are found for a given target certificate and must be - prioritized. When the certificates are examined, as in the previous - example, one of the three has a name constraint present that will - invalidate the path built thus far. When sorting the three - certificates, that one would certainly go to the back of the line. - However, the path-building software could decide that this condition - eliminates the certificate from consideration at this point in the - graph, thereby reducing the number of certificate choices by 33% at - this point. - - NOTE: It is important to understand that the elimination of a - certificate only applies to a single decision point during the tree - traversal. The same certificate may appear again at another point in - the tree; at that point it may or may not be eliminated. The - previous section details an example of this behavior. - - Elimination of certificates could potentially eliminate the traversal - of a large, time-consuming infrastructure that will never lead to a - valid path. The question of whether to sort or eliminate is one that - pits the flexibility of the software interface against efficiency. - - To be clear, if one eliminates invalid paths as they are built, - returning only likely valid paths, the end result will be an - efficient path-building module. The drawback to this is that unless - the software makes allowances for it, the calling application will - not be able to see what went wrong. The user may only see the - unrevealing error message: "No certification path found." - - On the other hand, the path-building module could opt to not rule out - any certification paths. The path-building software could then - return any and all paths it can build from the certificate graph. It - is then up to the validation engine to determine which are valid and - which are invalid. The user or calling application can then have - complete details on why each and every path fails to validate. The - - - -Cooper, et al. Informational [Page 38] - -RFC 4158 Certification Path Building September 2005 - - - drawback is obviously one of performance, as an application or end - user may wait for an extended period of time while cross-certified - PKIs are navigated in order to build paths that will never validate. - - Neither option is a very desirable approach. One option provides - good performance for users, which is beneficial. The other option - though allows administrators to diagnose problems with the PKI, - directory, or software. Below are some recommendations to reach a - middle ground on this issue. - - First, developers are strongly encouraged to output detailed log - information from the path-building software. The log should - explicitly indicate every choice the builder makes and why. It - should clearly identify which certificates are found and used at each - step in building the path. If care is taken to produce a useful log, - PKI administrators and help desk personnel will have ample - information to diagnose a problem with the PKI. Ideally, there would - be a mechanism for turning this logging on and off, so that it is not - running all the time. Additionally, it is recommended that the log - contain information so that a developer or tester can recreate the - paths tried by the path-building software, to assist with diagnostics - and testing. - - Secondly, it is desirable to return something useful to the user. - The easiest approach is probably to implement a "dual mode" path- - building module. In the first mode [mode 1], the software eliminates - any and all paths that will not validate, making it very efficient. - In the second mode [mode 2], all the sorting methods are still - applied, but no paths are eliminated based upon the sorting methods. - Having this dual mode allows the module to first fail to find a valid - path, but still return one invalid path (assuming one exists) by - switching over to the second mode long enough to generate a single - path. This provides a middle ground -- the software is very fast, - but still returns something that gives the user a more specific error - than "no path found". - - Third, it may be useful to not rule out any paths, but instead limit - the number of paths that may be built given a particular input. - Assuming the path-building module is designed to return the "best - path first", the paths most likely to validate would be returned - before this limit is reached. Once the limit is reached the module - can stop building paths, providing a more rapid response to the - caller than one which builds all possible paths. - - Ultimately, the developer determines how to handle the trade-off - between efficiency and provision of information. A developer could - choose the middle ground by opting to implement some optimizations as - elimination rules and others as not. A developer could validate - - - -Cooper, et al. Informational [Page 39] - -RFC 4158 Certification Path Building September 2005 - - - certificate signatures, or even check revocation status while - building the path, and then make decisions based upon the outcome of - those checks as to whether to eliminate the certificate in question. - - This document suggests the following approach: - - 1) While building paths, eliminate any and all certificates that do - not satisfy all path validation requirements with the following - exceptions: - - a. Do not check revocation status if it requires a directory - lookup or network access - - b. Do not check digital signatures (see Section 8.1, General - Considerations for Building A Certification Path, for - additional considerations). - - c. Do not check anything that cannot be checked as part of the - iterative process of traversing the tree. - - d. Create a detailed log, if this feature is enabled. - - e. If a path cannot be found, the path builder shifts to "mode 2" - and allows the building of a single bad path. - - i. Return the path with a failure indicator, as well as - error information detailing why the path is bad. - - 2) If path building succeeds, validate the path in accordance with - [X.509] and [RFC3280] with the following recommendations: - - a. For a performance boost, do not re-check items already checked - by the path builder. (Note: if pre-populated paths are supplied - to the path-building system, the entire path has to be fully - re-validated.) - - b. If the path validation failed, call the path builder again to - build another path. - - i. Always store the error information and path from the - first iteration and return this to the user in the event - that no valid path is found. Since the path-building - software was designed to return the "best path first", - this path should be shown to the user. - - As stated above, this document recommends that developers do not - validate digital signatures or check revocation status as part of the - path-building process. This recommendation is based on two - - - -Cooper, et al. Informational [Page 40] - -RFC 4158 Certification Path Building September 2005 - - - assumptions about PKI and its usage. First, signatures in a working - PKI are usually good. Since signature validation is costly in terms - of processor time, it is better to delay signature checking until a - complete path is found and then check the signatures on each - certificate in the certification path starting with the trust anchor - (see Section 8.1). Second, it is fairly uncommon in typical - application environments to encounter a revoked certificate; - therefore, most certificates validated will not be revoked. As a - result, it is better to delay retrieving CRLs or other revocation - status information until a complete path has been found. This - reduces the probability of retrieving unneeded revocation status - information while building paths. - -3.3. Representing the Decision Tree - - There are a multitude of ways to implement certification path - building and as many ways to represent the decision tree in memory. - - The method described below is an approach that will work well with - the optimization methods listed later in this document. Although - this approach is the best the authors of this document have - implemented, it is by no means the only way to implement it. - Developers should tailor this approach to their own requirements or - may find that another approach suits their environment, programming - language, or programming style. - -3.3.1. Node Representation for CA Entities - - A "node" in the certification graph is a collection of CA - certificates with identical subject DNs. Minimally, for each node, - in order to fully implement the optimizations to follow, the path- - building module will need to be able to keep track of the following - information: - - 1. Certificates contained in the node - - 2. Sorted order of the certificates - - 3. "Current" certificate indicator - - 4. The current policy set (It may be split into authority and user - constrained sets, if desired.) - - - It is suggested that encapsulating the policy set in an object - with logic for manipulating the set such as performing - intersections, mappings, etc., will simplify implementation. - - - - - -Cooper, et al. Informational [Page 41] - -RFC 4158 Certification Path Building September 2005 - - - 5. Indicators (requireExplicitPolicy, inhibitPolicyMapping, - anyPolicyInhibit) and corresponding skipCert values - - 6. A method for indicating which certificates are eliminated or - removing them from the node. - - - If nodes are recreated from the cache on demand, it may be - simpler to remove eliminated certificates from the node. - - 7. A "next" indicator that points to the next node in the current - path - - 8. A "previous" indicator that points to the previous node in the - current path - -3.3.2. Using Nodes to Iterate Over All Paths - - In simplest form, a node is created, the certificates are sorted, the - next subject DN required is determined from the first certificate, - and a new node is attached to the certification path via the next - indicator (Number 7 above). This process continues until the path - terminates. (Note: end entity certificates may not contain subject - DNs as allowed by [RFC3280]. Since end entity certificates by - definition do not issue certificates, this has no impact on the - process.) - - Keeping in mind that the following algorithm is designed to be - implemented using recursion, consider the example in Figure 12 and - assume that the only path in the diagram is valid for E is TA->A-> - B->E: - - If our path-building module is building a path in the forward - direction for E, a node is first created for E. There are no - certificates to sort because only one certificate exists, so all - initial values are loaded into the node from E. For example, the - policy set is extracted from the certificate and stored in the node. - - Next, the issuer DN (B) is read from E, and new node is created for B - containing both certificates issued to B -- B(A) and B(C). The - sorting rules are applied to these two certificates and the sorting - algorithm returns B(C);B(A). This sorted order is stored and the - current indicator is set to B(C). Indicators are set and the policy - sets are calculated to the extent possible with respect to B(C). The - following diagram illustrates the current state with the current - certificate indicated with a "*". - - - - - - -Cooper, et al. Informational [Page 42] - -RFC 4158 Certification Path Building September 2005 - - - +-------------+ +---------------+ - | Node 1 | | Node 2 | - | Subject: E |--->| Subject: B | - | Issuers: B* | | Issuers: C*,A | - +-------------+ +---------------+ - - Next, a node is created for C and all three certificates are added to - it. The sorting algorithm happens to return the certificates sorted - in the following order: C(TA);C(A);C(B) - - +-------------+ +---------------+ +------------------+ - | Node 1 | | Node 2 | | Node 3 | - | Subject: E |--->| Subject: B |--->| Subject: C | - | Issuers: B | | Issuers: C*,A | | Issuers: TA*,A,B | - +-------------+ +---------------+ +------------------+ - - Recognizing that the trust anchor has been found, the path - (TA->C->B->E) is validated but fails. (Remember that the only valid - path happens to be TA->A->B->E.) The path-building module now moves - the current certificate indicator in node 3 to C(A), and adds the - node for A. - - +-------------+ +---------------+ +------------------+ - | Node 1 | | Node 2 | | Node 3 | - | Subject: E |--->| Subject: B |--->| Subject: C | - | Issuers: B | | Issuers: C*,A | | Issuers: TA,A*,B | - +-------------+ +---------------+ +------------------+ - | - v - +------------------+ - | Node 4 | - | Subject: A | - | Issuers: TA*,C,B | - +------------------+ - - The path TA->A->C->B->E is validated and it fails. The path-building - module now moves the current indicator in node 4 to A(C) and adds a - node for C. - - - - - - - - - - - - - -Cooper, et al. Informational [Page 43] - -RFC 4158 Certification Path Building September 2005 - - - +-------------+ +---------------+ +------------------+ - | Node 1 | | Node 2 | | Node 3 | - | Subject: E |--->| Subject: B |--->| Subject: C | - | Issuers: B | | Issuers: C*,A | | Issuers: TA,A*,B | - +-------------+ +---------------+ +------------------+ - | - v - +------------------+ +------------------+ - | Node 5 | | Node 4 | - | Subject: C |<---| Subject: A | - | Issuers: TA*,A,B | | Issuers: TA,C*,B | - +------------------+ +------------------+ - - At this juncture, the decision of whether to allow repetition of name - and key comes to the forefront. If the certification path-building - module will NOT allow repetition of name and key, there are no - certificates in node 5 that can be used. (C and the corresponding - public key is already in the path at node 3.) At this point, node 5 - is removed from the current path and the current certificate - indicator on node 4 is moved to A(B). - - If instead, the module is only disallowing repetition of - certificates, C(A) is eliminated from node 5 since it is in use in - node 3, and path building continues by first validating TA->C->A-> - C->B->E, and then continuing to try to build paths through C(B). - After this also fails to provide a valid path, node 5 is removed from - the current path and the current certificate indicator on node 4 is - moved to A(B). - - +-------------+ +---------------+ +------------------+ - | Node 1 | | Node 2 | | Node 3 | - | Subject: E |--->| Subject: B |--->| Subject: C | - | Issuers: B | | Issuers: C*,A | | Issuers: TA,A*,B | - +-------------+ +---------------+ +------------------+ - | - v - +------------------+ - | Node 4 | - | Subject: A | - | Issuers: TA,C,B* | - +------------------+ - - Now a new node 5 is created for B. Just as with the prior node 5, if - not repeating name and key, B also offers no certificates that can be - used (B and B's public key is in use in node 2) so the new node 5 is - also removed from the path. At this point all certificates in node 4 - have now been tried, so node 4 is removed from the path, and the - current indicator on node 3 is moved to C(B). - - - -Cooper, et al. Informational [Page 44] - -RFC 4158 Certification Path Building September 2005 - - - Also as above, if allowing repetition of name and key, B(C) is - removed from the new node 5 (B(C) is already in use in node 3) and - paths attempted through the remaining certificate B(A). After this - fails, it will lead back to removing node 5 from the path. At this - point all certificates in node 4 have now been tried, so node 4 is - removed from the path, and the current indicator on node 3 is moved - to C(B). - - This process continues until all certificates in node 1 (if there - happened to be more than one) have been tried, or until a valid path - has been found. Once the process ends and in the event no valid path - was found, it may be concluded that no path can be found from E to - TA. - -3.4. Implementing Path-Building Optimization - - The following section describes methods that may be used for - optimizing the certification path-building process by sorting - certificates. Optimization as described earlier seeks to prioritize - a list of certificates, effectively prioritizing (weighting) branches - of the graph/tree. The optimization methods can be used to assign a - cumulative score to each certificate. The process of scoring the - certificates amounts to testing each certificate against the - optimization methods a developer chooses to implement, and then - adding the score for each test to a cumulative score for each - certificate. After this is completed for each certificate at a given - branch point in the builder's decision tree, the certificates can be - sorted so that the highest scoring certificate is selected first, the - second highest is selected second, etc. - - For example, suppose the path builder has only these two simple - sorting methods: - - 1) If the certificate has a subject key ID, +5 to score. - 2) If the certificate has an authority key ID, +10 to score. - - And it then examined three certificates: - - 1) Issued by CA 1; has authority key ID; score is 10. - 2) Issued by CA 2; has subject key ID; score is 5. - 3) Issued by CA 1; has subject key ID and authority key ID; score is - 15. - - The three certificates are sorted in descending order starting with - the highest score: 3, 1, and 2. The path-building software should - first try building the path through certificate 3. Failing that, it - should try certificate 1. Lastly, it should try building a path - through certificate 2. - - - -Cooper, et al. Informational [Page 45] - -RFC 4158 Certification Path Building September 2005 - - - The following optimization methods specify tests developers may - choose to perform, but does not suggest scores for any of the - methods. Rather, developers should evaluate each method with respect - to the environment in which the application will operate, and assign - weights to each accordingly in the path-building software. - Additionally, many of the optimization methods are not binary in - nature. Some are tri-valued, and some may be well suited to sliding - or exponential scales. Ultimately, the implementer decides the - relative merits of each optimization with respect to his or her own - software or infrastructure. - - Over and above the scores for each method, many methods can be used - to eliminate branches during the tree traversal rather than simply - scoring and weighting them. All cases where certificates could be - eliminated based upon an optimization method are noted with the - method descriptions. - - Many of the sorting methods described below are based upon what has - been perceived by the authors as common in PKIs. Many of the methods - are aimed at making path building for the common PKI fast, but there - are cases where most any sorting method could lead to inefficient - path building. The desired behavior is that although one method may - lead the algorithm in the wrong direction for a given situation or - configuration, the remaining methods will overcome the errant - method(s) and send the path traversal down the correct branch of the - tree more often than not. This certainly will not be true for every - environment and configuration, and these methods may need to be - tweaked for further optimization in the application's target - operating environment. - - As a final note, the list contained in this document is not intended - to be exhaustive. A developer may desire to define additional - sorting methods if the operating environment dictates the need. - -3.5. Selected Methods for Sorting Certificates - - The reader should draw no specific conclusions as to the relative - merits or scores for each of the following methods based upon the - order in which they appear. The relative merit of any sorting - criteria is completely dependent on the specifics of the operating - environment. For most any method, an example can be created to - demonstrate the method is effective and a counter-example could be - designed to demonstrate that it is ineffective. - - Each sorting method is independent and may (or may not) be used to - assign additional scores to each certificate tested. The implementer - decides which methods to use and what weights to assign them. As - noted previously, this list is also not exhaustive. - - - -Cooper, et al. Informational [Page 46] - -RFC 4158 Certification Path Building September 2005 - - - In addition, name chaining (meaning the subject name of the issuer - certificate matches the issuer name of the issued certificate) is not - addressed as a sorting method since adherence to this is required in - order to build the decision tree to which these methods will be - applied. Also, unaddressed in the sorting methods is the prevention - of repeating certificates. Path builders should handle name chaining - and certificate repetition irrespective of the optimization approach. - - Each sorting method description specifies whether the method may be - used to eliminate certificates, the number of possible numeric values - (sorting weights) for the method, components from Section 2.6 that - are required for implementing the method, forward and reverse methods - descriptions, and finally a justification for inclusion of the - method. - - With regard to elimination of certificates, it is important to - understand that certificates are eliminated only at a given decision - point for many methods. For example, the path built up to - certificate X may be invalidated due to name constraints by the - addition of certificate Y. At this decision point only, Y could be - eliminated from further consideration. At some future decision - point, while building this same path, the addition of Y may not - invalidate the path. - - For some other sorting methods, certificates could be eliminated from - the process entirely. For example, certificates with unsupported - signature algorithms could not be included in any path and validated. - Although the path builder may certainly be designed to operate in - this fashion, it is sufficient to always discard certificates only - for a given decision point regardless of cause. - -3.5.1. basicConstraints Is Present and cA Equals True - - May be used to eliminate certificates: Yes - Number of possible values: Binary - Components required: None - - Forward Method: Certificates with basicConstraints present and - cA=TRUE, or those designated as CA certificates out-of-band have - priority. Certificates without basicConstraints, with - basicConstraints and cA=FALSE, or those that are not designated as CA - certificates out-of-band may be eliminated or have zero priority. - - Reverse Method: Same as forward except with regard to end entity - certificates at the terminus of the path. - - Justification: According to [RFC3280], basicConstraints is required - to be present with cA=TRUE in all CA certificates, or must be - - - -Cooper, et al. Informational [Page 47] - -RFC 4158 Certification Path Building September 2005 - - - verified via an out-of-band mechanism. A valid path cannot be built - if this condition is not met. - -3.5.2. Recognized Signature Algorithms - - May be used to eliminate certificates: Yes - Number of possible values: Binary - Components required: None - - Forward Method: Certificates containing recognized signature and - public key algorithms [PKIXALGS] have priority. - - Reverse Method: Same as forward. - - Justification: If the path-building software is not capable of - processing the signatures associated with the certificate, the - certification path cannot be validated. - -3.5.3. keyUsage Is Correct - - May be used to eliminate certificates: Yes - Number of possible values: Binary - Components required: None - - Forward Method: If keyUsage is present, certificates with - keyCertSign set have 100% priority. If keyUsage is present and - keyCertSign is not set, the certificate may be eliminated or have - zero priority. All others have zero priority. - - Reverse Method: Same as forward except with regard to end entity - certificates at the terminus of the path. - - Justification: A valid certification path cannot be built through a - CA certificate with inappropriate keyUsage. Note that - digitalSignature is not required to be set in a CA certificate. - -3.5.4. Time (T) Falls within the Certificate Validity - - May be used to eliminate certificates: Yes - Number of possible values: Binary - Components required: None - - Forward Method: Certificates that contain the required time (T) - within their validity period have 100% priority. Otherwise, the - certificate is eliminated or has priority zero. - - Reverse Method: Same as forward. - - - - -Cooper, et al. Informational [Page 48] - -RFC 4158 