1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731
2732
2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750
2751
2752
2753
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767
2768
2769
2770
2771
2772
2773
2774
2775
2776
2777
2778
2779
2780
2781
2782
2783
2784
2785
2786
2787
2788
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
2799
2800
2801
2802
2803
2804
2805
2806
2807
2808
2809
2810
2811
2812
2813
2814
2815
2816
2817
2818
2819
2820
2821
2822
2823
2824
2825
2826
2827
2828
2829
2830
2831
2832
2833
2834
2835
2836
2837
2838
2839
2840
2841
2842
2843
2844
2845
2846
2847
2848
2849
2850
2851
2852
2853
2854
2855
2856
2857
2858
2859
2860
2861
2862
2863
2864
2865
2866
2867
2868
2869
2870
2871
2872
2873
2874
2875
2876
2877
2878
2879
2880
2881
2882
2883
2884
2885
2886
2887
2888
2889
2890
2891
2892
2893
2894
2895
2896
2897
2898
2899
2900
2901
2902
2903
2904
2905
2906
2907
2908
2909
2910
2911
2912
2913
2914
2915
2916
2917
2918
2919
2920
2921
2922
2923
2924
2925
2926
2927
2928
2929
2930
2931
2932
2933
2934
2935
2936
2937
2938
2939
2940
2941
2942
2943
2944
2945
2946
2947
2948
2949
2950
2951
2952
2953
2954
2955
2956
2957
2958
2959
2960
2961
2962
2963
2964
2965
2966
2967
2968
2969
2970
2971
2972
2973
2974
2975
2976
2977
2978
2979
2980
2981
2982
2983
2984
2985
2986
2987
2988
2989
2990
2991
2992
2993
2994
2995
2996
2997
2998
2999
3000
3001
3002
3003
3004
3005
3006
3007
3008
3009
3010
3011
3012
3013
3014
3015
3016
3017
3018
3019
3020
3021
3022
3023
3024
3025
3026
3027
3028
3029
3030
3031
3032
3033
3034
3035
3036
3037
3038
3039
3040
3041
3042
3043
3044
3045
3046
3047
3048
3049
3050
3051
3052
3053
3054
3055
3056
3057
3058
3059
3060
3061
3062
3063
3064
3065
3066
3067
3068
3069
3070
3071
3072
3073
3074
3075
3076
3077
3078
3079
3080
3081
3082
3083
3084
3085
3086
3087
3088
3089
3090
3091
3092
3093
3094
3095
3096
3097
3098
3099
3100
3101
3102
3103
3104
3105
3106
3107
3108
3109
3110
3111
3112
3113
3114
3115
3116
3117
3118
3119
3120
3121
3122
3123
3124
3125
3126
3127
3128
3129
3130
3131
3132
3133
3134
3135
3136
3137
3138
3139
3140
3141
3142
3143
3144
3145
3146
3147
3148
3149
3150
3151
3152
3153
3154
3155
3156
3157
3158
3159
3160
3161
3162
3163
3164
3165
3166
3167
3168
3169
3170
3171
3172
3173
3174
3175
3176
3177
3178
3179
3180
3181
3182
3183
3184
3185
3186
3187
3188
3189
3190
3191
3192
3193
3194
3195
3196
3197
3198
3199
3200
3201
3202
3203
3204
3205
3206
3207
3208
3209
3210
3211
3212
3213
3214
3215
3216
3217
3218
3219
3220
3221
3222
3223
3224
3225
3226
3227
3228
3229
3230
3231
3232
3233
3234
3235
3236
3237
3238
3239
3240
3241
3242
3243
3244
3245
3246
3247
3248
3249
3250
3251
3252
3253
3254
3255
3256
3257
3258
3259
3260
3261
3262
3263
3264
3265
3266
3267
3268
3269
3270
3271
3272
3273
3274
3275
3276
3277
3278
3279
3280
3281
3282
3283
3284
3285
3286
3287
3288
3289
3290
3291
3292
3293
3294
3295
3296
3297
3298
3299
3300
3301
3302
3303
3304
3305
3306
3307
3308
3309
3310
3311
3312
3313
3314
3315
3316
3317
3318
3319
3320
3321
3322
3323
3324
3325
3326
3327
3328
3329
3330
3331
3332
3333
3334
3335
3336
3337
3338
3339
3340
3341
3342
3343
3344
3345
3346
3347
3348
3349
3350
3351
3352
3353
3354
3355
3356
3357
3358
3359
3360
3361
3362
3363
3364
3365
3366
3367
3368
3369
3370
3371
3372
3373
3374
3375
3376
3377
3378
3379
3380
3381
3382
3383
3384
3385
3386
3387
3388
3389
3390
3391
3392
3393
3394
3395
3396
3397
3398
3399
3400
3401
3402
3403
3404
3405
3406
3407
3408
3409
3410
3411
3412
3413
3414
3415
3416
3417
3418
3419
3420
3421
3422
3423
3424
3425
3426
3427
3428
3429
3430
3431
3432
3433
3434
3435
3436
3437
3438
3439
3440
3441
3442
3443
3444
3445
3446
3447
3448
3449
3450
3451
3452
3453
3454
3455
3456
3457
3458
3459
3460
3461
3462
3463
3464
3465
3466
3467
3468
3469
3470
3471
3472
3473
3474
3475
3476
3477
3478
3479
3480
3481
3482
3483
3484
3485
3486
3487
3488
3489
3490
3491
3492
3493
3494
3495
3496
3497
3498
3499
3500
3501
3502
3503
3504
3505
3506
3507
3508
3509
3510
3511
3512
3513
3514
3515
3516
3517
3518
3519
3520
3521
3522
3523
3524
3525
3526
3527
3528
3529
3530
3531
3532
3533
3534
3535
3536
3537
3538
3539
3540
3541
3542
3543
3544
3545
3546
3547
3548
3549
3550
3551
3552
3553
3554
3555
3556
3557
3558
3559
3560
3561
3562
3563
3564
3565
3566
3567
3568
3569
3570
3571
3572
3573
3574
3575
3576
3577
3578
3579
3580
3581
3582
3583
3584
3585
3586
3587
3588
3589
3590
3591
3592
3593
3594
3595
3596
3597
3598
3599
3600
3601
3602
3603
3604
3605
3606
3607
3608
3609
3610
3611
3612
3613
3614
3615
3616
3617
3618
3619
3620
3621
3622
3623
3624
3625
3626
3627
3628
3629
3630
3631
3632
3633
3634
3635
3636
3637
3638
3639
3640
3641
3642
3643
3644
3645
3646
3647
3648
3649
3650
3651
3652
3653
3654
3655
3656
3657
3658
3659
3660
3661
3662
3663
3664
3665
3666
3667
3668
3669
3670
3671
3672
3673
3674
3675
3676
3677
3678
3679
3680
3681
3682
3683
3684
3685
3686
3687
3688
3689
3690
3691
3692
3693
3694
3695
3696
3697
3698
3699
3700
3701
3702
3703
3704
3705
3706
3707
3708
3709
3710
3711
3712
3713
3714
3715
3716
3717
3718
3719
3720
3721
3722
3723
3724
3725
3726
3727
3728
3729
3730
3731
3732
3733
3734
3735
3736
3737
3738
3739
3740
3741
3742
3743
3744
3745
3746
3747
3748
3749
3750
3751
3752
3753
3754
3755
3756
3757
3758
3759
3760
3761
3762
3763
3764
3765
3766
3767
3768
3769
3770
3771
3772
3773
3774
3775
3776
3777
3778
3779
3780
3781
3782
3783
3784
3785
3786
3787
3788
3789
3790
3791
3792
3793
3794
3795
3796
3797
3798
3799
3800
3801
3802
3803
3804
3805
3806
3807
3808
3809
3810
3811
3812
3813
3814
3815
3816
3817
3818
3819
3820
3821
3822
3823
3824
3825
3826
3827
3828
3829
3830
3831
3832
3833
3834
3835
3836
3837
3838
3839
3840
3841
3842
3843
3844
3845
3846
3847
3848
3849
3850
3851
3852
3853
3854
3855
3856
3857
3858
3859
3860
3861
3862
3863
3864
3865
3866
3867
3868
3869
3870
3871
3872
3873
3874
3875
3876
3877
3878
3879
3880
3881
3882
3883
3884
3885
3886
3887
3888
3889
3890
3891
3892
3893
3894
3895
3896
3897
3898
3899
3900
3901
3902
3903
3904
3905
3906
3907
3908
3909
3910
3911
3912
3913
3914
3915
3916
3917
3918
3919
3920
3921
3922
3923
3924
3925
3926
3927
3928
3929
3930
3931
3932
3933
3934
3935
3936
3937
3938
3939
3940
3941
3942
3943
3944
3945
3946
3947
3948
3949
3950
3951
3952
3953
3954
3955
3956
3957
3958
3959
3960
3961
3962
3963
3964
3965
3966
3967
3968
3969
3970
3971
3972
3973
3974
3975
3976
3977
3978
3979
3980
3981
3982
3983
3984
3985
3986
3987
3988
3989
3990
3991
3992
3993
3994
3995
3996
3997
3998
3999
4000
4001
4002
4003
4004
4005
4006
4007
4008
4009
4010
4011
4012
4013
4014
4015
4016
4017
4018
4019
4020
4021
4022
4023
4024
4025
4026
4027
4028
4029
4030
4031
4032
4033
4034
4035
4036
4037
4038
4039
4040
4041
4042
4043
4044
4045
4046
4047
4048
4049
4050
4051
4052
4053
4054
4055
4056
4057
4058
4059
4060
4061
4062
4063
4064
4065
4066
4067
4068
4069
4070
4071
4072
4073
4074
4075
4076
4077
4078
4079
4080
4081
4082
4083
4084
4085
4086
4087
4088
4089
4090
4091
4092
4093
4094
4095
4096
4097
4098
4099
4100
4101
4102
4103
4104
4105
4106
4107
4108
4109
4110
4111
4112
4113
4114
4115
4116
4117
4118
4119
4120
4121
4122
4123
4124
4125
4126
4127
4128
4129
4130
4131
4132
4133
4134
4135
4136
4137
4138
4139
4140
4141
4142
4143
4144
4145
4146
4147
4148
4149
4150
4151
4152
4153
4154
4155
4156
4157
4158
4159
4160
4161
4162
4163
4164
4165
4166
4167
4168
4169
4170
4171
4172
4173
4174
4175
4176
4177
4178
4179
4180
4181
4182
4183
4184
4185
4186
4187
4188
4189
4190
4191
4192
4193
4194
4195
4196
4197
4198
4199
4200
4201
4202
4203
4204
4205
4206
4207
4208
4209
4210
4211
4212
4213
4214
4215
4216
4217
4218
4219
4220
4221
4222
4223
4224
4225
4226
4227
4228
4229
4230
4231
4232
4233
4234
4235
4236
4237
4238
4239
4240
4241
4242
4243
4244
4245
4246
4247
4248
4249
4250
4251
4252
4253
4254
4255
4256
4257
4258
4259
4260
4261
4262
4263
4264
4265
4266
4267
4268
4269
4270
4271
4272
4273
4274
4275
4276
4277
4278
4279
4280
4281
4282
4283
4284
4285
4286
4287
4288
4289
4290
4291
4292
4293
4294
4295
4296
4297
4298
4299
4300
4301
4302
4303
4304
4305
4306
4307
4308
4309
4310
4311
4312
4313
4314
4315
4316
4317
4318
4319
4320
4321
4322
4323
4324
4325
4326
4327
4328
4329
4330
4331
4332
4333
4334
4335
4336
4337
4338
4339
4340
4341
4342
4343
4344
4345
4346
4347
4348
4349
4350
4351
4352
4353
4354
4355
4356
4357
4358
4359
4360
4361
4362
4363
4364
4365
4366
4367
4368
4369
4370
4371
4372
4373
4374
4375
4376
4377
4378
4379
4380
4381
4382
4383
4384
4385
4386
4387
4388
4389
4390
4391
4392
4393
4394
4395
4396
4397
4398
4399
4400
4401
4402
4403
4404
4405
4406
4407
4408
4409
4410
4411
4412
4413
4414
4415
4416
4417
4418
4419
4420
4421
4422
4423
4424
4425
4426
4427
4428
4429
4430
4431
4432
4433
4434
4435
4436
4437
4438
4439
4440
4441
4442
4443
4444
4445
4446
4447
4448
4449
4450
4451
4452
4453
4454
4455
4456
4457
4458
4459
4460
4461
4462
4463
4464
4465
4466
4467
4468
4469
4470
4471
4472
4473
4474
4475
4476
4477
4478
4479
4480
4481
4482
4483
4484
4485
4486
4487
4488
4489
4490
4491
4492
4493
4494
4495
4496
4497
4498
4499
4500
4501
4502
4503
4504
4505
4506
4507
4508
4509
4510
4511
4512
4513
4514
4515
4516
4517
4518
4519
4520
4521
4522
4523
4524
4525
4526
4527
4528
4529
4530
4531
4532
4533
|
<pre>Network Working Group M. Cooper
Request for Comments: 4158 Orion Security Solutions
Category: Informational Y. Dzambasow
A&N Associates
P. Hesse
Gemini Security Solutions
S. Joseph
Van Dyke Technologies
R. Nicholas
BAE Systems
September 2005
<span class="h1">Internet X.509 Public Key Infrastructure:</span>
<span class="h1">Certification Path Building</span>
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document provides guidance and recommendations to developers
building X.509 public-key certification paths within their
applications. By following the guidance and recommendations defined
in this document, an application developer is more likely to develop
a robust X.509 certificate-enabled application that can build valid
certification paths across a wide range of PKI environments.
