Path Discovery and Validation

Background

There are many communities of interest participating in the FPKI, including federal agencies and outside bodies such as universities, state and local governments, commercial entities, shared service providers, and community-of-interest bridges. The FPKI unifies disparate PKI domains by creating trust paths among the participating PKI domains. Certificates issued from FPKI domains and the associated trust paths are validated by Relying Parties (RPs) internal and external to the FPKI. Due to the complexity of the FPKI certificate trust paths and the interconnected relationships within the FPKI Community, proper validation of FPKI certificates is critical, albeit challenging.

What is Path Discovery and Validation?

Certificate validation consists of two phases, path discovery and path validation, together known as Path Discovery and Validation (PD-VAL). Path discovery is the process of finding a chain of certificates running from the RP's trust anchor to the certificate being validated, together with the associated Certificate Revocation Lists (CRLs) and/or Online Certificate Status Protocol (OCSP) responses. Path validation is the process of examining each certificate and each CRL and/or OCSP response in that path and determining the validation status of the path at a given moment, within the parameters being enforced by the PD-VAL product. A path may be discovered dynamically as needed, or it may be assembled from stored (or "cached") data. Vendors vary in how they implement PD-VAL in their products.
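The two phases are easiest to see side by side in code. The following Go program is an added example, not part of this page and not one of the NIST test suites: it builds a small constructed PKI (a trust anchor, a bridge CA cross-certified by it, an agency CA cross-certified by the bridge, and two end-entity certificates; all names are hypothetical), then uses the standard-library crypto/x509 package to discover and validate paths, and checks a CRL separately because x509 path validation does not consult revocation data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Constructed test PKI (hypothetical names, not FPKI data): trust anchor, bridge CA
// cross-certified by it, agency CA cross-certified by the bridge, two end-entity certs.
type testPKI struct {
	root, bridge, agency, leaf, expired *x509.Certificate
	agencyKey                           *ecdsa.PrivateKey
}

var serial int64 // serial numbers for the constructed certificates

// template builds a CA or end-entity certificate template that expires at notAfter.
func template(cn string, ca bool, notAfter time.Time) *x509.Certificate {
	t := &x509.Certificate{Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-2 * time.Hour),
		NotAfter: notAfter, IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue signs tmpl with parentKey; parent == tmpl yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey) *x509.Certificate {
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

func buildTestPKI() *testPKI {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, bridgeKey, agencyKey, eeKey := newKey(), newKey(), newKey(), newKey()
	later, earlier := time.Now().Add(24*time.Hour), time.Now().Add(-time.Hour)
	rootTmpl := template("Example Trust Anchor CA", true, later)
	root := issue(rootTmpl, rootTmpl, rootKey, &rootKey.PublicKey)
	bridge := issue(template("Example Bridge CA", true, later), root, rootKey, &bridgeKey.PublicKey)
	agency := issue(template("Example Agency CA", true, later), bridge, bridgeKey, &agencyKey.PublicKey)
	leaf := issue(template("alice@agency.example", false, later), agency, agencyKey, &eeKey.PublicKey)
	expired := issue(template("bob@agency.example", false, earlier), agency, agencyKey, &eeKey.PublicKey)
	return &testPKI{root, bridge, agency, leaf, expired, agencyKey}
}

// discoverAndValidate runs both PD-VAL phases with crypto/x509: Verify searches the
// intermediate pool for every path from target to the trust anchor (discovery), then checks
// signatures, validity periods, basic constraints and key usage along each one (validation).
// Verify never consults CRLs or OCSP; that is checkRevocation's job.
func discoverAndValidate(target, anchor *x509.Certificate, intermediates ...*x509.Certificate) ([][]*x509.Certificate, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	return target.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
}

// classify reports which PD-VAL phase a Verify error belongs to.
func classify(err error) string {
	var unknown x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "valid"
	case errors.As(err, &unknown):
		return "discovery failed: no path to the trust anchor"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "validation failed: outside validity period"
	}
	return "validation failed: " + err.Error()
}

// issueCRL has the CA sign a CRL listing the given serials (constructed revocation data).
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
	return must(x509.ParseRevocationList(der))
}

// checkRevocation accepts a CRL only if the issuer signed it and it is current, then
// refuses the certificate if its serial is listed.
func checkRevocation(cert, issuer *x509.Certificate, crl *x509.RevocationList) error {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if now := time.Now(); now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return errors.New("CRL is stale: no revocation decision possible")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %s is revoked", cert.SerialNumber)
		}
	}
	return nil
}

func main() {
	p := buildTestPKI()
	_, err := discoverAndValidate(p.leaf, p.root, p.bridge, p.agency)
	fmt.Println("complete path:", classify(err))
	_, err = discoverAndValidate(p.leaf, p.root, p.agency) // bridge cross-certificate withheld
	fmt.Println("cross-certificate missing:", classify(err))
	fmt.Println("revoked:", checkRevocation(p.leaf, p.agency, issueCRL(p.agency, p.agencyKey, p.leaf.SerialNumber)))
}
```

Withholding the bridge cross-certificate makes discovery fail even though every individual certificate is sound, which is exactly the failure mode that caching or fetching cross-certificates is meant to avoid; an expired end-entity certificate fails in the validation phase instead, and a revoked one is caught only by the separate CRL check. A production RP would obtain the CRL from the certificate's CRL distribution point (or use OCSP) rather than constructing it, and would treat a missing or stale CRL as a failure, as checkRevocation does.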

Path Discovery and Validation Testing

To help ensure the quality of certificate path validations in the complex FPKI environment, the FPKI Management Authority (FPKIMA) has been given the responsibility to execute PD-VAL Product Conformance Testing. This conformance testing is applicable for any software product that performs path discovery and/or path validation on X.509 certificates. The tests can be used to ensure a product conforms to the PD-VAL requirements appropriate for the FPKI environment. This conformance testing is a prerequisite for product approval.

The PD-VAL Product Conformance Testing uses the National Institute of Standards and Technology (NIST) Public Key Infrastructure (PKI) test suites, consisting of the path validation testing program and the path discovery testing program.

See the FPKI PD-VAL Product List (PPL).

Documents