Certification Path Building September 2005 - - - Justification: A valid certification path cannot be built if T falls - outside of the certificate validity period. - - NOTE: Special care should be taken to return a meaningful error to - the caller, especially in the event the target certificate does not - meet this criterion, if this sorting method is used for elimination. - (e.g., the certificate is expired or is not yet valid). - -3.5.5. Certificate Was Previously Validated - - May be used to eliminate certificates: No - Number of possible values: Binary - Components required: Certification Path Cache - - Forward Method: A certificate that is present in the certification - path cache has priority. - - Reverse Method: Does not apply. (The validity of a certificate vs. - unknown validity does not infer anything about the correct direction - in the decision tree. In other words, knowing the validity of a CA - certificate does not indicate that the target is more likely found - through that path than another.) - - Justification: Certificates in the path cache have been validated - previously. Assuming the initial constraints have not changed, it is - highly likely that the path from that certificate to a trust anchor - is still valid. (Changes to the initial constraints may cause a - certificate previously considered valid to no longer be considered - valid.) - - Note: It is important that items in the path cache have appropriate - life times. For example, it could be inappropriate to cache a - relationship beyond the period the related CRL will be trusted by the - application. It is also critical to consider certificates and CRLs - farther up the path when setting cache lifetimes. For example, if - the issuer certificate expires in ten days, but the issued - certificate is valid for 20 days, caching the relationship beyond 10 - days would be inappropriate. - -3.5.6. Previously Verified Signatures - - May be used to eliminate certificates: Yes - Number of possible values: Binary - Components required: Path Cache - - Forward Method: If a previously verified relationship exists in the - path cache between the subject certificate and a public key present - in one or more issuer certificates, all the certificates containing - - - -Cooper, et al. Informational [Page 49] - -RFC 4158 Certification Path Building September 2005 - - - said public key have higher priority. Other certificates may be - eliminated or set to zero priority. - - Reverse Method: If known bad signature relationships exist between - certificates, these relationships can be used to eliminate potential - certificates from the decision tree. Nothing can be concluded about - the likelihood of finding a given target certificate down one branch - versus another using known good signature relationships. - - Justification: If the public key in a certificate (A) was previously - used to verify a signature on a second certificate (B), any and all - certificates containing the same key as (A) may be used to verify the - signature on (B). Likewise, any certificates that do not contain the - same key as (A) cannot be used to verify the signature on (B). This - forward direction method is especially strong for multiply cross- - certified CAs after a key rollover has occurred. - -3.5.7. Path Length Constraints - - May be used to eliminate certificates: Yes - Number of possible values: Binary - Components required: None - - Forward Method: Certificates with basic constraints present and - containing a path length constraint that would invalidate the current - path (the current length is known since the software is building from - the target certificate) may be eliminated or set to zero priority. - Otherwise, the priority is 100%. - - Reverse Method: This method may be applied in reverse. To apply it, - the builder keeps a current path length constraint variable and then - sets zero priority for (or eliminates) certificates that would - violate the constraint. - - Justification: A valid path cannot be built if the path length - constraint has been violated. - -3.5.8. Name Constraints - - May be used to eliminate certificates: Yes - Number of possible values: Binary - Components required: None - - Forward Method: Certificates that contain nameConstraints that would - be violated by certificates already in the path to this point are - given zero priority or eliminated. - - - - - -Cooper, et al. Informational [Page 50] - -RFC 4158 Certification Path Building September 2005 - - - Reverse Method: Certificates that will allow successful processing - of any name constraints present in the path to this point are given - higher priority. - - Justification: A valid path cannot be built if name constraints are - violated. - -3.5.9. Certificate Is Not Revoked - - May be used to eliminate certificates: No - Number of possible values: Three - Components required: CRL Cache - - Forward Method: If a current CRL for a certificate is present in the - CRL cache, and the certificate serial number is not on the CRL, the - certificate has priority. If the certificate serial number is - present on the CRL, it has zero priority. If an (acceptably fresh) - OCSP response is available for a certificate, and identifies the - certificate as valid, the certificate has priority. If an OCSP - response is available for a certificate, and identifies the - certificate as invalid, the certificate has zero priority. - - Reverse Method: Same as Forward. - - Alternately, the certificate may be eliminated if the CRL or OCSP - response is verified. That is, fully verify the CRL or OCSP response - signature and relationship to the certificate in question in - accordance with [RFC3280]. While this is viable, the signature - verification required makes it less attractive as an elimination - method. It is suggested that this method only be used for sorting - and that CRLs and OCSP responses are validated post path building. - - Justification: Certificates known to be not revoked can be - considered more likely to be valid than certificates for which the - revocation status is unknown. This is further justified if CRL or - OCSP response validation is performed post path validation - CRLs or - OCSP responses are only retrieved when complete paths are found. - - NOTE: Special care should be taken to allow meaningful errors to - propagate to the caller, especially in cases where the target - certificate is revoked. If a path builder eliminates certificates - using CRLs or OCSP responses, some status information should be - preserved so that a meaningful error may be returned in the event no - path is found. - - - - - - - -Cooper, et al. Informational [Page 51] - -RFC 4158 Certification Path Building September 2005 - - -3.5.10. Issuer Found in the Path Cache - - May be used to eliminate certificates: No - Number of possible values: Binary - Components required: Certification Path Cache - - Forward Method: A certificate whose issuer has an entry (or entries) - in the path cache has priority. - - Reverse Method: Does not apply. - - Justification: Since the path cache only contains entries for - certificates that were previously validated back to a trust anchor, - it is more likely than not that the same or a new path may be built - from that point to the (or one of the) trust anchor(s). For - certificates whose issuers are not found in the path cache, nothing - can be concluded. - - NOTE: This method is not the same as the method named "Certificate - Was Previously Validated". It is possible for this sorting method to - evaluate to true while the other method could evaluate to zero. - -3.5.11. Issuer Found in the Application Protocol - - May be used to eliminate certificates: No - Number of possible values: Binary - Components required: Certification Path Cache - - Forward Method: If the issuer of a certificate sent by the target - through the application protocol (SSL/TLS, S/MIME, etc.), matches the - signer of the certificate you are looking at, then that certificate - has priority. - - Reverse Method: If the subject of a certificate matches the issuer - of a certificate sent by the target through the application protocol - (SSL/TLS, S/MIME, etc.), then that certificate has priority. - - Justification: The application protocol may contain certificates - that the sender considers valuable to certification path building, - and are more likely to lead to a path to the target certificate. - -3.5.12. Matching Key Identifiers (KIDs) - - May be used to eliminate certificates: No - Number of possible values: Three - Components required: None - - Forward Method: Certificates whose subject key identifier (SKID) - - - -Cooper, et al. Informational [Page 52] - -RFC 4158 Certification Path Building September 2005 - - - matches the current certificate's authority key identifier (AKID) - have highest priority. Certificates without a SKID have medium - priority. Certificates whose SKID does not match the current - certificate's AKID (if both are present) have zero priority. If the - current certificate expresses the issuer name and serial number in - the AKID, certificates that match both these identifiers have highest - priority. Certificates that match only the issuer name in the AKID - have medium priority. - - Reverse Method: Certificates whose AKID matches the current - certificate's SKID have highest priority. Certificates without an - AKID have medium priority. Certificates whose AKID does not match - the current certificate's SKID (if both are present) have zero - priority. If the certificate expresses the issuer name and serial - number in the AKID, certificates that match both these identifiers in - the current certificate have highest priority. Certificates that - match only the issuer name in the AKID have medium priority. - - Justification: Key Identifier (KID) matching is a very useful - mechanism for guiding path building (that is their purpose in the - certificate) and should therefore be assigned a heavy weight. - - NOTE: Although required to be present by [RFC3280], it is extremely - important that KIDs be used only as sorting criteria or as hints - during certification path building. KIDs are not required to match - during certification path validation and cannot be used to eliminate - certificates. This is of critical importance for interoperating - across domains and multi-vendor implementations where the KIDs may - not be calculated in the same fashion. - -3.5.13. Policy Processing - - May be used to eliminate certificates: Yes - Number of possible values: Three - Components required: None - - Forward Method: Certificates that satisfy Forward Policy Chaining - have priority. (See Section 4 entitled "Forward Policy Chaining" for - details.) If the caller provided an initial-policy-set and did not - set the initial-require-explicit flag, the weight of this sorting - method should be increased. If the initial-require-explicit-policy - flag was set by the caller or by a certificate, certificates may be - eliminated. - - Reverse Method: Certificates that contain policies/policy mappings - that will allow successful policy processing of the path to this - point have priority. If the caller provided an initial-policy-set - and did not set the initial-require-explicit flag, the weight of this - - - -Cooper, et al. Informational [Page 53] - -RFC 4158 Certification Path Building September 2005 - - - sorting method should be increased. Certificates may be eliminated - only if initial-require-explicit was set by the caller or if - require-explicit-policy was set by a certificate in the path to this - point. - - Justification: In a policy-using environment, certificates that - successfully propagate policies are more likely part of an intended - certification path than those that do not. - - When building in the forward direction, it is always possible that a - certificate closer to the trust anchor will set the require- - explicit-policy indicator; so giving preference to certification - paths that propagate policies may increase the probability of finding - a valid path first. If the caller (or a certificate in the current - path) has specified or set the initial-require-explicit-policy - indicator as true, this sorting method can also be used to eliminate - certificates when building in the forward direction. - - If building in reverse, it is always possible that a certificate - farther