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-3">3</a>
<a href="#section-1.1">1.1</a>. Motivation .................................................<a href="#page-4">4</a>
<a href="#section-1.2">1.2</a>. Purpose ....................................................<a href="#page-4">4</a>
<a href="#section-1.3">1.3</a>. Terminology ................................................<a href="#page-5">5</a>
<a href="#section-1.4">1.4</a>. Notation ...................................................<a href="#page-8">8</a>
<a href="#section-1.5">1.5</a>. Overview of PKI Structures .................................<a href="#page-8">8</a>
<a href="#section-1.5.1">1.5.1</a>. Hierarchical Structures .............................<a href="#page-8">8</a>
<a href="#section-1.5.2">1.5.2</a>. Mesh Structures ....................................<a href="#page-10">10</a>
<a href="#section-1.5.3">1.5.3</a>. Bi-Lateral Cross-Certified Structures ..............<a href="#page-11">11</a>
<a href="#section-1.5.4">1.5.4</a>. Bridge Structures ..................................<a href="#page-13">13</a>
<a href="#section-1.6">1.6</a>. Bridge Structures and Certification Path Processing .......<a href="#page-14">14</a>
<span class="grey">Cooper, et al. Informational [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
<a href="#section-2">2</a>. Certification Path Building ....................................<a href="#page-15">15</a>
<a href="#section-2.1">2.1</a>. Introduction to Certification Path Building ...............<a href="#page-15">15</a>
<a href="#section-2.2">2.2</a>. Criteria for Path Building ................................<a href="#page-16">16</a>
<a href="#section-2.3">2.3</a>. Path-Building Algorithms ..................................<a href="#page-17">17</a>
<a href="#section-2.4">2.4</a>. How to Build a Certification Path .........................<a href="#page-21">21</a>
<a href="#section-2.4.1">2.4.1</a>. Certificate Repetition .............................<a href="#page-23">23</a>
<a href="#section-2.4.2">2.4.2</a>. Introduction to Path-Building Optimization .........<a href="#page-24">24</a>
2.5. Building Certification Paths for Revocation Signer
Certificates ..............................................<a href="#page-30">30</a>
<a href="#section-2.6">2.6</a>. Suggested Path-Building Software Components ...............<a href="#page-31">31</a>
<a href="#section-2.7">2.7</a>. Inputs to the Path-Building Module ........................<a href="#page-33">33</a>
<a href="#section-2.7.1">2.7.1</a>. Required Inputs ....................................<a href="#page-33">33</a>
<a href="#section-2.7.2">2.7.2</a>. Optional Inputs ....................................<a href="#page-34">34</a>
<a href="#section-3">3</a>. Optimizing Path Building .......................................<a href="#page-35">35</a>
<a href="#section-3.1">3.1</a>. Optimized Path Building ...................................<a href="#page-35">35</a>
<a href="#section-3.2">3.2</a>. Sorting vs. Elimination ...................................<a href="#page-38">38</a>
<a href="#section-3.3">3.3</a>. Representing the Decision Tree ............................<a href="#page-41">41</a>
<a href="#section-3.3.1">3.3.1</a>. Node Representation for CA Entities ................<a href="#page-41">41</a>
<a href="#section-3.3.2">3.3.2</a>. Using Nodes to Iterate Over All Paths ..............<a href="#page-42">42</a>
<a href="#section-3.4">3.4</a>. Implementing Path-Building Optimization ...................<a href="#page-45">45</a>
<a href="#section-3.5">3.5</a>. Selected Methods for Sorting Certificates .................<a href="#page-46">46</a>
<a href="#section-3.5.1">3.5.1</a>. basicConstraints Is Present and cA Equals True .....<a href="#page-47">47</a>
<a href="#section-3.5.2">3.5.2</a>. Recognized Signature Algorithms ....................<a href="#page-48">48</a>
<a href="#section-3.5.3">3.5.3</a>. keyUsage Is Correct ................................<a href="#page-48">48</a>
<a href="#section-3.5.4">3.5.4</a>. Time (T) Falls within the Certificate Validity .....<a href="#page-48">48</a>
<a href="#section-3.5.5">3.5.5</a>. Certificate Was Previously Validated ...............<a href="#page-49">49</a>
<a href="#section-3.5.6">3.5.6</a>. Previously Verified Signatures .....................<a href="#page-49">49</a>
<a href="#section-3.5.7">3.5.7</a>. Path Length Constraints ............................<a href="#page-50">50</a>
<a href="#section-3.5.8">3.5.8</a>. Name Constraints ...................................<a href="#page-50">50</a>
<a href="#section-3.5.9">3.5.9</a>. Certificate Is Not Revoked .........................<a href="#page-51">51</a>
<a href="#section-3.5.10">3.5.10</a>. Issuer Found in the Path Cache ....................<a href="#page-52">52</a>
<a href="#section-3.5.11">3.5.11</a>. Issuer Found in the Application Protocol ..........<a href="#page-52">52</a>
<a href="#section-3.5.12">3.5.12</a>. Matching Key Identifiers (KIDs) ...................<a href="#page-52">52</a>
<a href="#section-3.5.13">3.5.13</a>. Policy Processing .................................<a href="#page-53">53</a>
<a href="#section-3.5.14">3.5.14</a>. Policies Intersect the Sought Policy Set ..........<a href="#page-54">54</a>
<a href="#section-3.5.15">3.5.15</a>. Endpoint Distinguished Name (DN) Matching .........<a href="#page-55">55</a>
<a href="#section-3.5.16">3.5.16</a>. Relative Distinguished Name (RDN) Matching ........<a href="#page-55">55</a>
3.5.17. Certificates are Retrieved from
cACertificate Directory Attribute .................<a href="#page-56">56</a>
<a href="#section-3.5.18">3.5.18</a>. Consistent Public Key and Signature Algorithms ....<a href="#page-56">56</a>
<a href="#section-3.5.19">3.5.19</a>. Similar Issuer and Subject Names ..................<a href="#page-57">57</a>
<a href="#section-3.5.20">3.5.20</a>. Certificates in the Certification Cache ...........<a href="#page-57">57</a>
<a href="#section-3.5.21">3.5.21</a>. Current CRL Found in Local Cache ..................<a href="#page-58">58</a>
3.6. Certificate Sorting Methods for Revocation Signer
Certification Paths .......................................<a href="#page-58">58</a>
<a href="#section-3.6.1">3.6.1</a>. Identical Trust Anchors ............................<a href="#page-58">58</a>
<a href="#section-3.6.2">3.6.2</a>. Endpoint Distinguished Name (DN) Matching ..........<a href="#page-59">59</a>
<a href="#section-3.6.3">3.6.3</a>. Relative Distinguished Name (RDN) Matching .........<a href="#page-59">59</a>
<span class="grey">Cooper, et al. Informational [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
<a href="#section-3.6.4">3.6.4</a>. Identical Intermediate Names .......................<a href="#page-60">60</a>
<a href="#section-4">4</a>. Forward Policy Chaining ........................................<a href="#page-60">60</a>
<a href="#section-4.1">4.1</a>. Simple Intersection .......................................<a href="#page-61">61</a>
<a href="#section-4.2">4.2</a>. Policy Mapping ............................................<a href="#page-62">62</a>
<a href="#section-4.3">4.3</a>. Assigning Scores for Forward Policy Chaining ..............<a href="#page-63">63</a>
<a href="#section-5">5</a>. Avoiding Path-Building Errors ..................................<a href="#page-64">64</a>
<a href="#section-5.1">5.1</a>. Dead Ends .................................................<a href="#page-64">64</a>
<a href="#section-5.2">5.2</a>. Loop Detection ............................................<a href="#page-65">65</a>
<a href="#section-5.3">5.3</a>. Use of Key Identifiers ....................................<a href="#page-66">66</a>
<a href="#section-5.4">5.4</a>. Distinguished Name Encoding ...............................<a href="#page-66">66</a>
<a href="#section-6">6</a>. Retrieval Methods ..............................................<a href="#page-67">67</a>
<a href="#section-6.1">6.1</a>. Directories Using LDAP ....................................<a href="#page-67">67</a>
<a href="#section-6.2">6.2</a>. Certificate Store Access via HTTP .........................<a href="#page-69">69</a>
<a href="#section-6.3">6.3</a>. Authority Information Access ..............................<a href="#page-69">69</a>
<a href="#section-6.4">6.4</a>. Subject Information Access ................................<a href="#page-70">70</a>
<a href="#section-6.5">6.5</a>. CRL Distribution Points ...................................<a href="#page-70">70</a>
<a href="#section-6.6">6.6</a>. Data Obtained via Application Protocol ....................<a href="#page-71">71</a>
<a href="#section-6.7">6.7</a>. Proprietary Mechanisms ....................................<a href="#page-71">71</a>
<a href="#section-7">7</a>. Improving Retrieval Performance ................................<a href="#page-71">71</a>
<a href="#section-7.1">7.1</a>. Caching ...................................................<a href="#page-72">72</a>
<a href="#section-7.2">7.2</a>. Retrieval Order ...........................................<a href="#page-73">73</a>
<a href="#section-7.3">7.3</a>. Parallel Fetching and Prefetching .........................<a href="#page-73">73</a>
<a href="#section-8">8</a>. Security Considerations ........................................<a href="#page-74">74</a>
<a href="#section-8.1">8.1</a>. General Considerations for Building a Certification Path ..74
8.2. Specific Considerations for Building Revocation
Signer Paths ..............................................<a href="#page-75">75</a>
<a href="#section-9">9</a>. Acknowledgements ...............................................<a href="#page-78">78</a>
<a href="#section-10">10</a>. Normative References ..........................................<a href="#page-78">78</a>
<a href="#section-11">11</a>. Informative References ........................................<a href="#page-78">78</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
[<a id="ref-X.509">X.509</a>] public key certificates have become an accepted method for
securely binding the identity of an individual or device to a public
key, in order to support public key cryptographic operations such as
digital signature verification and public key-based encryption.
However, prior to using the public key contained in a certificate, an
application first has to determine the authenticity of that
certificate, and specifically, the validity of all the certificates
leading to a trusted public key, called a trust anchor. Through
validating this certification path, the assertion of the binding made
between the identity and the public key in each of the certificates
can be traced back to a single trust anchor.
The process by which an application determines this authenticity of a
certificate is called certification path processing. Certification
path processing establishes a chain of trust between a trust anchor
and a certificate. This chain of trust is composed of a series of
<span class="grey">Cooper, et al. Informational [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
certificates known as a certification path. A certification path
begins with a certificate whose signature can be verified using a
trust anchor and ends with the target certificate. Path processing
entails building and validating the certification path to determine
whether a target certificate is appropriate for use in a particular
application context. See <a href="./rfc3280#section-3.2">Section 3.2 of [RFC3280]</a> for more
information on certification paths and trust.
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Motivation</span>
Many other documents (such as [<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>]) cover certification path
validation requirements and procedures in detail but do not discuss
certification path building because the means used to find the path
does not affect its validation. This document therefore is an effort
to provide useful guidance for developers of certification path-
building implementations.
Additionally, the need to develop complex certification paths is
increasing. Many PKIs are now using complex structures (see <a href="#section-1.5">Section</a>
<a href="#section-1.5">1.5</a>) rather than simple hierarchies. Additionally, some enterprises
are gradually moving away from trust lists filled with many trust
anchors, and toward an infrastructure with one trust anchor and many
cross-certified relationships. This document provides helpful
information for developing certification paths in these more
complicated situations.
<span class="h3"><a class="selflink" id="section-1.2" href="#section-1.2">1.2</a>. Purpose</span>
This document provides information and guidance for certification
path building. There are no requirements or protocol specifications
in this document. This document provides many options for performing
certification path building, as opposed to just one particular way.
This document draws upon the authors' experiences with existing
complex certification paths to offer insights and recommendations to
developers who are integrating support for [<a href="#ref-X.509">X.509</a>] certificates into
their applications.
In addition, this document suggests using an effective general
approach to path building that involves a depth first tree traversal.
While the authors believe this approach offers the balance of
simplicity in design with very effective and infrastructure-neutral
path-building capabilities, the algorithm is no more than a suggested
approach. Other approaches (e.g., breadth first tree traversals)
exist and may be shown to be more effective under certain conditions.
Certification path validation is described in detail in both [<a href="#ref-X.509">X.509</a>]
and [<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>] and is not repeated in this document.
<span class="grey">Cooper, et al. Informational [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
This document does not provide guidance for building the
certification path from an end entity certificate to a proxy
certificate as described in [<a href="./rfc3820" title=""Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile"">RFC3820</a>].
<span class="h3"><a class="selflink" id="section-1.3" href="#section-1.3">1.3</a>. Terminology</span>
Terms used throughout this document will be used in the following
ways:
Building in the Forward direction: The process of building a
certification path from the target certificate to a trust anchor.
'Forward' is the former name of the crossCertificatePair element
'issuedToThisCA'.
Building in the Reverse direction: The process of building a
certification path from a trust anchor to the target certificate.
'Reverse' is the former name of the crossCertificatePair element
'issuedByThisCA'.
Certificate: A digital binding that cannot be counterfeited between
a named entity and a public key.
Certificate Graph: A graph that represents the entire PKI (or all
cross-certified PKIs) in which all named entities are viewed as
nodes and all certificates are viewed as arcs between nodes.
Certificate Processing System: An application or device that
performs the functions of certification path building and
certification path validation.
Certification Authority (CA): An entity that issues and manages
certificates.
Certification Path: An ordered list of certificates starting with a
certificate signed by a trust anchor and ending with the target
certificate.
Certification Path Building: The process used to assemble the
certification path between the trust anchor and the target
certificate.
Certification Path Validation: The process that verifies the binding
between the subject and the subject-public-key defined in the
target certificate, using a trust anchor and set of known
constraints.
<span class="grey">Cooper, et al. Informational [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
Certificate Revocation List (CRL): A signed, time stamped list
identifying a set of certificates that are no longer considered
valid by the certificate issuer.
CRL Signer Certificate: The specific certificate that may be used for
verifying the signature on a CRL issued by, or on behalf of, a
specific CA.
Cross-Certificate: A certificate issued by one CA to another CA for
the purpose of establishing a trust relationship between the two
CAs.
Cross-Certification: The act of issuing cross-certificates.
Decision Tree: When the path-building software has multiple
certificates to choose from, and must make a decision, the
collection of possible choices is called a decision tree.
Directory: Generally used to refer an LDAP accessible repository for
certificates and PKI information. The term may also be used
generically to refer to any certificate storing repository.