along the path will set the require-explicit-policy - indicator; so giving preference to those certificates that propagate - policies will serve well in that case. In the case where require- - explicit-policy is set by certificates or the caller, certificates - can be eliminated with this method. - -3.5.14. Policies Intersect the Sought Policy Set - - May be used to eliminate certificates: No - Number of possible values: Additive - Components required: None - - Forward Method: Certificates that assert policies found in the - initial-acceptable-policy-set have priority. Each additional - matching policy could have an additive affect on the total score. - - Alternately, this could be binary; it matches 1 or more, or matches - none. - - Reverse Method: Certificates that assert policies found in the - target certificate or map policies to those found in the target - certificate have priority. Each additional matching policy could - have an additive affect on the total score. Alternately, this could - be binary; it matches 1 or more, or matches none. - - Justification: In the forward direction, as the path draws near to - the trust anchor in a cross-certified environment, the policies - asserted in the CA certificates will match those in the caller's - domain. Since the initial acceptable policy set is specified in the - - - -Cooper, et al. Informational [Page 54] - -RFC 4158 Certification Path Building September 2005 - - - caller's domain, matches may indicate that the path building is - drawing nearer to a desired trust anchor. In the reverse direction, - finding policies that match those of the target certificate may - indicate that the path is drawing near to the target's domain. - -3.5.15. Endpoint Distinguished Name (DN) Matching - - May be used to eliminate certificates: No - Number of possible values: Binary - Components required: None - - Forward Method: Certificates whose issuer exactly matches a trust - anchor subject DN have priority. - - Reverse Method: Certificates whose subject exactly matches the - target entity issuer DN have priority. - - Justification: In the forward direction, if a certificate's issuer - DN matches a trust anchor's DN [X.501], then it may complete the - path. In the reverse direction, if the certificate's subject DN - matches the issuer DN of the target certificate, it may be the last - certificate required to complete the path. - -3.5.16. Relative Distinguished Name (RDN) Matching - - May be used to eliminate certificates: No - Number of possible values: Sliding Scale - Components required: None - - Forward Method: Certificates that match more ordered RDNs between - the issuer DN and a trust anchor DN have priority. When all the RDNs - match, this yields the highest priority. - - Reverse Method: Certificates with subject DNs that match more RDNs - with the target's issuer DN have higher priority. When all the RDNs - match, this yields the highest priority. - - Justification: In PKIs the DNs are frequently constructed in a tree - like fashion. Higher numbers of matches may indicate that the trust - anchor is to be found in that direction within the tree. Note that - in the case where all the RDNs match [X.501], this sorting method - appears to mirror the preceding one. However, this sorting method - should be capable of producing a 100% weight even if the issuer DN - has more RDNs than the trust anchor. The Issuer DN need only contain - all the RDNs (in order) of the trust anchor. - - NOTE: In the case where all RDNs match, this sorting method mirrors - the functionality of the preceding one. This allows for partial - - - -Cooper, et al. Informational [Page 55] - -RFC 4158 Certification Path Building September 2005 - - - matches to be weighted differently from exact matches. Additionally, - this method can require a lot of processing if many trust anchors are - present. - -3.5.17. Certificates are Retrieved from cACertificate Directory - Attribute - - May be used to eliminate certificates: No - Number of possible values: Binary - Components required: Certificate Cache with flags for the attribute - from where the certificate was retrieved and Remote Certificate - Storage/Retrieval using a directory - - Forward Method: Certificates retrieved from the cACertificate - directory attribute have priority over certificates retrieved from - the crossCertificatePair attribute. (See [RFC2587].) - - Reverse Method: Does not apply. - - Justification: The cACertificate directory attribute contains - certificates issued from local sources and self issued certificates. - By using the cACertificate directory attribute before the - crossCertificatePair attribute, the path-building algorithm will - (depending on the local PKI configuration) tend to demonstrate a - preference for the local PKI before venturing to external cross- - certified PKIs. Most of today's PKI applications spend most of their - time processing information from the local (user's own) PKI, and the - local PKI is usually very efficient to traverse due to proximity and - network speed. - -3.5.18. Consistent Public Key and Signature Algorithms - - May be used to eliminate certificates: Yes - Number of possible values: Binary - Components required: None - - Forward Method: If the public key in the issuer certificate matches - the algorithm used to sign the subject certificate, then it has - priority. (Certificates with unmatched public key and signature - algorithms may be eliminated.) - - Reverse Method: If the public key in the current certificate matches - the algorithm used to sign the subject certificate, then it has - priority. (Certificates with unmatched public key and signature - algorithms may be eliminated.) - - Justification: Since the public key and signature algorithms are not - consistent, the signature on the subject certificate will not verify - - - -Cooper, et al. Informational [Page 56] - -RFC 4158 Certification Path Building September 2005 - - - successfully. For example, if the issuer certificate contains an RSA - public key, then it could not have issued a subject certificate - signed with the DSA-with-SHA-1 algorithm. - -3.5.19. Similar Issuer and Subject Names - - May be used to eliminate certificates: No - Number of possible values: Sliding Scale - Components required: None - - Forward Method: Certificates encountered with a subject DN that - matches more RDNs with the issuer DN of the target certificate have - priority. - - Reverse Method: Same as forward. - - Justification: As it is generally more efficient to search the local - domain prior to branching to cross-certified domains, using - certificates with similar names first tends to make a more efficient - path builder. Cross-certificates issued from external domains will - generally match fewer RDNs (if any), whereas certificates in the - local domain will frequently match multiple RDNs. - -3.5.20. Certificates in the Certification Cache - - May be used to eliminate certificates: No - Number of possible values: Three - Components required: Local Certificate Cache and Remote Certificate - Storage/Retrieval (e.g., LDAP directory as the repository) - - Forward Method: A certificate whose issuer certificate is present in - the certificate cache and populated with certificates has higher - priority. A certificate whose issuer's entry is fully populated with - current data (all certificate attributes have been searched within - the timeout period) has higher priority. - - Reverse Method: If the subject of a certificate is present in the - certificate cache and populated with certificates, then it has higher - priority. If the entry is fully populated with current data (all - certificate attributes have been searched within the timeout period) - then it has higher priority. - - Justification: The presence of required directory values populated - in the cache increases the likelihood that all the required - certificates and CRLs needed to complete the path from this - certificate to the trust anchor (or target if building in reverse) - are present in the cache from a prior path being developed, thereby - - - - -Cooper, et al. Informational [Page 57] - -RFC 4158 Certification Path Building September 2005 - - - eliminating the need for directory access to complete the path. In - the event no path can be found, the performance cost is low since the - certificates were likely not retrieved from the network. - -3.5.21. Current CRL Found in Local Cache - - May be used to eliminate certificates: No - Number of possible values: Binary - Components Required: CRL Cache - - Forward Method: Certificates have priority if the issuer's CRL entry - exists and is populated with current data in the CRL cache. - - Reverse Method: Certificates have priority if the subject's CRL - entry exists and is populated with current data in the CRL cache. - - Justification: If revocation is checked only after a complete path - has been found, this indicates that a complete path has been found - through this entity at some past point, so a path still likely - exists. This also helps reduce remote retrievals until necessary. - -3.6. Certificate Sorting Methods for Revocation Signer Certification - Paths - - Unless using a locally-configured OCSP responder or some other - locally-configured trusted revocation status service, certificate - revocation information is expected to be provided by the PKI that - issued the certificate. It follows that when building a - certification path for a Revocation Signer certificate, it is - desirable to confine the building algorithm to the PKI that issued - the certificate. The following sorting methods seek to order - possible paths so that the intended Revocation Signer certification - path is found first. - - These sorting methods are not intended to be used in lieu of the ones - described in the previous section; they are most effective when used - in conjunction with those in Section 3.5. Some sorting criteria below - have identical names as those in the preceding section. This - indicates that the sorting criteria described in the preceding - section are modified slightly when building the Revocation Signer - certification path. - -3.6.1. Identical Trust Anchors - - May be used to eliminate certificates: No - Number of possible values: Binary - Components required: Is-revocation-signer indicator and the - Certification Authority's trust anchor - - - -Cooper, et al. Informational [Page 58] - -RFC 4158 Certification Path Building September 2005 - - - Forward Method: Not applicable. - - Reverse Method: Path building should begin from the same trust - anchor used to validate the Certification Authority before trying any - other trust anchors. If any trust anchors exist with a different - public key but an identical subject DN to that of the Certification - Authority's trust anchor, they should be tried prior to those with - mismatched names. - - Justification: The revocation information for a given certificate - should be produced by the PKI that issues the certificate. - Therefore, building a path from a different trust anchor than the - Certification Authority's is not desirable. - -3.6.2. Endpoint Distinguished Name (DN) Matching - - May be used to eliminate certificates: No - Number of possible values: Binary - Components required: Is-revocation-signer indicator and the - Certification Authority's trust anchor - - Forward Method: Operates identically to the sorting method described - in 3.5.15, except that instead of performing the matching against all - trust anchors, the DN matching is performed only against the trust - anchor DN used to validate the CA certificate. - - Reverse Method: No change for Revocation Signer's certification - path. - - Justification: The revocation information for a given certificate - should be produced by the PKI that issues the certificate. - Therefore, building a path to a different trust anchor than the CA's - is not desirable. This sorting method helps to guide forward - direction path building toward the trust anchor used to validate the - CA certificate. - -3.6.3. Relative Distinguished Name (RDN) Matching - - May be used to eliminate certificates: No - Number of possible values: Sliding Scale - Components required: Is-revocation-signer indicator and the - Certification Authority's trust anchor - - Forward Method: Operates identically to the sorting method described - in 3.5.16 