End Entity: The holder of a private key and corresponding
certificate, whose identity is defined as the Subject of the
certificate. Human end entities are often called "subscribers".
Is-revocation-signer indicator: A boolean flag furnished to the
path-building software. If set, this indicates that the target
certificate is a Revocation Signer certificate for a specific CA.
For example, if building a certification path for an indirect CRL
Signer certificate, this flag would be set.
Local PKI: The set of PKI components and data (certificates,
directories, CRLs, etc.) that are created and used by the
certificate using organization. In general, this concept refers
to the components that are in close proximity to the certificate
using application. The assumption is that the local data is more
easily accessible and/or inexpensive to retrieve than non-local
PKI data.
Local Realm: See Local PKI.
Node (in a certificate graph): The collection of certificates having
identical subject distinguished names.
Online Certificate Status Protocol (OCSP): An Internet protocol used
by a client to obtain the revocation status of a certificate from
a server.
<span class="grey">Cooper, et al. Informational [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
OCSP Response Signer Certificate: The specific certificate that may
be used for verifying the signature on an OCSP response. This
response may be provided by the CA, on behalf of the CA, or by a
different signer as determined by the Relying Party's local
policy.
Public Key Infrastructure (PKI): The set of hardware, software,
personnel, policy, and procedures used by a CA to issue and manage
certificates.
Relying Party (RP): An application or entity that processes
certificates for the purpose of 1) verifying a digital signature,
2) authenticating another entity, or 3) establishing confidential
communications.
Revocation Signer Certificate: Refers collectively to either a CRL
Signer Certificate or OCSP Response Signer Certificate.
Target Certificate: The certificate that is to be validated by a
Relying Party. It is the "Certificate targeted for validation".
Although frequently this is the End Entity or a leaf node in the
PKI structure, this could also be a CA certificate if a CA
certificate is being validated. (e.g., This could be for the
purpose of building and validating a certification path for the
signer of a CRL.)
Trust (of public keys): In the scope of this document, a public key
is considered trustworthy if the certificate containing the public
key can be validated according to the procedures in [<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>].
Trust List: A list of trust anchors.
Trust Anchor: The combination of a trusted public key and the name of
the entity to which the corresponding private key belongs.
Trust Anchor Certificate: A self-signed certificate for a trust
anchor that is used in certification path processing.
User: An individual that is using a certificate processing system.
This document refers to some cases in which users may or may not
be prompted with information or requests, depending upon the
implementation of the certificate processing system.
<span class="grey">Cooper, et al. Informational [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
<span class="h3"><a class="selflink" id="section-1.4" href="#section-1.4">1.4</a>. Notation</span>
This document makes use of a few common notations that are used in
the diagrams and examples.
The first is the arrow symbol (->) which represents the issuance of a
certificate from one entity to another. For example, if entity H
were to issue a certificate to entity K, this is denoted as H->K.
Sometimes it is necessary to specify the subject and issuer of a
given certificate. If entity H were to issue a certificate to entity
K this can be denoted as K(H).
These notations can be combined to denote complicated certification
paths such as C(D)->B(C)->A(B).
<span class="h3"><a class="selflink" id="section-1.5" href="#section-1.5">1.5</a>. Overview of PKI Structures</span>
When verifying [<a href="#ref-X.509">X.509</a>] public key certificates, often the application
performing the verification has no knowledge of the underlying Public
Key Infrastructure (PKI) that issued the certificate. PKI structures
can range from very simple, hierarchical structures to complex
structures such as mesh architectures involving multiple bridges (see
<a href="#section-1.5.4">Section 1.5.4</a>). These structures define the types of certification
paths that might be built and validated by an application [<a href="#ref-MINHPKIS" title=""Managing Interoperability in Non-Hierarchical Public Key Infrastructures"">MINHPKIS</a>].
This section describes four common PKI structures.
<span class="h4"><a class="selflink" id="section-1.5.1" href="#section-1.5.1">1.5.1</a>. Hierarchical Structures</span>
A hierarchical PKI, depicted in Figure 1, is one in which all of the
end entities and relying parties use a single "Root CA" as their
trust anchor. If the hierarchy has multiple levels, the Root CA
certifies the public keys of intermediate CAs (also known as
subordinate CAs). These CAs then certify end entities'
(subscribers') public keys or may, in a large PKI, certify other CAs.
In this architecture, certificates are issued in only one direction,
and a CA never certifies another CA "superior" to itself. Typically,
only one superior CA certifies each CA.
<span class="grey">Cooper, et al. Informational [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
+---------+
+---| Root CA |---+
| +---------+ |
| |
| |
v v
+----+ +----+
+-----| CA | +-----| CA |------+
| +----+ | +----+ |
| | |
v v v
+----+ +----+ +----+
+--| CA |-----+ | CA |-+ +---| CA |---+
| +----+ | +----+ | | +----+ |
| | | | | | | |
| | | | | | | |
v v v v v v v v
+----+ +----+ +----+ +----+ +----+ +----+ +----+ +----+
| EE | | EE | | EE | | EE | | EE | | EE | | EE | | EE |
+----+ +----+ +----+ +----+ +----+ +----+ +----+ +----+
Figure 1 - Sample Hierarchical PKI
Certification path building in a hierarchical PKI is a
straightforward process that simply requires the relying party to
successively retrieve issuer certificates until a certificate that
was issued by the trust anchor (the "Root CA" in Figure 1) is
located.
A widely used variation on the single-rooted hierarchical PKI is the
inclusion of multiple CAs as trust anchors. (See Figure 2.) Here,
end entity certificates are validated using the same approach as with
any hierarchical PKI. The difference is that a certificate will be
accepted if it can be verified back to any of the set of trust
anchors. Popular web browsers use this approach, and are shipped
with trust lists containing dozens to more than one hundred CAs.
While this approach simplifies the implementation of a limited form
of certificate verification, it also may introduce certain security
vulnerabilities. For example, the user may have little or no idea of
the policies or operating practices of the various trust anchors, and
may not be aware of which root was used to verify a given
certificate. Additionally, the compromise of any trusted CA private
key or the insertion of a rogue CA certificate to the trust list may
compromise the entire system. Conversely, if the trust list is
properly managed and kept to a reasonable size, it can be an
efficient solution to building and validating certification paths.
<span class="grey">Cooper, et al. Informational [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
+-------------------------------------------------------+
| Trust List |
| |
| +---------+ +---------+ +---------+ |
| +--| Root CA | | Root CA | | Root CA | |
| | +---------+ +---------+ +---------+ |
| | | | | |
+--|------|----------------|---------------- |----------+
| | | |
| | | |
| | v |
| | +----+ |
| | +----| CA |---+ |
| | | +----+ | |
| | | | |
| | v v v
| | +----+ +----+ +----+
| | | CA |---+ | CA |-+ | CA |---+
| | +----+ | +----+ | +----+ |
| | | | | | | |
| | | | | | | |
v v v v v v v v
+----+ +----+ +----+ +----+ +----+ +----+ +----+ +----+
| EE | | EE | | EE | | EE | | EE | | EE | | EE | | EE |
+----+ +----+ +----+ +----+ +----+ +----+ +----+ +----+
Figure 2 - Multi-Rooted Hierarchical PKI
<span class="h4"><a class="selflink" id="section-1.5.2" href="#section-1.5.2">1.5.2</a>. Mesh Structures</span>
In a typical mesh style PKI (depicted in Figure 3), each end entity
trusts the CA that issued their own certificate(s). Thus, there is
no 'Root CA' for the entire PKI. The CAs in this environment have
peer relationships; they are neither superior nor subordinate to one
another. In a mesh, CAs in the PKI cross-certify. That is, each CA
issues a certificate to, and is issued a certificate by, peer CAs in
the PKI. The figure depicts a mesh PKI that is fully cross-certified
(sometimes called a full mesh). However, it is possible to architect
and deploy a mesh PKI with a mixture of uni-directional and bi-
directional cross-certifications (called a partial mesh). Partial
meshes may also include CAs that are not cross-certified with other
CAs in the mesh.
<span class="grey">Cooper, et al. Informational [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
+---------------------------------+
| |
+-----------+----------------------+ |
| v v |
| +-------+ +------+ |
| +--->| CA B |<------------->| CA C |<--+ |
| | +-------+ +------+ | |
| | | ^ ^ | | |
| | v | | | | |
| | +----+ | | | | |
| | | EE | +----+ +--------+ v | |
| | +----+ | | +----+ | |
| | | | | EE | | |
v v v v +----+ v v
+------+ +------+ +------+
| CA E |<----------->| CA A |<----------->| CA D |
+------+ +------+ +------+
| ^ ^ ^ ^ |
| | | | | |
v | +------------------------------------+ | v
+----+ | | +----+
| EE | | +------+ | | EE |
+----+ +----------------| CA F |-----------------+ +----+
+------+
Figure 3 - Mesh PKI
Certification path building in a mesh PKI is more complex than in a
hierarchical PKI due to the likely existence of multiple paths
between a relying party's trust anchor and the certificate to be
verified. These multiple paths increase the potential for creating
"loops", "dead ends", or invalid paths while building the
certification path between a trust anchor and a target certificate.
In addition, in cases where no valid path exists, the total number of
paths traversed by the path-building software in order to conclude
"no path exists" can grow exceedingly large. For example, if
ignoring everything except the structure of the graph, the Mesh PKI
figure above has 22 non-self issued CA certificates and a total of
5,092,429 certification paths between CA F and the EE issued by CA D
without repeating any certificates.
<span class="h4"><a class="selflink" id="section-1.5.3" href="#section-1.5.3">1.5.3</a>. Bi-Lateral Cross-Certified Structures</span>
PKIs can be connected via cross-certification to enable the relying
parties of each to verify and accept certificates issued by the other
PKI. If the PKIs are hierarchical, cross-certification will
typically be accomplished by each Root CA issuing a certificate for
the other PKI's Root CA. This results in a slightly more complex,
<span class="grey">Cooper, et al. Informational [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
but still essentially hierarchical environment. If the PKIs are mesh
style, then a CA within each PKI is selected, more or less
arbitrarily, to establish the cross-certification, effectively
creating a larger mesh PKI. Figure 4 depicts a hybrid situation
resulting from a hierarchical PKI cross-certifying with a mesh PKI.
PKI 1 and 2 cross-certificates
+-------------------------------+
| |
| v
| +---------+
| +----| Root CA |---+
| | +---------+ |
| | PKI 1 |
| v v
| +------+ +------+
v PKI 2 +-| CA |-+ | CA |
+------+ | +------+ | +------+
+------->| CA |<-----+ | | | | |
| +------+ | | | | | |
| | | | v v v v v
| | | | +----+ +----+ +----+ +----+ +----+
| v v | | EE | | EE | | EE | | EE | | EE |
| +----+ +----+ | +----+ +----+ +----+ +----+ +----+
| | EE | | EE | |
| +----+ +----+ |
v v
+------+ +------+
| CA |<-------------->| CA |------+
+------+ +------+ |
| | | | |
| | | | |
v v v v v
+----+ +----+ +----+ +----+ +----+
| EE | | EE | | EE | | EE | | EE |
+----+ +----+ +----+ +----+ +----+
Figure 4 - Hybrid PKI
In current implementations, this situation creates a concern that the
applications used under the hierarchical PKIs will not have path
building capabilities robust enough to handle this more complex
certificate graph. As the number of cross-certified PKIs grows, the
number of the relationships between them grows exponentially. Two
principal concerns about cross-certification are the creation of
unintended certification paths through transitive trust, and the
dilution of assurance when a high-assurance PKI with restrictive
operating policies is cross-certified with a PKI with less
<span class="grey">Cooper, et al. Informational [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
restrictive policies. (Proper name constraints and certificate
policies processing can help mitigate the problem of assurance
dilution.)
<span class="h4"><a class="selflink" id="section-1.5.4" href="#section-1.5.4">1.5.4</a>. Bridge Structures</span>
Another approach to the interconnection of PKIs is the use of a
"bridge" certification authority (BCA). A BCA is a nexus to
establish trust paths among multiple PKIs. The BCA cross-certifies
with one CA in each participating PKI. Each PKI only cross-certifies
with one other CA (i.e., the BCA), and the BCA cross-certifies only
once with each participating PKI. As a result, the number of cross
certified relationships in the bridged environment grows linearly
with the number of PKIs whereas the number of cross-certified
relationships in mesh architectures grows exponentially. However,
when connecting PKIs in this way, the number and variety of PKIs
involved results in a non-hierarchical environment, such as the one
as depicted in Figure 5. (Note: as discussed in <a href="#section-2.3">Section 2.3</a>, non-
hierarchical PKIs can be considered hierarchical, depending upon
perspective.)
<span class="grey">Cooper, et al. Informational [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
PKI 1 cross-certified with Bridge
+-------------------------------+
| |
v v
+-----------+ +---------+
| Bridge CA | +---| Root CA |-----+
+-----------+ | +---------+ |
^ | PKI 1 |
PKI 2 cross|cert with Bridge v v
| +------+ +------+
v PKI 2 +-| CA |-+ | CA |
+------+ | +------+ | +------+
+------->| CA |<-----+ | | | | |
| +------+ | | | | | |
| | | | v v v v v
| | | | +----+ +----+ +----+ +----+ +----+
| v v | | EE | | EE | | EE | | EE | | EE |
| +----+ +----+ | +----+ +----+ +----+ +----+ +----+
| | EE | | EE | |
| +----+ +----+ |
v v
+------+ +------+
| CA |<-------------->| CA |------+
+------+ +------+ |
| | | | |
| | | | |
v v v v v
+----+ +----+ +----+ +----+ +----+
| EE | | EE | | EE | | EE | | EE |
+----+ +----+ +----+ +----+ +----+
Figure 5 - Cross-Certification with a Bridge CA
<span class="h3"><a class="selflink" id="section-1.6" href="#section-1.6">1.6</a>. Bridge Structures and Certification Path Processing</span>
Developers building certificate-enabled applications intended for
widespread use throughout various sectors are encouraged to consider
supporting a Bridge PKI structure because implementation of
certification path processing functions to support a Bridge PKI
structure requires support of all the PKI structures (e.g.,
hierarchical, mesh, hybrid) which the Bridge may connect. An
application that can successfully build valid certification paths in
all Bridge PKIs will therefore have implemented all of the processing
logic required to support the less complicated PKI structures. Thus,
if an application fully supports the Bridge PKI structure, it can be
deployed in any standards-compliant PKI environment and will perform
the required certification path processing properly.
<span class="grey">Cooper, et al. Informational [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Certification Path Building</span>
Certification path building is the process by which the certificate
processing system obtains the certification path between a trust
anchor and the target certificate. Different implementations can
build the certification path in different ways; therefore, it is not
the intent of this document to recommend a single "best" way to
perform this function. Rather, guidance is provided on the technical
issues that surround the path-building process, and on the
capabilities path-building implementations need in order to build
certification paths successfully, irrespective of PKI structures.
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. Introduction to Certification Path Building</span>
A certification path is an ordered list of certificates starting with
a certificate that can be validated by one of the relying party's
trust anchors, and ending with the certificate to be validated. (The
certificate to be validated is referred to as the "target
certificate" throughout this document.) Though not required, as a
matter of convenience these trust anchors are typically stored in
trust anchor certificates. The intermediate certificates that
comprise the certification path may be retrieved by any means
available to the validating application. These sources may include
LDAP, HTTP, SQL, a local cache or certificate store, or as part of
the security protocol itself as is common practice with signed S/MIME
messages and SSL/TLS sessions.
Figure 6 shows an example of a certification path. In this figure,
the horizontal arrows represent certificates, and the notation B(A)
signifies a certificate issued to B, signed by A.
+---------+ +-----+ +-----+ +-----+ +--------+
| Trust |----->| CA |---->| CA |---->| CA |---->| Target |
| Anchor | : | A | : | B | : | C | : | EE |
+---------+ : +-----+ : +-----+ : +-----+ : +--------+
: : : :
: : : :
Cert 1 Cert 2 Cert 3 Cert 4
A(Trust Anchor) B(A) C(B) Target(C)
Figure 6 - Example Certification Path
Unlike certification path validation, certification path building is
not addressed by the standards that define the semantics and
structure of a PKI. This is because the validation of a
certification path is unaffected by the method in which the
certification path was built. However, the ability to build a valid
certification path is of paramount importance for applications that
<span class="grey">Cooper, et al. Informational [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
rely on a PKI. Without valid certification paths, certificates
cannot be validated according to [<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>] and therefore cannot be
trusted. Thus, the ability to build a path is every bit as important
as the ability to validate it properly.
There are many issues that can complicate the path-building process.
For example, building a path through a cross-certified environment
could require the path-building module to traverse multiple PKI
domains spanning multiple directories, using multiple algorithms, and
employing varying key lengths. A path-building client may also need
to manage a number of trust anchors, partially populated directory
entries (e.g., missing issuedToThisCA entries in the
crossCertificatePair attribute), parsing of certain certificate
extensions (e.g., authorityInformationAccess) and directory
attributes (e.g., crossCertificatePair), and error handling such as
loop detection.
In addition, a developer has to decide whether to build paths from a
trust anchor (the reverse direction) to the target certificate or
from the target certificate (the forward direction) to a trust
anchor. Some implementations may even decide to use both. The
choice a developer makes should be dependent on the environment and
the underlying PKI for that environment. More information on making
this choice can be found in <a href="#section-2.3">Section 2.3</a>.
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. Criteria for Path Building</span>
From this point forward, this document will be discussing specific
algorithms and mechanisms to assist developers of certification
path-building implementations. To provide justification for these
mechanisms, it is important to denote what the authors considered the
criteria for a path-building implementation.
Criterion 1: The implementation is able to find all possible paths,
excepting paths containing repeated subject name/public key pairs.
This means that all potentially valid certification paths between the
trust anchor and the target certificate which may be valid paths can
be built by the algorithm. As discussed in <a href="#section-2.4.2">Section 2.4.2</a>, we
recommend that subject names and public key pairs are not repeated in
paths.
Criterion 2: The implementation is as efficient as possible. An
efficient certification path-building implementation is defined to be
one that builds paths that are more likely to validate following
[<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>], before building paths that are not likely to validate,
with the understanding that there is no way to account for all
possible configurations and infrastructures. This criterion is
intended to ensure implementations that can produce useful error
<span class="grey">Cooper, et al. Informational [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
information. If a particular path is entirely valid except for a
single expired certificate, this is most likely the 'right' path. If
other paths are developed that are invalid for multiple obscure
reasons, this provides little useful information.
The algorithms and mechanisms discussed henceforth are chosen because
the authors consider them to be good methods for meeting the above
criteria.
<span class="h3"><a class="selflink" id="section-2.3" href="#section-2.3">2.3</a>. Path-Building Algorithms</span>
It is intuitive for people familiar with the Bridge CA concept or
mesh type PKIs to view path building as traversing a complex graph.
However, from the simplest viewpoint, writing a path-building module
can be nothing more than traversal of a spanning tree, even in a very
complex cross-certified environment. Complex environments as well as
hierarchical PKIs can be represented as trees because certificates
are not permitted to repeat in a path. If certificates could be
repeated, loops can be formed such that the number of paths and
number of certificates in a path both increase without bound (e.g., A
issues to B, B issues to C, and C issues to A). Figure 7 below
illustrates this concept from the trust anchor's perspective.
<span class="grey">Cooper, et al. Informational [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
+---------+ +---------+
| Trust | | Trust |
| Anchor | | Anchor |
+---------+ +---------+
| | | |
v v v v
+---+ +---+ +---+ +---+
| A |<-->| C | +--| A | | C |--+
+---+ +---+ | +---+ +---+ |
| | | | | |
| +---+ | v v v v
+->| B |<-+ +---+ +---+ +---+ +---+
+---+ | B | | C | | A | | B |
| +---+ +---+ +---+ +---+
v | | | |
+----+ v v v v
| EE | +----+ +---+ +---+ +----+
+----+ | EE | | B | | B | | EE |
+----+ +---+ +---+ +----+
A certificate graph with | |
bi-directional cross-cert. v v
between CAs A and C. +----+ +----+
| EE | | EE |
+----+ +----+
The same certificate graph
rendered as a tree - the
way path-building software
could see it.
Figure 7 - Simple Certificate Graph - From Anchor Tree Depiction
When viewed from this perspective, all PKIs look like hierarchies
emanating from the trust anchor. An infrastructure can be depicted
in this way regardless of its complexity. In Figure 8, the same
graph is depicted from the end entity (EE) (the target certificate in
this example). It would appear this way if building in the forward
(from EE or from target) direction. In this example, without knowing
any particulars of the certificates, it appears at first that
building from EE has a smaller decision tree than building from the
trust anchor. While it is true that there are fewer nodes in the
tree, it is not necessarily more efficient in this example.
<span class="grey">Cooper, et al. Informational [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
+---------+ +---------+
| Trust | | Trust |
| Anchor | | Anchor |
+---------+ +---------+
^ ^
| |
| |
+---+ +---+
| A | | C |
+---+ +---+
+---------+ ^ ^ +---------+
| Trust | | | | Trust |
| Anchor | | | | Anchor |
+---------+ | | +---------+
^ | | ^
| +---+ +---+ |
+-------| C | | A |---------+
+---+ +---+
^ ^
| |
| +---+ |
+---------| B |------+
+---+
^
|
|
+----+
| EE |
+----+
The same certificate graph rendered
as a tree but from the end entity
rather than the trust anchor.
Figure 8 - Certificate Graph - From Target Certificate Depiction
Suppose a path-building algorithm performed no optimizations. That
is, the algorithm is only capable of detecting that the current
certificate in the tree was issued by the trust anchor, or that it
issued the target certificate (EE). From the tree above, building
from the target certificate will require going through two
intermediate certificates before encountering a certificate issued by
the trust anchor 100% of the time (e.g., EE chains to B, which then
chains to C, which is issued by the Trust Anchor). The path-building
module would not chain C to A because it can recognize that C has a
certificate issued by the Trust Anchor (TA).
<span class="grey">Cooper, et al. Informational [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
On the other hand, in the first tree (Figure 7: from anchor
depiction), there is a 50% probability of building a path longer than
needed (e.g., TA to A to C to B to EE rather than the shorter TA to A
to B to EE). However, even given our simplistic example, the path-
building software, when at A, could be designed to recognize that B's
subject distinguished name (DN) matches the issuer DN of the EE.
Given this one optimization, the builder could prefer B to C. (B's
subject DN matches that of the EE's issuer whereas C's subject DN
does not.) So, for this example, assuming the issuedByThisCA
(reverse) and issuedToThisCA (forward) elements were fully populated
in the directory and our path-building module implemented the
aforementioned DN matching optimization method, path building from
either the trust anchor or the target certificate could be made
roughly equivalent. A list of possible optimization methods is
provided later in this document.
A more complicated example is created when the path-building software
encounters a situation when there are multiple certificates from
which to choose while building a path. We refer to this as a large
decision tree, or a situation with high fan-out. This might occur if
an implementation has multiple trust anchors to choose from, and is
building in the reverse (from trust anchor) direction. Or, it may
occur in either direction if a Bridge CA is encountered. Large
decision trees are the enemy of efficient path-building software. To
combat this problem, implementations should make careful decisions
about the path-building direction, and should utilize optimizations
such as those discussed in <a href="#section-3.1">Section 3.1</a> when confronted with a large
decision tree.
Irrespective of the path-building approach for any path-building
algorithm, cases can be constructed that make the algorithm perform
poorly. The following questions should help a developer decide from
which direction to build certification paths for their application:
1) What is required to accommodate the local PKI environment and the
PKI environments with which interoperability will be required?
a. If using a directory, is the directory [<a href="./rfc2587" title=""Internet X.509 Public Key Infrastructure LDAPv2 Schema"">RFC2587</a>] compliant
(specifically, are the issuedToThisCA [forward] cross-
certificates and/or the cACertificate attributes fully
populated in the directory)? If yes, you are able to build in
the forward direction.
b. If using a directory, does the directory contain all the
issuedByThisCA (reverse) cross-certificates in the
crossCertificatePair attribute, or, alternately, are all
certificates issued from each CA available via some other
means? If yes, it is possible to build in the reverse
<span class="grey">Cooper, et al. Informational [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
direction. Note: [<a href="./rfc2587" title=""Internet X.509 Public Key Infrastructure LDAPv2 Schema"">RFC2587</a>] does not require the issuedByThisCA
(reverse) cross-certificates to be populated; if they are
absent it will not be possible to build solely in the reverse
direction.
c. Are all issuer certificates available via some means other than
a directory (e.g., the authorityInformationAccess extension is
present and populated in all certificates)? If yes, you are
able to build in the forward direction.
2) How many trust anchors will the path-building and validation
software be using?
a. Are there (or will there be) multiple trust anchors in the
local PKI? If yes, forward path building may offer better
performance.
b. Will the path-building and validation software need to place
trust in trust anchors from PKIs that do not populate reverse
cross-certificates for all intermediate CAs? If no, and the
local PKI populates reverse cross-certificates, reverse path
building is an option.
<span class="h3"><a class="selflink" id="section-2.4" href="#section-2.4">2.4</a>. How to Build a Certification Path</span>
As was discussed in the prior section, path building is essentially a
tree traversal. It was easy to see how this is true in a simple
example, but how about a more complicated one? Before taking a look
at more a complicated scenario, it is worthwhile to address loops and
what constitutes a loop in a certification path. [<a href="#ref-X.509">X.509</a>] specifies
that the same certificate may not repeat in a path. In a strict
sense, this works well as it is not possible to create an endless
loop without repeating one or more certificates in the path.
However, this requirement fails to adequately address Bridged PKI
environments.
<span class="grey">Cooper, et al. Informational [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
+---+ +---+
| F |--->| H |
+---+ +---+
^ ^ ^
| \ \
| \ \
| v v
| +---+ +---+
| | G |--->| I |
| +---+ +---+
| ^
| /
| /
+------+ +-----------+ +------+ +---+ +---+
| TA W |<----->| Bridge CA |<------>| TA X |-->| L |-->| M |
+------+ +-----------+ +------+ +---+ +---+
^ ^ \ \
/ \ \ \
/ \ \ \
v v v v
+------+ +------+ +---+ +---+
| TA Y | | TA Z | | J | | N |
+------+ +------+ +---+ +---+
/ \ / \ | |
/ \ / \ | |
/ \ / \ v v
v v v v +---+ +----+
+---+ +---+ +---+ +---+ | K | | EE |
| A |<--->| C | | O | | P | +---+ +----+
+---+ +---+ +---+ +---+
\ / / \ \
\ / / \ \
\ / v v v
v v +---+ +---+ +---+
+---+ | Q | | R | | S |
| B | +---+ +---+ +---+
+---+ |
/\ |
/ \ |
v v v
+---+ +---+ +---+
| E | | D | | T |
+---+ +---+ +---+
Figure 9 - Four Bridged PKIs
<span class="grey">Cooper, et al. Informational [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
Figure 9 depicts four root certification authorities cross-certified
with a Bridge CA (BCA). While multiple trust anchors are shown in
the Figure, our examples all consider TA Z as the trust anchor. The
other trust anchors serve different relying parties. By building
certification paths through the BCA, trust can be extended across the
four infrastructures. In Figure 9, the BCA has four certificates
issued to it; one issued from each of the trust anchors in the graph.
If stored in the BCA directory system, the four certificates issued
to the BCA would be stored in the issuedToThisCA (forward) entry of
four different crossCertificatePair structures. The BCA also has
issued four certificates, one to each of the trust anchors. If
stored in the BCA directory system, those certificates would be
stored in the issuedByThisCA (reverse) entry of the same four
crossCertificatePair structures. (Note that the cross-certificates
are stored as matched pairs in the crossCertificatePair attribute.
For example, a crossCertificatePair structure might contain both A(B)
and B(A), but not contain A(C) and B(A).) The four
crossCertificatePair structures would then be stored in the BCA's
directory entry in the crossCertificatePair attribute.