except that instead of performing the RDN matching against - all trust anchors, the matching is performed only against the trust - anchor DN used to validate the CA certificate. - - - - -Cooper, et al. Informational [Page 59] - -RFC 4158 Certification Path Building September 2005 - - - Reverse Method: No change for Revocation Signer's certification - path. - - Justification: The revocation information for a given certificate - should be produced by the PKI that issues the certificate. - Therefore, building a path to a different trust anchor than the CA's - is not desirable. This sorting method helps to guide forward - direction path building toward the trust anchor used to validate the - CA certificate. - -3.6.4. Identical Intermediate Names - - May be used to eliminate certificates: No - Number of possible values: Binary - Components required: Is-revocation-signer indicator and the - Certification Authority's complete certification path - - Forward Method: If the issuer DN in the certificate matches the - issuer DN of a certificate in the Certification Authority's path, it - has higher priority. - - Reverse Method: If the subject DN in the certificate matches the - subject DN of a certificate in the Certification Authority's path, it - has higher priority. - - Justification: Following the same path as the Certificate should - deter the path-building algorithm from wandering in an inappropriate - direction. Note that this sorting method is indifferent to whether - the certificate is self-issued. This is beneficial in this situation - because it would be undesirable to lower the priority of a re-key - certificate. - -4. Forward Policy Chaining - - It is tempting to jump to the conclusion that certificate policies - offer little assistance to path building when building from the - target certificate. It's easy to understand the "validate as you go" - approach from the trust anchor, and much less obvious that any value - can be derived in the other direction. However, since policy - validation consists of the intersection of the issuer policy set with - the subject policy set and the mapping of policies from the issuer - set to the subject set, policy validation can be done while building - a path in the forward direction as well as the reverse. It is simply - a matter of reversing the procedure. That is not to say this is as - ideal as policy validation when building from the trust anchor, but - it does offer a method that can be used to mostly eliminate what has - long been considered a weakness inherent to building in the forward - (from the target certificate) direction. - - - -Cooper, et al. Informational [Page 60] - -RFC 4158 Certification Path Building September 2005 - - -4.1. Simple Intersection - - The most basic form of policy processing is the intersection of the - policy sets from the first CA certificate through the target - certificate. Fortunately, the intersection of policy sets will - always yield the same final set regardless of the order of - intersection. This allows processing of policy set intersections in - either direction. For example, if the trust anchor issues a CA - certificate (A) with policies {X,Y,Z}, and that CA issues another CA - certificate (B) with policies {X,Y}, and CA B then issues a third CA - certificate (C) with policy set {Y,G}, one normally calculates the - policy set from the trust anchor as follows: - - 1) Intersect A{X,Y,Z} with B{X,Y} to yield the set {X,Y} - - 2) Intersect that result, {X,Y} with C{Y,G} to yield the final set - {Y} - - Now it has been shown that certificate C is good for policy Y. - - The other direction is exactly the same procedure, only in reverse: - - 1) Intersect C{Y,G} with B{X,Y} to yield the set {Y} - - 2) Intersect that result, {Y} with A{X,Y,Z} to yield the final set - {Y} - - Just like in the reverse direction, it has been shown that - certificate C is good for policy Y, but this time in the forward - direction. - - When building in the forward direction, policy processing is handled - much like it is in reverse -- the software lends preference to - certificates that propagate policies. Neither approach guarantees - that a path with valid policies will be found, but rather both - approaches help guide the path in the direction it should go in order - for the policies to propagate. - - If the caller has supplied an initial-acceptable-policy set, there is - less value in using it when building in the forward direction unless - the caller also set inhibit-policy-mapping. In that case, the path - builder can further constrain the path building to propagating - policies that exist in the initial-acceptable-policy-set. However, - even if the inhibit-policy-mapping is not set, the initial-policy-set - can still be used to guide the path building toward the desired trust - anchor. - - - - - -Cooper, et al. Informational [Page 61] - -RFC 4158 Certification Path Building September 2005 - - -4.2. Policy Mapping - - When a CA issues a certificate into another domain, an environment - with disparate policy identifiers to its own, the CA may make use of - policy mappings to map equivalence from the local domain's policy to - the non-local domain's policy. If in the prior example, A had - included a policy mapping that mapped X to G in the certificate it - issued to B, C would be good for X and Y: - - 1) Intersect A{X,Y,Z} with B{X,Y} to yield the set {X,Y} - - 2) Process Policy Mappings in B's certificate (X maps to G) to yield - {G,Y} (same as {Y,G}) - - 3) Intersect that result, {G,Y} with C{Y,G} to yield the final set - {G,Y} - - Since policies are always expressed in the relying party's domain, - the certificate C is said to be good for {X, Y}, not {Y, G}. This is - because "G" doesn't mean anything in the context of the trust anchor - that issued A without the policy mapping. - - When building in the forward direction, policies can be "unmapped" by - reversing the mapping procedure. This procedure is limited by one - important aspect: if policy mapping has occurred in the forward - direction, there is no mechanism by which it can be known in advance - whether or not a future addition to the current path will invalidate - the policy chain (assuming one exists) by setting inhibit-policy- - mapping. Fortunately, it is uncommon practice to set this flag. The - following is the procedure for processing policy mapping in the - forward direction: - - 1) Begin with C's policy set {Y,G} - - 2) Apply the policy mapping in B's certificate (X maps to G) in - reverse to yield {Y,X} (same as {X,Y}) - - 3) Intersect the result {X,Y} with B{X,Y} to yield the set {X,Y} - - 4) Intersect that result, {X,Y}, with A{X,Y,Z} to yield the final set - {X,Y} - - Just like in the reverse direction, it is determined in the forward - direction that certificate C is good for policies {X,Y}. If during - this procedure, an inhibit-policy-mapping flag was encountered, what - should be done? This is reasonably easy to keep track of as well. - The software simply maintains a flag on any policies that were - propagated as a result of a mapping; just a simple Boolean kept with - - - -Cooper, et al. Informational [Page 62] - -RFC 4158 Certification Path Building September 2005 - - - the policies in the set. Imagine now that the certificate issued to - A has the inhibit-policy-mapping constraint expressed with a skip - certificates value of zero. - - 1) Begin with C's policy set {Y,G} - - 2) Apply the policy mapping in B's certificate and mark X as - resulting from a mapping. (X maps to G) in reverse to yield {Y,Xm} - (same as {Xm,Y}) - - 3) Intersect the result {Xm,Y} with B{X,Y} to yield the set {Xm,Y} - - 4) A's certificate expresses the inhibit policy mapping constraint, - so eliminate any policies in the current set that were propagated - due to mapping (which is Xm) to yield {Y} - - 5) Intersect that result, {Y} with A{X,Y,Z} to yield the final set - {Y} - - If in our example, the policy set had gone to empty at any point (and - require-explicit-policy was set), the path building would back up and - try to traverse another branch of the tree. This is analogous to the - path-building functionality utilized in the reverse direction when - the policy set goes to empty. - -4.3. Assigning Scores for Forward Policy Chaining - - Assuming the path-building module is maintaining the current forward - policy set, weights may be assigned using the following procedure: - - 1) For each CA certificate being scored: - - a. Copy the current forward policy set. - - b. Process policy mappings in the CA certificate in order to - "un-map" policies, if any. - - c. Intersect the resulting set with CA certificate's policies. - - The larger the policy set yielded, the larger the score for that CA - certificate. - - 2) If an initial acceptable set was supplied, intersect this set with - the resulting set for each CA certificate from (1). - - The larger the resultant set, the higher the score is for this - certificate. - - - - -Cooper, et al. Informational [Page 63] - -RFC 4158 Certification Path Building September 2005 - - - Other scoring schemes may work better if the operating environment - dictates. - -5. Avoiding Path-Building Errors - - This section defines some errors that may occur during the path- - building process, as well as ways to avoid these errors when - developing path-building functions. - -5.1. Dead Ends - - When building certification paths in a non-hierarchical PKI - structure, a simple path-building algorithm could fail prematurely - without finding an existing path due to a "dead end". Consider the - example in Figure 14. - - +----+ +---+ - | TA | | Z | - +----+ +---+ - | | - | | - V V - +---+ +---+ - | C |<-----| Y | - +---+ +---+ - | - | - V - +--------+ - | Target | - +--------+ - - Figure 14 - Dead End Example - - Note that in the example, C has two certificates: one issued by Y, - and the other issued by the Trust Anchor. Suppose that a simple - "find issuer" algorithm is used, and the order in which the path - builder found the certificates was Target(C), C(Y), Y(Z), Z(Z). In - this case, Z has no certificates issued by any other entities, and so - the simplistic path-building process stops. Since Z is not the - relying party's trust anchor, the certification path is not complete, - and will not validate. This example shows that in anything but the - simplest PKI structure, additional path-building logic will need to - handle the cases in which entities are issued multiple certificates - from different issuers. The path-building algorithm will also need - to have the ability to traverse back up the decision tree and try - another path in order to be robust. - - - - -Cooper, et al. Informational [Page 64] - -RFC 4158 Certification Path Building September 2005 - - -5.2. Loop Detection - - In a non-hierarchical PKI structure, a path-building algorithm may - become caught in a loop without finding an existing path. Consider - the example below: - - +----+ - | TA | - +----+ - | - | - +---+ +---+ - | A | ->| Z | - +---+ / +---+ - | / | - | / | - V / V - +---+ +---+ - | B |<-----| Y | - +---+ +---+ - | - | - V - +--------+ - | Target | - +--------+ - - Figure 15 - Loop Example - - Let us suppose that in this example the simplest "find issuer" - algorithm is used, and the order in which certificates are retrieved - is Target(B), B(Y), Y(Z), Z(B), B(Y), Y(Z), Z(B), B(Y), ... A loop - has formed that will cause the correct path (Target, B, A) to never - be found. The certificate processing system will need to recognize - loops created by duplicate certificates (which are prohibited in a - path by [X.509]) before they form to allow the certification path- - building process to continue and find valid paths. The authors of - this document recommend that the loop detection not only detect the - repetition of a certificate in the path, but also detect the presence - of the same subject name / subject alternative name/ subject public - key combination occurring twice in the path. A name/key pair should - only need to appear once in the path. (See Section 2.4.2 for more - information on the reasoning behind this recommendation.) - - - - - - - - -Cooper, et al. Informational [Page 65] - -RFC 4158 Certification Path Building September 2005 - - -5.3. Use of Key Identifiers - - Inconsistent and/or incompatible approaches to computing the subject - key identifier