<span class="h4"><a class="selflink" id="section-2.4.1" href="#section-2.4.1">2.4.1</a>. Certificate Repetition</span>
[<a id="ref-X.509">X.509</a>] requires that certificates are not repeated when building
paths. For instance, from the figure above, do not build the path TA
Z->BCA->Y->A->C->A->C->B->D. Not only is the repetition unnecessary
to build the path from Z to D, but it also requires the reuse of a
certificate (the one issued from C to A), which makes the path non-
compliant with [<a href="#ref-X.509">X.509</a>].
What about the following path from TA Z to EE?
TA Z->BCA->Y->BCA->W->BCA->X->L->N->EE
Unlike the first example, this path does not require a developer to
repeat any certificates; therefore, it is compliant with [<a href="#ref-X.509">X.509</a>].
Each of the BCA certificates is issued from a different source and is
therefore a different certificate. Suppose now that the bottom left
PKI (in Figure 9) had double arrows between Y and C, as well as
between Y and A. The following path could then be built:
TA Z->BCA->Y->A->C->Y->BCA->W->BCA->X->L->N->EE
A path such as this could become arbitrarily complex and traverse
every cross-certified CA in every PKI in a cross-certified
environment while still remaining compliant with [<a href="#ref-X.509">X.509</a>]. As a
practical matter, the path above is not something an application
would typically want or need to build for a variety of reasons:
<span class="grey">Cooper, et al. Informational [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
- First, certification paths like the example above are generally
not intended by the PKI designers and should not be necessary in
order to validate any given certificate. If a convoluted path
such as the example above is required (there is no corresponding
simple path) in order to validate a given certificate, this is
most likely indicative of a flaw in the PKI design.
- Second, the longer a path becomes, the greater the potential
dilution of trust in the certification path. That is, with each
successive link in the infrastructure (i.e., certification by
CAs and cross-certification between CAs) some amount of
assurance may be considered lost.
- Third, the longer and more complicated a path, the less likely
it is to validate because of basic constraints, policies or
policy constraints, name constraints, CRL availability, or even
revocation.
- Lastly, and certainly not least important from a developer's or
user's perspective, is performance. Allowing paths like the one
above dramatically increases the number of possible paths for
every certificate in a mesh or cross-certified environment.
Every path built may require one or more of the following:
validation of certificate properties, CPU intensive signature
validations, CRL retrievals, increased network load, and local
memory caching. Eliminating the superfluous paths can greatly
improve performance, especially in the case where no path
exists.
There is a special case involving certificates with the same
distinguished names but differing encodings required by [<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>].
This case should not be considered a repeated certificate. See
<a href="#section-5.4">Section 5.4</a> for more information.
<span class="h4"><a class="selflink" id="section-2.4.2" href="#section-2.4.2">2.4.2</a>. Introduction to Path-Building Optimization</span>
How can these superfluous paths be eliminated? Rather than only
disallowing identical certificates from repeating, it is recommended
that a developer disallow the same public key and subject name pair
from being repeated. For maximum flexibility, the subject name
should collectively include any subject alternative names. Using
this approach, all of the intended and needed paths should be
available, and the excess and diluted paths should be eliminated.
For example, using this approach, only one path exists from the TA Z
to EE in the diagram above: TA Z->BCA->X->L->N->EE.
<span class="grey">Cooper, et al. Informational [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
Given the simplifying rule of not repeating pairs of subject names
(including subject alternative names) and public keys, and only using
certificates found in the cACertificate and forward (issuedToThisCA)
element of the crossCertificatePair attributes, Figure 10 depicts the
forward path-building decision tree from the EE to all reachable
nodes in the graph. This is the ideal graph for a path builder
attempting to build a path from TA Z to EE.
+------+ +-----------+ +------+ +---+
| TA W |<------| Bridge CA |<-------| TA X |<--| L |
+------+ +-----------+ +------+ +---+
/ \ ^
/ \ \
/ \ \
v v \
+------+ +------+ +---+
| TA Y | | TA Z | | N |
+------+ +------+ +---+
^
\
\
+----+
| EE |
+----+
Figure 10 - Forward (From Entity) Decision Tree
It is not possible to build forward direction paths into the
infrastructures behind CAs W, Y, and Z, because W, Y, and Z have not
been issued certificates by their subordinate CAs. (The subordinate
CAs are F and G, A and C, and O and P, respectively.) If simplicity
and speed are desirable, the graph in Figure 10 is a very appealing
way to structure the path-building algorithm. Finding a path from
the EE to one of the four trust anchors is reasonably simple.
Alternately, a developer could choose to build in the opposite
direction, using the reverse cross-certificates from any one of the
four trust anchors around the BCA. The graph in Figure 11 depicts
all possible paths as a tree emanating from TA Z. (Note: it is not
recommended that implementations attempt to determine all possible
paths, this would require retrieval and storage of all PKI data
including certificates and CRLs! This example is provided to
demonstrate the complexity which might be encountered.)
<span class="grey">Cooper, et al. Informational [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
+---+ +---+
| I |--->| H |
+---+ +---+
^
| +---+ +---+
| | H |--->| I |
| +---+ +---+
+---+ ^
| G | / +---+ +---+ +---+
+---+ / | F |--->| H |--->| I |
^ / +---+ +---+ +---+
\ / ^
\/ /
+---+ +---+ +---+ +---+ +---+
| F | | G |--->| I |--->| H | | M |
+---+ +---+ +---+ +---+ +---+
^ ^ ^
| / |
+------+ +-----------+ +------+ +---+
| TA W |<------| Bridge CA |-------->| TA X |-->| L |
+------+ +-----------+ +------+ +---+
/ ^ \ \
v \ v v
+------+ +------+ +---+ +---+
| TA Y | | TA Z | | J | | N |
+------+ +------+ +---+ +---+
/ \ / \ \ \
v v v v v v
+---+ +---+ +---+ +---+ +---+ +----+
| A | | C | | O | | P | | K | | EE |
+---+ +---+ +---+ +---+ +---+ +----+
/ \ / \ / \ \
v v v v v v v
+---+ +---+ +---+ +---+ +---+ +---+ +---+
| B | | C | | A | | B | | Q | | R | | S |
+---+ +---+ +---+ +---+ +---+ +---+ +---+
/ \ \ \ \ \ \
v v v v v v v
+---+ +---+ +---+ +---+ +---+ +---+ +---+
| E | | D | | B | | B | | E | | D | | T |
+---+ +---+ +---+ +---+ +---+ +---+ +---+
/ | | \
v v v v
+---+ +---+ +---+ +---+
| E | | D | | E | | D |
+---+ +---+ +---+ +---+
Figure 11 - Reverse (From Anchor) Decision Tree
<span class="grey">Cooper, et al. Informational [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
Given the relative complexity of this decision tree, it becomes clear
that making the right choices while navigating the tree can make a
large difference in how quickly a valid path is returned. The path-
building software could potentially traverse the entire graph before
choosing the shortest path: TA Z->BCA->X->L->N->EE. With a decision
tree like the one above, the basic depth first traversal approach
introduces obvious inefficiencies in the path-building process. To
compensate for this, a path-building module needs to decide not only
in which direction to traverse the tree, but also which branches of
the tree are more likely to yield a valid path.
The path-building algorithm then ideally becomes a tree traversal
algorithm with weights or priorities assigned to each branch point to
guide the decision making. If properly designed, such an approach
would effectively yield the "best path first" more often than not.
(The terminology "best path first" is quoted because the definition
of the "best" path may differ from PKI to PKI. That is ultimately to
be determined by the developer, not by this document.) Finding the
"best path first" is an effort to make the implementation efficient,
which is one of our criteria as stated in <a href="#section-2.2">Section 2.2</a>.
So how would a developer go about finding the best path first? Given
the simplifying idea of addressing path building as a tree traversal,
path building could be structured as a depth first search. A simple
example of depth first tree traversal path building is depicted in
Figure 12, with no preference given to sort order.
Note: The arrows in the lower portion of the figure do not indicate
the direction of certificate issuance; they indicate the direction of
the tree traversal from the target certificate (EE).
<span class="grey">Cooper, et al. Informational [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
+----+ +----+ +----+
| TA | | TA | | TA |
+----+ +----+ +----+
/ \ ^ ^
/ \ | |
v v +---+ +---+
+---+ +---+ | A | | C |
| A |<->| C | +---+ +---+
+---+ +---+ ^ ^
^ ^ +----+ | | +----+
\ / | TA | | | | TA |
v v +----+ | | +----+
+---+ ^ | | ^
| B | \ | | /
+---+ \ | | /
/ \ +---+ +---+
/ \ | C | | A |
v v +---+ +---+
+---+ +---+ ^ ^
| E | | D | | /
+---+ +---+ | /
+---+
Infrastructure | B |
+---+
^
|
+----+
| EE |
+----+
The Same Infrastructure
Represented as a Tree
<span class="grey">Cooper, et al. Informational [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
+----+ +----+
| TA | | TA |
+----+ +----+
^ ^
| |
+---+ +---+
| A | | C |
+---+ +---+
+----+ ^ ^ +----+
| TA | | | | TA |
+----+ | | +----+
^ | | ^
\ | | /
+---+ +---+ +---+ +---+
| C | | C | | A | | A |
+---+ +---+ +---+ +---+
^ ^ ^ ^
| | / /
| | / /
+---+ +---+ +---+ +---+
| B | | B | | B | | B |
+---+ +---+ +---+ +---+
^ ^ ^ ^
| | | |
| | | |
+----+ +----+ +----+ +----+
| EE | | EE | | EE | | EE |
+----+ +----+ +----+ +----+
All possible paths from EE to TA
using a depth first decision tree traversal
Figure 12 - Path Building Using a Depth First Tree Traversal
Figure 12 illustrates that four possible paths exist for this
example. Suppose that the last path (TA->A->B->EE) is the only path
that will validate. This could be for any combination of reasons
such as name constraints, policy processing, validity periods, or
path length constraints. The goal of an efficient path-building
component is to select the fourth path first by testing properties of
the certificates as the tree is traversed. For example, when the
path-building software is at entity B in the graph, it should examine
both choices A and C to determine which certificate is the most
likely best choice. An efficient module would conclude that A is the
more likely correct path. Then, at A, the module compares
terminating the path at TA, or moving to C. Again, an efficient
module will make the better choice (TA) and thereby find the "best
path first".
<span class="grey">Cooper, et al. Informational [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
What if the choice between CA certificates is not binary as it was in
the previous example? What if the path-building software encounters
a branch point with some arbitrary number of CA certificates thereby
creating the same arbitrary number of tree branches? (This would be
typical in a mesh style PKI CA, or at a Bridge CA directory entry, as
each will have multiple certificates issued to itself from other
CAs.) This situation actually does not change the algorithm at all,
if it is structured properly. In our example, rather than treating
each decision as binary (i.e., choosing A or C), the path-building
software should sort all the available possibilities at any given
branch point, and then select the best choice from the list. In the
event the path could not be built through the first choice, then the
second choice should be tried next upon traversing back to that point
in the tree. Continue following this pattern until a path is found
or all CA nodes in the tree have been traversed. Note that the
certificates at any given point in the tree should only be sorted at
the time a decision is first made. Specifically, in the example, the
sorting of A and C is done when the algorithm reached B. There is no
memory resident representation of the entire tree. Just like any
other recursive depth first search algorithm, the only information
the algorithm needs to keep track of is what nodes (entities) in the
tree lie behind it on the current path, and for each of those nodes,
which arcs (certificates) have already been tried.
<span class="h3"><a class="selflink" id="section-2.5" href="#section-2.5">2.5</a>. Building Certification Paths for Revocation Signer Certificates</span>
Special consideration is given to building a certification path for
the Revocation Signer certificate because it may or may not be the
same as the Certification Authority certificate. For example, after
a CA performs a key rollover, the new CA certificate will be the CRL
Signer certificate, whereas the old CA certificate is the
Certification Authority certificate for previously issued
certificates. In the case of indirect CRLs, the CRL Signer
certificate will contain a different name and key than the
Certification Authority certificate. In the case of OCSP, the
Revocation Signer certificate may represent an OCSP Responder that is
not the same entity as the Certification Authority.
When the Revocation Signer certificate and the Certification
Authority certificate are identical, no additional consideration is
required from a certification path-building standpoint. That is, the
certification path built (and validated) for the Certification
Authority certificate can also be used as the certification path for
the Revocation Signer certificate. In this case, the signature on
the revocation data (e.g., CRL or OCSP response) is verified using
the same certificate, and no other certification path building is
required. An efficient certification path validation algorithm
should first try all possible CRLs issued by the Certification
<span class="grey">Cooper, et al. Informational [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
Authority to determine if any of the CRLs (a) cover the certificate
in question, (b) are current, and (c) are signed using the same key
used to sign the certificate.
When the Revocation Signer certificate is not identical to the
Certification Authority certificate, a certification path must be
built (and validated) for the Revocation Signer certificate. In
general, the certification path-building software may build the path
as it would for any other certificate. However, this document also
outlines methods in later sections for greatly improving path
building efficiency for Revocation Signer certificate case.
<span class="h3"><a class="selflink" id="section-2.6" href="#section-2.6">2.6</a>. Suggested Path-Building Software Components</span>
There is no single way to define an interface to a path-building
module. It is not the intent of this document to prescribe a
particular method or semantic; rather, it is up to the implementer to
decide. There are many ways this could be done. For example, a
path-building module could build every conceivable path and return
the entire list to the caller. Or, the module could build until it
finds just one that validates and then terminate the procedure. Or,
it could build paths in an iterative fashion, depending on validation
outside of the builder and successive calls to the builder to get
more paths until one valid path is found or all possible paths have
been found. All of these are possible approaches, and each of these
may offer different benefits to a particular environment or
application.
Regardless of semantics, a path-building module needs to contain the
following components:
1) The logic for building and traversing the certificate graph.
2) Logic for retrieving the necessary certificates (and CRLs and/or
other revocation status information if the path is to be
validated) from the available source(s).
Assuming a more efficient and agile path-building module is desired,
the following is a good starting point and will tie into the
remainder of this document. For a path-building module to take full
advantage of all the suggested optimizations listed in this document,
it will need all of the components listed below.
1) A local certificate and CRL cache.
a. This may be used by all certificate-using components; it does
not need to be specific to the path-building software. A local
cache could be memory resident, stored in an operating system
<span class="grey">Cooper, et al. Informational [Page 31]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-32" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
or application certificate store, stored in a database, or even
stored in individual files on the hard disk. While the
implementation of this cache is beyond the scope of this
document, some design considerations are listed below.
2) The logic for building and traversing the certificate graph/tree.
a. This performs sorting functionality for prioritizing
certificates (thereby optimizing path building) while
traversing the tree.
b. There is no need to build a complete graph prior to commencing
path building. Since path building can be implemented as a
depth first tree traversal, the path builder only needs to
store the current location in the tree along with the points
traversed to the current location. All completed branches can
be discarded from memory and future branches are discovered as
the tree is traversed.
3) Logic for retrieving the necessary certificates from the available
certificate source(s):
a. Local cache.
i. Be able to retrieve all certificates for an entity by
subject name, as well as individual certificates by
issuer and serial number tuple.
ii. Tracking which directory attribute (including
issuedToThisCA <forward> and issuedByThisCA <reverse>
for split crossCertificatePair attributes) each
certificate was found in may be useful. This allows for
functionality such as retrieving only forward cross-
certificates, etc.
iii. A "freshness" timestamp (cache expiry time) can be used
to determine when the directory should be searched
again.
b. LDAPv3 directory for certificates and CRLs.
i. Consider supporting multiple directories for general
queries.
ii. Consider supporting dynamic LDAP connections for
retrieving CRLs using an LDAP URI [<a href="./rfc3986" title=""Uniform Resource Identifier (URI): Generic Syntax"">RFC3986</a>] in the CRL
distribution point certificate extension.
<span class="grey">Cooper, et al. Informational [Page 32]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-33" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
iii. Support LDAP referrals. This is typically only a matter
of activating the appropriate flag in the LDAP API.
c. HTTP support for CRL distribution points and authority
information access (AIA) support.
i. Consider HTTPS support, but be aware that this may create
an unbounded recursion when the implementation tries to
build a certification path for the server's certificate if
this in turn requires an additional HTTPS lookup.
4) A certification path cache that stores previously validated
relationships between certificates. This cache should include:
a. A configurable expiration date for each entry. This date can
be configured based upon factors such as the expiry of the
information used to determine the validity of an entry,
bandwidth, assurance level, storage space, etc.
b. Support to store previously verified issuer certificate to
subject certificate relationships.
i. Since the issuer DN and serial number tuple uniquely
identifies a certificate, a pair of these tuples (one for
both the issuer and subject) is an effective method of
storing this relationship.
c. Support for storing "known bad" paths and certificates. Once a
certificate is determined to be invalid, implementations can
decide not to retry path development and validation.
<span class="h3"><a class="selflink" id="section-2.7" href="#section-2.7">2.7</a>. Inputs to the Path-Building Module</span>
[<a id="ref-X.509">X.509</a>] specifically addresses the list of inputs required for path
validation but makes no specific suggestions concerning useful inputs
to path building. However, given that the goal of path building is
to find certification paths that will validate, it follows that the
same inputs used for validation could be used to optimize path
building.
<span class="h4"><a class="selflink" id="section-2.7.1" href="#section-2.7.1">2.7.1</a>. Required Inputs</span>
Setting aside configuration information such as repository or cache
locations, the following are required inputs to the certification
path-building process:
1) The Target Certificate: The certificate that is to be validated.
This is one endpoint for the path. (It is also possible to
<span class="grey">Cooper, et al. Informational [Page 33]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-34" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
provide information used to retrieve a certificate for a target,
rather than the certificate itself.)
2) Trust List: This is the other endpoint of the path, and can
consist of either:
a. Trusted CA certificates
b. Trusted keys and DNs; a certificate is not necessarily required
<span class="h4"><a class="selflink" id="section-2.7.2" href="#section-2.7.2">2.7.2</a>. Optional Inputs</span>
In addition to the inputs listed in <a href="#section-2.7.1">Section 2.7.1</a>, the following
optional inputs can also be useful for optimizing path building.
However, if the path-building software takes advantage of all of the
optimization methods described later in this document, all of the
following optional inputs will be required.
1) Time (T): The time for which the certificate is to be validated
(e.g., if validating a historical signature from one year ago, T
is needed to build a valid path)
a. If not included as an input, the path-building software should
always build for T equal to the current system time.
2) Initial-inhibit-policy-mapping indicator
3) Initial-require-explicit-policy indicator
4) Initial-any-policy-inhibit indicator
5) Initial user acceptable policy set
6) Error handlers (call backs or virtual classes)
7) Handlers for custom certificate extensions
8) Is-revocation-provider indicator
a. IMPORTANT: When building a certification path for an OCSP
Responder certificate specified as part of the local
configuration, this flag should not be set. It is set when
building a certification path for a CRL Signer certificate or
for an OCSP Responder Signer certificate discovered using the
information asserted in an authorityInformationAccess
certificate extension.
<span class="grey">Cooper, et al. Informational [Page 34]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-35" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
9) The complete certification path for the Certification Authority
(if Is-revocation-provider is set)
10) Collection of certificates that may be useful in building the
path
11) Collection of certificate revocation lists and/or other
revocation data
The last two items are a matter of convenience. Alternately,
certificates and revocation information could be placed in a local
cache accessible to the path-building module prior to attempting to
build a path.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Optimizing Path Building</span>
This section recommends methods for optimizing path-building
processes.
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. Optimized Path Building</span>
Path building can be optimized by sorting the certificates at every
decision point (at every node in the tree) and then selecting the
most promising certificate not yet selected as described in <a href="#section-2.4.2">Section</a>
<a href="#section-2.4.2">2.4.2</a>. This process continues until the path terminates. This is
roughly equivalent to the concept of creating a weighted edge tree,
where the edges are represented by certificates and nodes represent
subject DNs. However, unlike the weighted edge graph concept, a
certification path builder need not have the entire graph available
in order to function efficiently. In addition, the path builder can
be stateless with respect to nodes of the graph not present in the
current path, so the working data set can be relatively small.
The concept of statelessness with respect to nodes not in the current
path is instrumental to using the sorting optimizations listed in
this document. Initially, it may seem that sorting a given group of
certificates for a CA once and then preserving that sorted order for
later use would be an efficient way to write the path builder.
However, maintaining this state can quickly eliminate the efficiency
that sorting provides. Consider the following diagram:
<span class="grey">Cooper, et al. Informational [Page 35]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-36" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
+---+
| R |
+---+
^
/
v
+---+ +---+ +---+ +---+ +----+
| A |<----->| E |<---->| D |--->| Z |--->| EE |
+---+ +---+ +---+ +---+ +----+
^ ^ ^ ^
\ / \ /
\ / \ /
v v v v
+---+ +---+
| B |<----->| C |
+---+ +---+
Figure 13 - Example of Path-Building Optimization
In this example, the path builder is building in the forward (from
target) direction for a path between R and EE. The path builder has
also opted to allow subject name and key to repeat. (This will allow
multiple traversals through any of the cross-certified CAs, creating
enough complexity in this small example to illustrate proper state
maintenance. Note that a similarly complex example could be designed
by using multiple keys for each entity and prohibiting repetition.)
The first step is simple; the builder builds the path Z(D)->EE(Z).
Next the builder adds D and faces a decision between two
certificates. (Choose between D(C) or D(E)). The builder now sorts
the two choices in order of priority. The sorting is partially based
upon what is currently in the path.
Suppose the order the builder selects is [D(E), D(C)]. The current
path is now D(E)->Z(D)->EE(Z). Currently the builder has three nodes
in the graph (EE, Z, and D) and should maintain the state, including
sort order of the certificates at D, when adding the next node, E.
When E is added, the builder now has four certificates to sort: E(A),
E(B), E(C), and E(D). In this case, the example builder opts for the
order [E(C), E(B), E(A), E(D)]. The current path is now E(C)->D(E)->
Z(D)->EE(Z) and the path has four nodes; EE, Z, D, and E.
Upon adding the fifth node, C, the builder sorts the certificates
(C(B), C(D), and C(E)) at C, and selects C(E). The path is now
C(E)->E(C)->D(E)->Z(D)->EE(Z) and the path has five nodes: EE, Z, D,
E, and C.
<span class="grey">Cooper, et al. Informational [Page 36]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-37" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
Now the builder finds itself back at node E with four certificates.
If the builder were to use the prior sort order from the first
encounter with E, it would have [E(C), E(B), E(A), E(D)]. In the
current path's context, this ordering may be inappropriate. To begin
with, the certificate E(C) is already in the path so it certainly
does not deserve first place.
The best way to handle this situation is for the path builder to
handle this instance of E as a new (sixth) node in the tree. In
other words, there is no state information for this new instance of E
- it is treated just as any other new node. The certificates at the
new node are sorted based upon the current path content and the first
certificate is then selected. For example, the builder may examine
E(B) and note that it contains a name constraint prohibiting "C". At
this point in the decision tree, E(B) could not be added to the path
and produce a valid result since "C" is already in the path. As a
result, the certificate E(B) should placed at the bottom of the
prioritized list.
Alternatively, E(B) could be eliminated from this new node in the
tree. It is very important to see that this certificate is
eliminated only at this node and only for the current path. If path
building fails through C and traverses back up the tree to the first
instance of E, E(B) could still produce a valid path that does not
include C; specifically R->A->B->E->D->Z->EE. Thus the state at any
node should not alter the state of previous or subsequent nodes.
(Except for prioritizing certificates in the subsequent nodes.)
In this example, the builder should also note that E(C) is already in
the path and should make it last or eliminate it from this node since
certificates cannot be repeated in a path.
If the builder eliminates both certificates E(B) and E(C) at this
node, it is now only left to select between E(A) and E(D). Now the
path has six nodes: EE, Z, D, E(1), C, and E(2). E(1) has four
certificates, and E(2) has two, which the builder sorts to yield
[E(A), E(D)]. The current path is now E(A)->C(E)->E(C)->D(E)->
Z(D)->EE(Z). A(R) will be found when the seventh node is added to
the path and the path terminated because one of the trust anchors has
been found.
In the event the first path fails to validate, the path builder will
still have the seven nodes and associated state information to work
with. On the next iteration, the path builder is able to traverse
back up the tree to a working decision point, such as A, and select
the next certificate in the sorted list at A. In this example, that
would be A(B). (A(R) has already been tested.) This would dead end,
and the builder traverse back up to the next decision point, E(2)
<span class="grey">Cooper, et al. Informational [Page 37]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-38" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
where it would try D(E). This process repeats until the traversal
backs all the way up to EE or a valid path is found. If the tree
traversal returns to EE, all possible paths have been exhausted and
the builder can conclude no valid path exists.
This approach of sorting certificates in order to optimize path
building will yield better results than not optimizing the tree
traversal. However, the path-building process can be further
streamlined by eliminating certificates, and entire branches of the
tree as a result, as paths are built.
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. Sorting vs. Elimination</span>
Consider a situation when building a path in which three CA
certificates are found for a given target certificate and must be
prioritized. When the certificates are examined, as in the previous
example, one of the three has a name constraint present that will
invalidate the path built thus far. When sorting the three
certificates, that one would certainly go to the back of the line.
However, the path-building software could decide that this condition
eliminates the certificate from consideration at this point in the
graph, thereby reducing the number of certificate choices by 33% at
this point.
NOTE: It is important to understand that the elimination of a
certificate only applies to a single decision point during the tree
traversal. The same certificate may appear again at another point in
the tree; at that point it may or may not be eliminated. The
previous section details an example of this behavior.
Elimination of certificates could potentially eliminate the traversal
of a large, time-consuming infrastructure that will never lead to a
valid path. The question of whether to sort or eliminate is one that
pits the flexibility of the software interface against efficiency.
To be clear, if one eliminates invalid paths as they are built,
returning only likely valid paths, the end result will be an
efficient path-building module. The drawback to this is that unless
the software makes allowances for it, the calling application will
not be able to see what went wrong. The user may only see the
unrevealing error message: "No certification path found."
On the other hand, the path-building module could opt to not rule out
any certification paths. The path-building software could then
return any and all paths it can build from the certificate graph. It
is then up to the validation engine to determine which are valid and
which are invalid. The user or calling application can then have
complete details on why each and every path fails to validate. The
<span class="grey">Cooper, et al. Informational [Page 38]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-39" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
drawback is obviously one of performance, as an application or end
user may wait for an extended period of time while cross-certified
PKIs are navigated in order to build paths that will never validate.
Neither option is a very desirable approach. One option provides
good performance for users, which is beneficial. The other option
though allows administrators to diagnose problems with the PKI,
directory, or software. Below are some recommendations to reach a
middle ground on this issue.
First, developers are strongly encouraged to output detailed log
information from the path-building software. The log should
explicitly indicate every choice the builder makes and why. It
should clearly identify which certificates are found and used at each
step in building the path. If care is taken to produce a useful log,
PKI administrators and help desk personnel will have ample
information to diagnose a problem with the PKI. Ideally, there would
be a mechanism for turning this logging on and off, so that it is not
running all the time. Additionally, it is recommended that the log
contain information so that a developer or tester can recreate the
paths tried by the path-building software, to assist with diagnostics
and testing.
Secondly, it is desirable to return something useful to the user.
The easiest approach is probably to implement a "dual mode" path-
building module. In the first mode [mode 1], the software eliminates
any and all paths that will not validate, making it very efficient.
In the second mode [mode 2], all the sorting methods are still
applied, but no paths are eliminated based upon the sorting methods.
Having this dual mode allows the module to first fail to find a valid
path, but still return one invalid path (assuming one exists) by
switching over to the second mode long enough to generate a single
path. This provides a middle ground -- the software is very fast,
but still returns something that gives the user a more specific error
than "no path found".
Third, it may be useful to not rule out any paths, but instead limit
the number of paths that may be built given a particular input.