and authority key identifier in public key - certificates can cause failures in certification path-building - algorithms that use those fields to identify certificates, even - though otherwise valid certification paths may exist. Path-building - implementations should use existing key identifiers and not attempt - to re-compute subject key identifiers. It is extremely important - that Key Identifiers be used only as sorting criteria or hints. KIDs - are not required to match during certification path validation and - cannot be used to eliminate certificates. This is of critical - importance for interoperating across domains and multi-vendor - implementations where the KIDs may not be calculated in the same - fashion. - - Path-building and processing implementations should not rely on the - form of authority key identifier that uses the authority DN and - serial number as a restrictive matching rule, because cross- - certification can lead to this value not being matched by the cross- - certificates. - -5.4. Distinguished Name Encoding - - Certification path-building software should not rely on DNs being - encoded as PrintableString. Although frequently encoded as - PrintableString, DNs may also appear as other types, including - BMPString or UTF8String. As a result, software systems that are - unable to process BMPString and UTF8String encoded DNs may be unable - to build and validate some certification paths. - - Furthermore, [RFC3280] compliant certificates are required to encode - DNs as UTF8String as of January 1, 2004. Certification path-building - software should be prepared to handle "name rollover" certificates as - described in [RFC3280]. Note that the inclusion of a "name rollover" - certificate in a certification path does not constitute repetition of - a DN and key. Implementations that include the "name rollover" - certificate in the path should ensure that the DNs with differing - encoding are regarded as dissimilar. (Implementations may instead - handle matching DNs of different encodings and will therefore not - need to include "name rollover" certificates in the path.) - - - - - - - - - - -Cooper, et al. Informational [Page 66] - -RFC 4158 Certification Path Building September 2005 - - -6. Retrieval Methods - - Building a certification path requires the availability of the - certificates and CRLs that make up the path. There are many - different methods for obtaining these certificates and CRLs. This - section lists a few of the common ways to perform this retrieval, as - well as some suggested approaches for improving performance. This - section is not intended to provide a complete reference for - certificate and CRL retrieval methods or optimizations that would be - useful in certification path building. - -6.1. Directories Using LDAP - - Most applications utilize the Lightweight Directory Access Protocol - (LDAP) when retrieving data from directories following the X.500 - model. Applications may encounter directories which support either - LDAP v2 [RFC1777] or LDAP v3 [RFC3377]. - - The LDAP v3 specification defines one attribute retrieval option, the - "binary" option. When specified in an LDAP retrieval request, this - option was intended to force the directory to ignore any string-based - representations of BER-encoded directory information, and send the - requested attribute(s) in BER format. Since all PKI objects of - concern are BER-encoded objects, the "binary" option should be used. - However, not all directories support the "binary" option. Therefore, - applications should be capable of requesting attributes with and - without the "binary" option. For example, if an application wishes - to retrieve the userCertificate attribute, the application should - request "userCertificate;binary". If the desired information is not - returned, robust implementations may opt to request "userCertificate" - as well. - - The following attributes should be considered by PKI application - developers when performing certificate retrieval from LDAP sources: - - userCertificate: contains certificates issued by one or more - certification authorities with a subject DN that matches that of - the directory entry. This is a multi-valued attribute and all - values should be received and considered during path building. - Although typically it is expected that only end entity - certificates will be stored in this attribute, (e.g., this is the - attribute an application would request to find a person's - encryption certificate) implementers may opt to search this - attribute when looking in CA entries to make their path builder - more robust. If it is empty, the overhead added by including this - attribute when already requesting one or both of the two below is - marginal. - - - - -Cooper, et al. Informational [Page 67] - -RFC 4158 Certification Path Building September 2005 - - - cACertificate: contains self-issued certificates (if any) and any - certificates issued to this certification authority by other - certification authorities in the same realm. (Realm is dependent - upon local policy.) This is a multi-valued attribute and all - values should be received and considered during path building. - - crossCertificatePair: in conformant implementations, the - crossCertificatePair is used to contain all, except self-issued - certificates issued to this certification authority, as well as - certificates issued by this certification authority to other - certification authorities. Each attribute value is a structure - containing two elements. The issuedToThisCA element contains - certificates issued to this certification authority by other - certification authorities. The issuedByThisCA element contains - certificates issued by this certification authority to other - certification authorities. Both elements of the - crossCertificatePair are labeled optional in the ASN.1 definition. - If both elements are present in a single value, the issuer name in - one certificate is required to match the subject name in the other - and vice versa, and the subject public key in one certificate - shall be capable of verifying the digital signature on the other - certificate and vice versa. As this technology has evolved, - different standards have had differing requirements on where - information could be found. For example, the LDAP v2 schema - [RFC2587] states that the issuedToThisCA (once called 'forward') - element of the crossCertificatePair attribute is mandatory and the - issuedByThisCA (once called 'reverse') element is optional. In - contrast, Section 11.2.3 of [X.509] requires the issuedByThisCA - element to be present if the CA issues a certificate to another CA - if the subject is not a subordinate CA in a hierarchy. Conformant - directories behave as required by [X.509], but robust path- - building implementations may want to retrieve all certificates - from the cACertificate and crossCertificatePair attributes to - ensure all possible certification authority certificates are - obtained. - - certificateRevocationList: the certificateRevocationList attribute - contains a certificate revocation list (CRL). A CRL is defined in - [RFC3280] as a time stamped list identifying revoked certificates, - which is signed by a CA or CRL issuer and made freely available in - a public repository. Each revoked certificate is identified in a - CRL by its certificate serial number. There may be one or more - CRLs in this attribute, and the values should be processed in - accordance with [RFC3280]. - - - - - - - -Cooper, et al. Informational [Page 68] - -RFC 4158 Certification Path Building September 2005 - - - authorityRevocationList: the authorityRevocationList attribute also - contains CRLs. These CRLs contain revocation information - regarding certificates issued to other CAs. There may be one or - more CRLs in this attribute, and the values should be processed in - accordance with [RFC3280]. - - Certification path processing systems that plan to interoperate with - varying PKI structures and directory designs should at a minimum be - able to retrieve and process the userCertificate, cACertificate, - crossCertificatePair, certificateRevocationList, and - authorityRevocationList attributes from directory entries. - -6.2. Certificate Store Access via HTTP - - Another possible method of certificate retrieval is using HTTP as an - interface mechanism for retrieving certificates and CRLs from PKI - repositories. A current PKIX document [CERTSTORE] provides a - protocol for a general-purpose interface capability for retrieving - certificates and CRLs from PKI repositories. Since the [CERTSTORE] - document is a work in progress as of the writing of this document, no - details are given here on how to utilize this mechanism for - certificate and CRL retrieval. Instead, refer to the [CERTSTORE] - document or its current version. Certification path processing - systems may wish to implement support for this interface capability, - especially if they will be used in environments that will provide - HTTP-based access to certificates and CRLs. - -6.3. Authority Information Access - - The authority information access (AIA) extension, defined within - [RFC3280], indicates how to access CA information and services for - the issuer of the certificate in which the extension appears. If a - certificate with an AIA extension contains an accessMethod defined - with the id-ad-caIssuers OID, the AIA may be used to retrieve one or - more certificates for the CA that issued the certificate containing - the AIA extension. The AIA will provide a uniform resource - identifier (URI) [RFC3986] when certificates can be retrieved via - LDAP, HTTP, or FTP. The AIA will provide a directoryName when - certificates can be retrieved via directory access protocol (DAP). - The AIA will provide an rfc822Name when certificates can be retrieved - via electronic mail. Additionally, the AIA may specify the location - of an OCSP [RFC2560] responder that is able to provide revocation - information for the certificate. - - If present, AIA may provide forward path-building implementations - with a direct link to a certificate for the issuer of a given - certificate. Therefore, implementations may wish to provide support - for decoding the AIA extension and processing the LDAP, HTTP, FTP, - - - -Cooper, et al. Informational [Page 69] - -RFC 4158 Certification Path Building September 2005 - - - DAP, or e-mail locators. Support for AIA is optional; [RFC3280] - compliant implementations are not required to populate the AIA - extension. However, implementers of path-building and validation - modules are strongly encouraged to support AIA, especially the HTTP - transport; this will provide for usability and interoperability with - many existing PKIs. - -6.4. Subject Information Access - - The subject information access (SIA) extension, defined within - [RFC3280], indicates how to access information and services for the - subject of the certificate in which the extension appears. If a - certificate with an SIA extension contains an accessMethod defined - with the id-ad-caRepository OID, the SIA may be used to locate one or - more certificates (and possibly CRLs) for entities issued - certificates by the subject. The SIA will provide a uniform resource - identifier (URI) [RFC3986] when data can be retrieved via LDAP, HTTP, - or FTP. The SIA will provide a directoryName when data can be - retrieved via directory access protocol (DAP). The SIA will provide - an rfc822Name when data can be retrieved via electronic mail. - - If present, the SIA extension may provide reverse path-building - implementations with the certificates required to continue building - the path. Therefore, implementations may wish to provide support for - decoding the SIA extension and processing the LDAP, HTTP, FTP, DAP, - or e-mail locators. Support for SIA is optional; [RFC3280] compliant - implementations are not required to populate the SIA extension. - However, implementers of path-building and validation modules are - strongly encouraged to support SIA, especially the HTTP transport; - this will provide for usability and interoperability with many - existing PKIs. - -6.5. CRL Distribution Points - - The CRL distribution points (CRLDP) extension, defined within - [RFC3280], indicates how to access CRL information. If a CRLDP - extension appears within a certificate, the