Assuming the path-building module is designed to return the "best
path first", the paths most likely to validate would be returned
before this limit is reached. Once the limit is reached the module
can stop building paths, providing a more rapid response to the
caller than one which builds all possible paths.
Ultimately, the developer determines how to handle the trade-off
between efficiency and provision of information. A developer could
choose the middle ground by opting to implement some optimizations as
elimination rules and others as not. A developer could validate
<span class="grey">Cooper, et al. Informational [Page 39]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-40" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
certificate signatures, or even check revocation status while
building the path, and then make decisions based upon the outcome of
those checks as to whether to eliminate the certificate in question.
This document suggests the following approach:
1) While building paths, eliminate any and all certificates that do
not satisfy all path validation requirements with the following
exceptions:
a. Do not check revocation status if it requires a directory
lookup or network access
b. Do not check digital signatures (see <a href="#section-8.1">Section 8.1</a>, General
Considerations for Building A Certification Path, for
additional considerations).
c. Do not check anything that cannot be checked as part of the
iterative process of traversing the tree.
d. Create a detailed log, if this feature is enabled.
e. If a path cannot be found, the path builder shifts to "mode 2"
and allows the building of a single bad path.
i. Return the path with a failure indicator, as well as
error information detailing why the path is bad.
2) If path building succeeds, validate the path in accordance with
[<a href="#ref-X.509">X.509</a>] and [<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>] with the following recommendations:
a. For a performance boost, do not re-check items already checked
by the path builder. (Note: if pre-populated paths are supplied
to the path-building system, the entire path has to be fully
re-validated.)
b. If the path validation failed, call the path builder again to
build another path.
i. Always store the error information and path from the
first iteration and return this to the user in the event
that no valid path is found. Since the path-building
software was designed to return the "best path first",
this path should be shown to the user.
As stated above, this document recommends that developers do not
validate digital signatures or check revocation status as part of the
path-building process. This recommendation is based on two
<span class="grey">Cooper, et al. Informational [Page 40]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-41" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
assumptions about PKI and its usage. First, signatures in a working
PKI are usually good. Since signature validation is costly in terms
of processor time, it is better to delay signature checking until a
complete path is found and then check the signatures on each
certificate in the certification path starting with the trust anchor
(see <a href="#section-8.1">Section 8.1</a>). Second, it is fairly uncommon in typical
application environments to encounter a revoked certificate;
therefore, most certificates validated will not be revoked. As a
result, it is better to delay retrieving CRLs or other revocation
status information until a complete path has been found. This
reduces the probability of retrieving unneeded revocation status
information while building paths.
<span class="h3"><a class="selflink" id="section-3.3" href="#section-3.3">3.3</a>. Representing the Decision Tree</span>
There are a multitude of ways to implement certification path
building and as many ways to represent the decision tree in memory.
The method described below is an approach that will work well with
the optimization methods listed later in this document. Although
this approach is the best the authors of this document have
implemented, it is by no means the only way to implement it.
Developers should tailor this approach to their own requirements or
may find that another approach suits their environment, programming
language, or programming style.
<span class="h4"><a class="selflink" id="section-3.3.1" href="#section-3.3.1">3.3.1</a>. Node Representation for CA Entities</span>
A "node" in the certification graph is a collection of CA
certificates with identical subject DNs. Minimally, for each node,
in order to fully implement the optimizations to follow, the path-
building module will need to be able to keep track of the following
information:
1. Certificates contained in the node
2. Sorted order of the certificates
3. "Current" certificate indicator
4. The current policy set (It may be split into authority and user
constrained sets, if desired.)
- It is suggested that encapsulating the policy set in an object
with logic for manipulating the set such as performing
intersections, mappings, etc., will simplify implementation.
<span class="grey">Cooper, et al. Informational [Page 41]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-42" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
5. Indicators (requireExplicitPolicy, inhibitPolicyMapping,
anyPolicyInhibit) and corresponding skipCert values
6. A method for indicating which certificates are eliminated or
removing them from the node.
- If nodes are recreated from the cache on demand, it may be
simpler to remove eliminated certificates from the node.
7. A "next" indicator that points to the next node in the current
path
8. A "previous" indicator that points to the previous node in the
current path
<span class="h4"><a class="selflink" id="section-3.3.2" href="#section-3.3.2">3.3.2</a>. Using Nodes to Iterate Over All Paths</span>
In simplest form, a node is created, the certificates are sorted, the
next subject DN required is determined from the first certificate,
and a new node is attached to the certification path via the next
indicator (Number 7 above). This process continues until the path
terminates. (Note: end entity certificates may not contain subject
DNs as allowed by [<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>]. Since end entity certificates by
definition do not issue certificates, this has no impact on the
process.)
Keeping in mind that the following algorithm is designed to be
implemented using recursion, consider the example in Figure 12 and
assume that the only path in the diagram is valid for E is TA->A->
B->E:
If our path-building module is building a path in the forward
direction for E, a node is first created for E. There are no
certificates to sort because only one certificate exists, so all
initial values are loaded into the node from E. For example, the
policy set is extracted from the certificate and stored in the node.
Next, the issuer DN (B) is read from E, and new node is created for B
containing both certificates issued to B -- B(A) and B(C). The
sorting rules are applied to these two certificates and the sorting
algorithm returns B(C);B(A). This sorted order is stored and the
current indicator is set to B(C). Indicators are set and the policy
sets are calculated to the extent possible with respect to B(C). The
following diagram illustrates the current state with the current
certificate indicated with a "*".
<span class="grey">Cooper, et al. Informational [Page 42]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-43" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
+-------------+ +---------------+
| Node 1 | | Node 2 |
| Subject: E |--->| Subject: B |
| Issuers: B* | | Issuers: C*,A |
+-------------+ +---------------+
Next, a node is created for C and all three certificates are added to
it. The sorting algorithm happens to return the certificates sorted
in the following order: C(TA);C(A);C(B)
+-------------+ +---------------+ +------------------+
| Node 1 | | Node 2 | | Node 3 |
| Subject: E |--->| Subject: B |--->| Subject: C |
| Issuers: B | | Issuers: C*,A | | Issuers: TA*,A,B |
+-------------+ +---------------+ +------------------+
Recognizing that the trust anchor has been found, the path
(TA->C->B->E) is validated but fails. (Remember that the only valid
path happens to be TA->A->B->E.) The path-building module now moves
the current certificate indicator in node 3 to C(A), and adds the
node for A.
+-------------+ +---------------+ +------------------+
| Node 1 | | Node 2 | | Node 3 |
| Subject: E |--->| Subject: B |--->| Subject: C |
| Issuers: B | | Issuers: C*,A | | Issuers: TA,A*,B |
+-------------+ +---------------+ +------------------+
|
v
+------------------+
| Node 4 |
| Subject: A |
| Issuers: TA*,C,B |
+------------------+
The path TA->A->C->B->E is validated and it fails. The path-building
module now moves the current indicator in node 4 to A(C) and adds a
node for C.
<span class="grey">Cooper, et al. Informational [Page 43]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-44" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
+-------------+ +---------------+ +------------------+
| Node 1 | | Node 2 | | Node 3 |
| Subject: E |--->| Subject: B |--->| Subject: C |
| Issuers: B | | Issuers: C*,A | | Issuers: TA,A*,B |
+-------------+ +---------------+ +------------------+
|
v
+------------------+ +------------------+
| Node 5 | | Node 4 |
| Subject: C |<---| Subject: A |
| Issuers: TA*,A,B | | Issuers: TA,C*,B |
+------------------+ +------------------+
At this juncture, the decision of whether to allow repetition of name
and key comes to the forefront. If the certification path-building
module will NOT allow repetition of name and key, there are no
certificates in node 5 that can be used. (C and the corresponding
public key is already in the path at node 3.) At this point, node 5
is removed from the current path and the current certificate
indicator on node 4 is moved to A(B).
If instead, the module is only disallowing repetition of
certificates, C(A) is eliminated from node 5 since it is in use in
node 3, and path building continues by first validating TA->C->A->
C->B->E, and then continuing to try to build paths through C(B).
After this also fails to provide a valid path, node 5 is removed from
the current path and the current certificate indicator on node 4 is
moved to A(B).
+-------------+ +---------------+ +------------------+
| Node 1 | | Node 2 | | Node 3 |
| Subject: E |--->| Subject: B |--->| Subject: C |
| Issuers: B | | Issuers: C*,A | | Issuers: TA,A*,B |
+-------------+ +---------------+ +------------------+
|
v
+------------------+
| Node 4 |
| Subject: A |
| Issuers: TA,C,B* |
+------------------+
Now a new node 5 is created for B. Just as with the prior node 5, if
not repeating name and key, B also offers no certificates that can be
used (B and B's public key is in use in node 2) so the new node 5 is
also removed from the path. At this point all certificates in node 4
have now been tried, so node 4 is removed from the path, and the
current indicator on node 3 is moved to C(B).
<span class="grey">Cooper, et al. Informational [Page 44]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-45" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
Also as above, if allowing repetition of name and key, B(C) is
removed from the new node 5 (B(C) is already in use in node 3) and
paths attempted through the remaining certificate B(A). After this
fails, it will lead back to removing node 5 from the path. At this
point all certificates in node 4 have now been tried, so node 4 is
removed from the path, and the current indicator on node 3 is moved
to C(B).
This process continues until all certificates in node 1 (if there
happened to be more than one) have been tried, or until a valid path
has been found. Once the process ends and in the event no valid path
was found, it may be concluded that no path can be found from E to
TA.
<span class="h3"><a class="selflink" id="section-3.4" href="#section-3.4">3.4</a>. Implementing Path-Building Optimization</span>
The following section describes methods that may be used for
optimizing the certification path-building process by sorting
certificates. Optimization as described earlier seeks to prioritize
a list of certificates, effectively prioritizing (weighting) branches
of the graph/tree. The optimization methods can be used to assign a
cumulative score to each certificate. The process of scoring the
certificates amounts to testing each certificate against the
optimization methods a developer chooses to implement, and then
adding the score for each test to a cumulative score for each
certificate. After this is completed for each certificate at a given
branch point in the builder's decision tree, the certificates can be
sorted so that the highest scoring certificate is selected first, the
second highest is selected second, etc.
For example, suppose the path builder has only these two simple
sorting methods:
1) If the certificate has a subject key ID, +5 to score.
2) If the certificate has an authority key ID, +10 to score.
And it then examined three certificates:
1) Issued by CA 1; has authority key ID; score is 10.
2) Issued by CA 2; has subject key ID; score is 5.
3) Issued by CA 1; has subject key ID and authority key ID; score is
15.
The three certificates are sorted in descending order starting with
the highest score: 3, 1, and 2. The path-building software should
first try building the path through certificate 3. Failing that, it
should try certificate 1. Lastly, it should try building a path
through certificate 2.
<span class="grey">Cooper, et al. Informational [Page 45]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-46" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
The following optimization methods specify tests developers may
choose to perform, but does not suggest scores for any of the
methods. Rather, developers should evaluate each method with respect
to the environment in which the application will operate, and assign
weights to each accordingly in the path-building software.
Additionally, many of the optimization methods are not binary in
nature. Some are tri-valued, and some may be well suited to sliding
or exponential scales. Ultimately, the implementer decides the
relative merits of each optimization with respect to his or her own
software or infrastructure.
Over and above the scores for each method, many methods can be used
to eliminate branches during the tree traversal rather than simply
scoring and weighting them. All cases where certificates could be
eliminated based upon an optimization method are noted with the
method descriptions.
Many of the sorting methods described below are based upon what has
been perceived by the authors as common in PKIs. Many of the methods
are aimed at making path building for the common PKI fast, but there
are cases where most any sorting method could lead to inefficient
path building. The desired behavior is that although one method may
lead the algorithm in the wrong direction for a given situation or
configuration, the remaining methods will overcome the errant
method(s) and send the path traversal down the correct branch of the
tree more often than not. This certainly will not be true for every
environment and configuration, and these methods may need to be
tweaked for further optimization in the application's target
operating environment.
As a final note, the list contained in this document is not intended
to be exhaustive. A developer may desire to define additional
sorting methods if the operating environment dictates the need.
<span class="h3"><a class="selflink" id="section-3.5" href="#section-3.5">3.5</a>. Selected Methods for Sorting Certificates</span>
The reader should draw no specific conclusions as to the relative
merits or scores for each of the following methods based upon the
order in which they appear. The relative merit of any sorting
criteria is completely dependent on the specifics of the operating
environment. For most any method, an example can be created to
demonstrate the method is effective and a counter-example could be
designed to demonstrate that it is ineffective.
Each sorting method is independent and may (or may not) be used to
assign additional scores to each certificate tested. The implementer
decides which methods to use and what weights to assign them. As
noted previously, this list is also not exhaustive.
<span class="grey">Cooper, et al. Informational [Page 46]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-47" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
In addition, name chaining (meaning the subject name of the issuer
certificate matches the issuer name of the issued certificate) is not
addressed as a sorting method since adherence to this is required in
order to build the decision tree to which these methods will be
applied. Also, unaddressed in the sorting methods is the prevention
of repeating certificates. Path builders should handle name chaining
and certificate repetition irrespective of the optimization approach.
Each sorting method description specifies whether the method may be
used to eliminate certificates, the number of possible numeric values
(sorting weights) for the method, components from <a href="#section-2.6">Section 2.6</a> that
are required for implementing the method, forward and reverse methods
descriptions, and finally a justification for inclusion of the
method.
With regard to elimination of certificates, it is important to
understand that certificates are eliminated only at a given decision
point for many methods. For example, the path built up to
certificate X may be invalidated due to name constraints by the
addition of certificate Y. At this decision point only, Y could be
eliminated from further consideration. At some future decision
point, while building this same path, the addition of Y may not
invalidate the path.
For some other sorting methods, certificates could be eliminated from
the process entirely. For example, certificates with unsupported
signature algorithms could not be included in any path and validated.
Although the path builder may certainly be designed to operate in
this fashion, it is sufficient to always discard certificates only
for a given decision point regardless of cause.