CRL(s) to which the CRLDP - refer are generally the CRLs that would contain revocation - information for the certificate. The CRLDP extension may point to - multiple distribution points from which the CRL information may be - obtained; the certificate processing system should process the CRLDP - extension in accordance with [RFC3280]. The most common distribution - points contain URIs from which the appropriate CRL may be downloaded, - and directory names, which can be queried in a directory to retrieve - the CRL attributes from the corresponding entry. - - - - - - -Cooper, et al. Informational [Page 70] - -RFC 4158 Certification Path Building September 2005 - - - If present, CRLDP can provide certificate processing implementations - with a link to CRL information for a given certificate. Therefore, - implementations may wish to provide support for decoding the CRLDP - extension and using the information to retrieve CRLs. Support for - CRLDP is optional and [RFC3280] compliant implementations need not - populate the CRLDP extension. However, implementers of path-building - and validation modules are strongly encouraged to support CRLDPs. At - a minimum, developers are encouraged to consider supporting the LDAP - and HTTP transports; this will provide for interoperability across a - wide range of existing PKIs. - -6.6. Data Obtained via Application Protocol - - Many application protocols, such as SSL/TLS and S/MIME, allow one - party to provide certificates and CRLs to another. Data provided in - this method is generally very valuable to path-building software - (will provide direction toward valid paths), and should be stored and - used accordingly. Note: self-signed certificates obtained via - application protocol are not trustworthy; implementations should only - consider the relying party's trust anchors when building paths. - -6.7. Proprietary Mechanisms - - Some certificate issuing systems and certificate processing systems - may utilize proprietary retrieval mechanisms, such as network mapped - drives, databases, or other methods that are not directly referenced - via the IETF standards. Certificate processing systems may wish to - support other proprietary mechanisms, but should only do so in - addition to supporting standard retrieval mechanisms such as LDAP, - AIA, and CRLDP (unless functioning in a closed environment). - -7. Improving Retrieval Performance - - Retrieval performance can be improved through a few different - mechanisms, including the use of caches and setting a specific - retrieval order. This section discusses a few methods by which the - performance of a certificate processing system may be improved during - the retrieval of PKI objects. Certificate processing systems that - are consistently very slow during processing will be disliked by - users and will be slow to be adopted into organizations. Certificate - processing systems are encouraged to do whatever possible to reduce - the delays associated with requesting and retrieving data from - external sources. - - - - - - - - -Cooper, et al. Informational [Page 71] - -RFC 4158 Certification Path Building September 2005 - - -7.1. Caching - - Certificate processing systems operating in a non-hierarchical PKI - will often need to retrieve certificates and certificate revocation - lists (CRLs) from a source outside the application protocol. - Typically, these objects are retrieved from an X.500 or LDAP - repository, an Internet URI [RFC3986], or some other non-local - source. Due to the delays associated with establishing connections - as well as network transfers, certificate processing systems ought to - be as efficient as possible when retrieving data from external - sources. Perhaps the best way to improve retrieval efficiency is by - using a caching mechanism. Certificate processing systems can cache - data retrieved from external sources for some period of time, but not - to exceed the useful period of the data (i.e., an expired certificate - need not be cached). Although this comes at a cost of increased - memory/disk consumption by the system, the cost and performance - benefit of reducing network transmissions is great. Also, CRLs are - often issued and available in advance of the nextUpdate date in the - CRL. Implementations may wish to obtain these "fresher" CRLs before - the nextUpdate date has passed. - - There are a number of different ways in which caching can be - implemented; the specifics of these methods can be used as - distinguishing characteristics between certificate processing - systems. However, some things that implementers may wish to consider - when developing caching systems are as follows: - - - If PKI objects are cached, the certification path-building - mechanism should be able to examine and retrieve from the cache - during path building. This will allow the certificate - processing system to find or eliminate one or more paths quickly - without requiring external contact with a directory or other - retrieval mechanism. - - - Sharing caches between multiple users (via a local area network - or LAN) may be useful if many users in one organization - consistently perform PKI operations with another organization. - - - Caching not only PKI objects (such as certificates and CRLs) but - also relationships between PKI objects (storing a link between a - certificate and the issuer's certificate) may be useful. This - linking may not always lead to the most correct or best - relationship, but could represent a linking that worked in - another scenario. - - - Previously built paths and partial paths are quite useful to - cache, because they will provide information on previous - successes or failures. Additionally, if the cache is safe from - - - -Cooper, et al. Informational [Page 72] - -RFC 4158 Certification Path Building September 2005 - - - unauthorized modifications, caching validation and signature - checking status for certificates, CRLs, and paths can also be - stored. - -7.2. Retrieval Order - - To optimize efficiency, certificate processing systems are encouraged - to also consider the order in which different PKI objects are - retrieved, as well as the mechanism from which they are retrieved. - If caching is utilized, the caches can be consulted for PKI objects - before attempting other retrieval mechanisms. If multiple caches are - present (such as local disk and network), the caches can be consulted - in the order in which they can be expected to return their result - from fastest to slowest. For example, if a certificate processing - system wishes to retrieve a certificate with a particular subject DN, - the system might first consult the local cache, then the network - cache, and then attempt directory retrieval. The specifics of the - types of retrieval mechanisms and their relative costs are left to - the implementer. - - In addition to ordering retrieval mechanisms, the certificate - processing system ought to order the relative merits of the different - external sources from which a PKI object can be retrieved. If the - AIA is present within a certificate, with a URI [RFC3986] for the - issuer's certificate, the certificate processing system (if able) may - wish to attempt to retrieve the certificate first from local cache - and then by using that URI (because it is expected to point directly - to the desired certificate) before attempting to retrieve the - certificates that may exist within a directory. - - If a directory is being consulted, it may be desirable to retrieve - attributes in a particular order. A highly cross-certified PKI - structure will lead to multiple possibilities for certification - paths, which may mean multiple validation attempts before a - successful path is retrieved. Therefore, cACertificate and - userCertificate (which typically contain certificates from within the - same 'realm') could be consulted before attempting to retrieve the - crossCertificatePair values for an entry. Alternately, all three - attributes could be retrieved in one query, but cross-certificates - then tagged as such and used only after exhausting the possibilities - from the cACertificate attribute. The best approach will depend on - the nature of the application and PKI environment. - -7.3. Parallel Fetching and Prefetching - - Much of this document has focused on a path-building algorithm that - minimizes the performance impact of network retrievals, by preventing - those retrievals and utilization of caches. Another way to improve - - - -Cooper, et al. Informational [Page 73] - -RFC 4158 Certification Path Building September 2005 - - - performance would be to allow network retrievals to be performed in - advance (prefetching) or at the same time that other operations are - performed (parallel fetching). For example, if an email application - receives a signed email message, it could download the required - certificates and CRLs prior to the recipient viewing (or attempting - to verify) the message. Implementations that provide the capability - of parallel fetching and/or prefetching, along with a robust cache, - can lead to greatly improved performance or user experience. - -8. Security Considerations - -8.1. General Considerations for Building a Certification Path - - Although certification path building deals directly with security - relevant PKI data, the PKI data itself needs no special handling - because its integrity is secured with the digital signature applied - to it. The only exception to this is the appropriate protection of - the trust anchor public keys. These are to be kept safe and obtained - out of band (e.g., not from an electronic mail message or a - directory) with respect to the path-building module. - - The greatest security risks associated with this document revolve - around performing certification path validation while certification - paths are built. It is therefore noted here that fully implemented - certification path validation in accordance with [RFC3280] and - [X.509] is required in order for certification path building, - certification path validation, and the certificate using application - to be properly secured. All of the Security Considerations listed in - Section 9 of [RFC3280] apply equally here. - - In addition, as with any application that consumes data from - potentially untrusted network locations, certification path-building - components should be carefully implemented so as to reduce or - eliminate the possibility of network based exploits. For example, a - poorly implemented path-building module may not check the length of - the CRLDP URI [RFC3986] before using the C language strcpy() function - to place the address in a 1024 byte buffer. A hacker could use such - a flaw to create a buffer overflow exploit by encoding malicious - assembly code into the CRLDP of a certificate and then use the - certificate to attempt an authentication. Such an attack could yield - system level control to the attacker and expose the sensitive data - the PKI was meant to protect. - - Path building may be used to mount a denial of service (DOS) attack. - This might occur if multiple simple requests could be performed that - cause a server to perform a number of path developments, each taking - time and resources from the server. Servers can help avoid this by - limiting the resources they are willing to devote to path building, - - - -Cooper, et al. Informational [Page 74] - -RFC 4158 Certification Path Building September 2005 - - - and being able to further limit those resources when the load is - heavy. Standard DOS protections such as systems that identify and - block attackers can also be useful. - - A DOS attack can be also created by presenting spurious CA - certificates containing very large public keys. When the system - attempts to use the large public key to verify the digital signature - on additional certificates, a long processing delay may occur. This - can be mitigated by either of two strategies. The first strategy is - to perform signature verifications only after a complete path is - built, starting from the trust anchor. This will eliminate the - spurious CA certificate from consideration before the large public - key is used. The second strategy is to recognize and simply reject - keys longer than a certain size. - - A similar DOS attack can occur with very large public keys in end - entity certificates. If a system uses the public key in a - certificate before building and validating that certificate's - certification path, long processing delays may occur. To mitigate - this threat, the public key in an end entity certificate should not - be used for any purpose until a complete certification path for that - certificate is built and validated. - -8.2. Specific Considerations for Building Revocation Signer - Certification Paths - - If the CRL Signer certificate (and certification path) is not - identical to the Certification Authority certificate (and - certification path), special care should be exercised when building - the CRL Signer certification path. - - If special consideration is not given to building a CRL Signer - certification path, that path could be constructed such that it - terminates with a different root or through a different certification - path to the same root. If this behavior is not prevented, the - relying party may end up checking the wrong revocation data, or even - maliciously substituted data, resulting in denial of service or - security breach. - - For example, suppose the following certification path is built for E - and is valid for an example "high assurance" policy. - - A->B->C->E - - When the building/validation routine attempts to verify that E is not - revoked, C is referred to as the Certification Authority certificate. - The path builder finds that the CRL for checking the revocation - status of E is issued by C2; a certificate with the subject name "C", - - - -Cooper, et al. Informational [Page 75] - -RFC 4158 Certification Path Building September 2005 - - - but with a different key than the key that was used to sign E. C2 is - referred to as the CRL Signer. An unrestrictive certification path - builder might then build a path such as the following for the CRL - Signer C2 certificate: - - X->Y->Z->C2 - - If a path such as the one above is permitted, nothing can be - concluded about the revocation status of E since C2 is a different CA - from C. - - Fortunately, preventing this security problem is not difficult and - the solution also makes building CRL Signer certification paths very - efficient. In the event the CRL Signer certificate is identical to - the Certification Authority certificate, the Certification Authority - certification path should be used to verify the CRL; no additional - path building is required. If the CRL Signer certificate is not - identical to the Certification Authority certificate, a second path - should be built for the CRL Signer certificate in exactly the same - fashion as for any certificate, but with the following additional - guidelines: - - 1. Trust Anchor: The CRL Signer's certification path should start - with the same trust anchor as the Certification Authority's - certification path. Any trust anchor certificate with a subject - DN matching that of the Certification Authority's trust anchor - should be considered acceptable though lower in priority than the - one with a matching public key and subject DN. While different - trust anchor public keys are acceptable at the beginning of the - CRL signer's certification path and the Certification Authority's - certification path, both keys must be trusted by the relying - party per the recommendations in Section 8.1. - - 2. CA Name Matching: The subject DNs for all CA certificates in the - two certification paths should match on a one-to-one basis - (ignoring self-issued certificates) for the entire length of the - shorter of the two paths. - - 3. CRL Signer Certification Path Length: The length of the CRL - Signer certification path (ignoring self-issued certificates) - should be equal to or less than the length of the Certification - Authority certification path plus (+) one. This allows a given - Certification Authority to issue a certificate to a - delegated/subordinate CRL Signer. The latter configuration - represents the maximum certification path length for a CRL Signer - certificate. - - - - - -Cooper, et al. Informational [Page 76] - -RFC 4158 Certification Path Building September 2005 - - - The reasoning behind the first guideline is readily apparent. - Lacking this and the second guideline, any trusted CA could issue - CRLs for any other CA, even if the PKIs are not related in any - fashion. For example, one company could revoke certificates issued - by another company if the relying party trusted the trust anchors - from both companies. The two guidelines also prevent erroneous CRL - checks since Global uniqueness of names is not guaranteed. - - The second guideline prevents roaming certification paths such as the - previously described example CRL Signer certification path for - A->B->C->E. It is especially important that the "ignoring self- - issued certificates" is implemented properly. Self-issued - certificates are cast out of the one-to-one name comparison in order - to allow for key rollover. The path-building algorithm may be - optimized to only consider certificates with the acceptable subject - DN for the given point in the CRL Signer certification path while - building the path. - - The third and final guideline ensures that the CRL used is the - intended one. Without a restriction on the length of the CRL Signer - certification path, the path could roam uncontrolled into another - domain and still meet the first two guidelines. For example, again - using the path A->B->C->E, the Certification Authority C, and a CRL - Signer C2, a CRL Signer certification path such as the following - could pass the first two guidelines: - - A->B->C->D->X->Y->RogueCA->C2 - - In the preceding example, the trust anchor is identical for both - paths and the one-to-one name matching test passes for A->B->C. - However, accepting such a path has obvious security consequences, so - the third guideline is used to prevent this situation. Applying the - second and third guideline to the certification path above, the path - builder could have immediately detected this path was not acceptable - (prior to building it) by examining the issuer DN in C2. Given the - length and name guidelines, the path builder could detect that - "RogueCA" is not in the set of possible names by comparing it to the - set of possible CRL Signer issuer DNs, specifically, A, B, or C. - - Similar consideration should be given when building the path for the - OCSP Responder certificate when the CA is the OCSP Response Signer or - the CA has delegated the OCSP Response signing to another entity. - - - - - - - - - -Cooper, et al. Informational [Page 77] - -RFC 4158 Certification Path Building September 2005 - - -9. Acknowledgements - - The authors extend their appreciation to David Lemire for his efforts - coauthoring "Managing Interoperability in Non-Hierarchical Public Key - Infrastructures" from which material was borrowed heavily for use in - the introductory sections. - - This document has also greatly benefited from the review and - additional technical insight provided by Dr. Santosh Chokhani, Carl - Wallace, Denis Pinkas, Steve Hanna, Alice Sturgeon, Russ Housley, and - Tim Polk. - -10. Normative References - - [RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet - X.509 Public Key Infrastructure Certificate and - Certificate Revocation List (CRL) Profile", RFC 3280, - April 2002. - -11. Informative References - - [MINHPKIS] Hesse, P., and D. Lemire, "Managing Interoperability in - Non-Hierarchical Public Key Infrastructures", 2002 - Conference Proceedings of the Internet Society Network - and Distributed System Security Symposium, February 2002. - - [RFC1777] Yeong, W., Howes, T., and S. Kille, "Lightweight - Directory Access Protocol", RFC 1777, March 1995. - - [RFC2560] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C. - Adams, "X.509 Internet Public Key Infrastructure Online - Certificate Status Protocol - OCSP", RFC 2560, June 1999. - - [RFC2587] Boeyen, S., Howes, T., and P. Richard, "Internet X.509 - Public Key Infrastructure LDAPv2 Schema", RFC 2587, June - 1999. - - [RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory Access - Protocol (v3): Technical Specification", RFC 3377, - September 2002. - - [RFC3820] Tuecke, S., Welch, V., Engert, D., Pearlman, L., and M. - Thompson, "Internet X.509 Public Key Infrastructure (PKI) - Proxy Certificate Profile", RFC 3820, June 2004. - - [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform - Resource Identifier (URI): Generic Syntax", STD 66, RFC - 3986, January 2005. - - - -Cooper, et al. Informational [Page 78] - -RFC 4158 Certification Path Building September 2005 - - - [X.501] ITU-T Recommendation X.501: Information Technology - Open - Systems Interconnection - The Directory: Models, 1993. - - [X.509] ITU-T Recommendation X.509 (2000 E): Information - Technology - Open Systems Interconnection - The - Directory: Authentication Framework, March 2000. - - [PKIXALGS] Bassham, L., Polk, W. and R. Housley, "Algorithms and - Identifiers for the Internet X.509 Public Key - Infrastructure Certificate and Certificate Revocation - Lists (CRL) Profile", RFC 3279, April 2002. - - [CERTSTORE] P. Gutmann, "Internet X.509 Public Key Infrastructure - Operational Protocols: Certificate Store Access via - HTTP", Work in Progress, August 2004. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Cooper, et al. Informational [Page 79] - -RFC 4158 Certification Path Building September 2005 - - -Authors' Addresses - - Matt Cooper - Orion Security Solutions, Inc. - 1489 Chain Bridge Rd, Ste. 300 - McLean, VA 22101, USA - - Phone: +1-703-917-0060 - EMail: mcooper@orionsec.com - - - Yuriy Dzambasow - A&N Associates, Inc. - 999 Corporate Blvd Ste. 100 - Linthicum, MD 21090, USA - - Phone: +1-410-859-5449 x107 - EMail: yuriy@anassoc.com - - - Peter Hesse - Gemini Security Solutions, Inc. - 4451 Brookfield Corporate Dr. Ste. 200 - Chantilly, VA 20151, USA - - Phone: +1-703-378-5808 x105 - EMail: pmhesse@geminisecurity.com - - - Susan Joseph - Van Dyke Technologies - 6716 Alexander Bell Drive - Columbia, MD 21046 - - EMail: susan.joseph@vdtg.com - - - Richard Nicholas - BAE Systems Information Technology - 141 National Business Parkway, Ste. 210 - Annapolis Junction, MD 20701, USA - - Phone: +1-301-939-2722 - EMail: richard.nicholas@it.baesystems.com - - - - - - - -Cooper, et al. Informational [Page 80] - -RFC 4158 Certification Path Building September 2005 - - -Full Copyright Statement - - Copyright (C) The Internet Society (2005). - - This document is subject to the rights, licenses and restrictions - contained in BCP 78, and except as set forth therein, the authors - retain all their rights. - - This document and the information contained herein are provided on an - "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS - OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET - ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, - INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE - INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED - WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - -Intellectual Property - - The IETF takes no position regarding the validity or scope of any - Intellectual Property Rights or other rights that might be claimed to - pertain to the implementation or use of the technology described in - this document or the extent to which any license under such rights - might or might not be available; nor does it represent that it has - made any independent effort to identify any such rights. Information - on the procedures with respect to rights in RFC documents can be - found in BCP 78 and BCP 79. - - Copies of IPR disclosures made to the IETF Secretariat and any - assurances of licenses to be made available, or the result of an - attempt made to obtain a general license or permission for the use of - such proprietary rights by implementers or users of this - specification can be obtained from the IETF on-line IPR repository at - http://www.ietf.org/ipr. - - The IETF invites any interested party to bring to its attention any - copyrights, patents or patent applications, or other proprietary - rights that may cover technology that may be required to implement - this standard. Please address the information to the IETF at ietf- - ipr@ietf.org. - -Acknowledgement - - Funding for the RFC Editor function is currently provided by the - Internet Society. - - - - - - - -Cooper, et al. Informational [Page 81] - |