<span class="h4"><a class="selflink" id="section-3.5.1" href="#section-3.5.1">3.5.1</a>. basicConstraints Is Present and cA Equals True</span>
May be used to eliminate certificates: Yes
Number of possible values: Binary
Components required: None
Forward Method: Certificates with basicConstraints present and
cA=TRUE, or those designated as CA certificates out-of-band have
priority. Certificates without basicConstraints, with
basicConstraints and cA=FALSE, or those that are not designated as CA
certificates out-of-band may be eliminated or have zero priority.
Reverse Method: Same as forward except with regard to end entity
certificates at the terminus of the path.
Justification: According to [<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>], basicConstraints is required
to be present with cA=TRUE in all CA certificates, or must be
<span class="grey">Cooper, et al. Informational [Page 47]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-48" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
verified via an out-of-band mechanism. A valid path cannot be built
if this condition is not met.
<span class="h4"><a class="selflink" id="section-3.5.2" href="#section-3.5.2">3.5.2</a>. Recognized Signature Algorithms</span>
May be used to eliminate certificates: Yes
Number of possible values: Binary
Components required: None
Forward Method: Certificates containing recognized signature and
public key algorithms [<a href="#ref-PKIXALGS" title=""Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation Lists (CRL) Profile"">PKIXALGS</a>] have priority.
Reverse Method: Same as forward.
Justification: If the path-building software is not capable of
processing the signatures associated with the certificate, the
certification path cannot be validated.
<span class="h4"><a class="selflink" id="section-3.5.3" href="#section-3.5.3">3.5.3</a>. keyUsage Is Correct</span>
May be used to eliminate certificates: Yes
Number of possible values: Binary
Components required: None
Forward Method: If keyUsage is present, certificates with
keyCertSign set have 100% priority. If keyUsage is present and
keyCertSign is not set, the certificate may be eliminated or have
zero priority. All others have zero priority.
Reverse Method: Same as forward except with regard to end entity
certificates at the terminus of the path.
Justification: A valid certification path cannot be built through a
CA certificate with inappropriate keyUsage. Note that
digitalSignature is not required to be set in a CA certificate.
<span class="h4"><a class="selflink" id="section-3.5.4" href="#section-3.5.4">3.5.4</a>. Time (T) Falls within the Certificate Validity</span>
May be used to eliminate certificates: Yes
Number of possible values: Binary
Components required: None
Forward Method: Certificates that contain the required time (T)
within their validity period have 100% priority. Otherwise, the
certificate is eliminated or has priority zero.
Reverse Method: Same as forward.
<span class="grey">Cooper, et al. Informational [Page 48]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-49" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
Justification: A valid certification path cannot be built if T falls
outside of the certificate validity period.
NOTE: Special care should be taken to return a meaningful error to
the caller, especially in the event the target certificate does not
meet this criterion, if this sorting method is used for elimination.
(e.g., the certificate is expired or is not yet valid).
<span class="h4"><a class="selflink" id="section-3.5.5" href="#section-3.5.5">3.5.5</a>. Certificate Was Previously Validated</span>
May be used to eliminate certificates: No
Number of possible values: Binary
Components required: Certification Path Cache
Forward Method: A certificate that is present in the certification
path cache has priority.
Reverse Method: Does not apply. (The validity of a certificate vs.
unknown validity does not infer anything about the correct direction
in the decision tree. In other words, knowing the validity of a CA
certificate does not indicate that the target is more likely found
through that path than another.)
Justification: Certificates in the path cache have been validated
previously. Assuming the initial constraints have not changed, it is
highly likely that the path from that certificate to a trust anchor
is still valid. (Changes to the initial constraints may cause a
certificate previously considered valid to no longer be considered
valid.)
Note: It is important that items in the path cache have appropriate
life times. For example, it could be inappropriate to cache a
relationship beyond the period the related CRL will be trusted by the
application. It is also critical to consider certificates and CRLs
farther up the path when setting cache lifetimes. For example, if
the issuer certificate expires in ten days, but the issued
certificate is valid for 20 days, caching the relationship beyond 10
days would be inappropriate.
<span class="h4"><a class="selflink" id="section-3.5.6" href="#section-3.5.6">3.5.6</a>. Previously Verified Signatures</span>
May be used to eliminate certificates: Yes
Number of possible values: Binary
Components required: Path Cache
Forward Method: If a previously verified relationship exists in the
path cache between the subject certificate and a public key present
in one or more issuer certificates, all the certificates containing
<span class="grey">Cooper, et al. Informational [Page 49]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-50" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
said public key have higher priority. Other certificates may be
eliminated or set to zero priority.
Reverse Method: If known bad signature relationships exist between
certificates, these relationships can be used to eliminate potential
certificates from the decision tree. Nothing can be concluded about
the likelihood of finding a given target certificate down one branch
versus another using known good signature relationships.
Justification: If the public key in a certificate (A) was previously
used to verify a signature on a second certificate (B), any and all
certificates containing the same key as (A) may be used to verify the
signature on (B). Likewise, any certificates that do not contain the
same key as (A) cannot be used to verify the signature on (B). This
forward direction method is especially strong for multiply cross-
certified CAs after a key rollover has occurred.
<span class="h4"><a class="selflink" id="section-3.5.7" href="#section-3.5.7">3.5.7</a>. Path Length Constraints</span>
May be used to eliminate certificates: Yes
Number of possible values: Binary
Components required: None
Forward Method: Certificates with basic constraints present and
containing a path length constraint that would invalidate the current
path (the current length is known since the software is building from
the target certificate) may be eliminated or set to zero priority.
Otherwise, the priority is 100%.
Reverse Method: This method may be applied in reverse. To apply it,
the builder keeps a current path length constraint variable and then
sets zero priority for (or eliminates) certificates that would
violate the constraint.
Justification: A valid path cannot be built if the path length
constraint has been violated.
<span class="h4"><a class="selflink" id="section-3.5.8" href="#section-3.5.8">3.5.8</a>. Name Constraints</span>
May be used to eliminate certificates: Yes
Number of possible values: Binary
Components required: None
Forward Method: Certificates that contain nameConstraints that would
be violated by certificates already in the path to this point are
given zero priority or eliminated.
<span class="grey">Cooper, et al. Informational [Page 50]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-51" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
Reverse Method: Certificates that will allow successful processing
of any name constraints present in the path to this point are given
higher priority.
Justification: A valid path cannot be built if name constraints are
violated.
<span class="h4"><a class="selflink" id="section-3.5.9" href="#section-3.5.9">3.5.9</a>. Certificate Is Not Revoked</span>
May be used to eliminate certificates: No
Number of possible values: Three
Components required: CRL Cache
Forward Method: If a current CRL for a certificate is present in the
CRL cache, and the certificate serial number is not on the CRL, the
certificate has priority. If the certificate serial number is
present on the CRL, it has zero priority. If an (acceptably fresh)
OCSP response is available for a certificate, and identifies the
certificate as valid, the certificate has priority. If an OCSP
response is available for a certificate, and identifies the
certificate as invalid, the certificate has zero priority.
Reverse Method: Same as Forward.
Alternately, the certificate may be eliminated if the CRL or OCSP
response is verified. That is, fully verify the CRL or OCSP response
signature and relationship to the certificate in question in
accordance with [<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>]. While this is viable, the signature
verification required makes it less attractive as an elimination
method. It is suggested that this method only be used for sorting
and that CRLs and OCSP responses are validated post path building.
Justification: Certificates known to be not revoked can be
considered more likely to be valid than certificates for which the
revocation status is unknown. This is further justified if CRL or
OCSP response validation is performed post path validation - CRLs or
OCSP responses are only retrieved when complete paths are found.
NOTE: Special care should be taken to allow meaningful errors to
propagate to the caller, especially in cases where the target
certificate is revoked. If a path builder eliminates certificates
using CRLs or OCSP responses, some status information should be
preserved so that a meaningful error may be returned in the event no
path is found.
<span class="grey">Cooper, et al. Informational [Page 51]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-52" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
<span class="h4"><a class="selflink" id="section-3.5.10" href="#section-3.5.10">3.5.10</a>. Issuer Found in the Path Cache</span>
May be used to eliminate certificates: No
Number of possible values: Binary
Components required: Certification Path Cache
Forward Method: A certificate whose issuer has an entry (or entries)
in the path cache has priority.
Reverse Method: Does not apply.
Justification: Since the path cache only contains entries for
certificates that were previously validated back to a trust anchor,
it is more likely than not that the same or a new path may be built
from that point to the (or one of the) trust anchor(s). For
certificates whose issuers are not found in the path cache, nothing
can be concluded.
NOTE: This method is not the same as the method named "Certificate
Was Previously Validated". It is possible for this sorting method to
evaluate to true while the other method could evaluate to zero.
<span class="h4"><a class="selflink" id="section-3.5.11" href="#section-3.5.11">3.5.11</a>. Issuer Found in the Application Protocol</span>
May be used to eliminate certificates: No
Number of possible values: Binary
Components required: Certification Path Cache
Forward Method: If the issuer of a certificate sent by the target
through the application protocol (SSL/TLS, S/MIME, etc.), matches the
signer of the certificate you are looking at, then that certificate
has priority.
Reverse Method: If the subject of a certificate matches the issuer
of a certificate sent by the target through the application protocol
(SSL/TLS, S/MIME, etc.), then that certificate has priority.
Justification: The application protocol may contain certificates
that the sender considers valuable to certification path building,
and are more likely to lead to a path to the target certificate.
<span class="h4"><a class="selflink" id="section-3.5.12" href="#section-3.5.12">3.5.12</a>. Matching Key Identifiers (KIDs)</span>
May be used to eliminate certificates: No
Number of possible values: Three
Components required: None
Forward Method: Certificates whose subject key identifier (SKID)
<span class="grey">Cooper, et al. Informational [Page 52]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-53" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
matches the current certificate's authority key identifier (AKID)
have highest priority. Certificates without a SKID have medium
priority. Certificates whose SKID does not match the current
certificate's AKID (if both are present) have zero priority. If the
current certificate expresses the issuer name and serial number in
the AKID, certificates that match both these identifiers have highest
priority. Certificates that match only the issuer name in the AKID
have medium priority.
Reverse Method: Certificates whose AKID matches the current
certificate's SKID have highest priority. Certificates without an
AKID have medium priority. Certificates whose AKID does not match
the current certificate's SKID (if both are present) have zero
priority. If the certificate expresses the issuer name and serial
number in the AKID, certificates that match both these identifiers in
the current certificate have highest priority. Certificates that
match only the issuer name in the AKID have medium priority.
Justification: Key Identifier (KID) matching is a very useful
mechanism for guiding path building (that is their purpose in the
certificate) and should therefore be assigned a heavy weight.
NOTE: Although required to be present by [<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>], it is extremely
important that KIDs be used only as sorting criteria or as hints
during certification path building. KIDs are not required to match
during certification path validation and cannot be used to eliminate
certificates. This is of critical importance for interoperating
across domains and multi-vendor implementations where the KIDs may
not be calculated in the same fashion.
<span class="h4"><a class="selflink" id="section-3.5.13" href="#section-3.5.13">3.5.13</a>. Policy Processing</span>
May be used to eliminate certificates: Yes
Number of possible values: Three
Components required: None
Forward Method: Certificates that satisfy Forward Policy Chaining
have priority. (See <a href="#section-4">Section 4</a> entitled "Forward Policy Chaining" for
details.) If the caller provided an initial-policy-set and did not
set the initial-require-explicit flag, the weight of this sorting
method should be increased. If the initial-require-explicit-policy
flag was set by the caller or by a certificate, certificates may be
eliminated.
Reverse Method: Certificates that contain policies/policy mappings
that will allow successful policy processing of the path to this
point have priority. If the caller provided an initial-policy-set
and did not set the initial-require-explicit flag, the weight of this
<span class="grey">Cooper, et al. Informational [Page 53]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-54" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
sorting method should be increased. Certificates may be eliminated
only if initial-require-explicit was set by the caller or if
require-explicit-policy was set by a certificate in the path to this
point.
Justification: In a policy-using environment, certificates that
successfully propagate policies are more likely part of an intended
certification path than those that do not.
When building in the forward direction, it is always possible that a
certificate closer to the trust anchor will set the require-
explicit-policy indicator; so giving preference to certification
paths that propagate policies may increase the probability of finding
a valid path first. If the caller (or a certificate in the current
path) has specified or set the initial-require-explicit-policy
indicator as true, this sorting method can also be used to eliminate
certificates when building in the forward direction.
If building in reverse, it is always possible that a certificate
farther along the path will set the require-explicit-policy
indicator; so giving preference to those certificates that propagate
policies will serve well in that case. In the case where require-
explicit-policy is set by certificates or the caller, certificates
can be eliminated with this method.
<span class="h4"><a class="selflink" id="section-3.5.14" href="#section-3.5.14">3.5.14</a>. Policies Intersect the Sought Policy Set</span>
May be used to eliminate certificates: No
Number of possible values: Additive
Components required: None
Forward Method: Certificates that assert policies found in the
initial-acceptable-policy-set have priority. Each additional
matching policy could have an additive affect on the total score.
Alternately, this could be binary; it matches 1 or more, or matches
none.
Reverse Method: Certificates that assert policies found in the
target certificate or map policies to those found in the target
certificate have priority. Each additional matching policy could
have an additive affect on the total score. Alternately, this could
be binary; it matches 1 or more, or matches none.
Justification: In the forward direction, as the path draws near to
the trust anchor in a cross-certified environment, the policies
asserted in the CA certificates will match those in the caller's
domain. Since the initial acceptable policy set is specified in the
<span class="grey">Cooper, et al. Informational [Page 54]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-55" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
caller's domain, matches may indicate that the path building is
drawing nearer to a desired trust anchor. In the reverse direction,
finding policies that match those of the target certificate may
indicate that the path is drawing near to the target's domain.
<span class="h4"><a class="selflink" id="section-3.5.15" href="#section-3.5.15">3.5.15</a>. Endpoint Distinguished Name (DN) Matching</span>
May be used to eliminate certificates: No
Number of possible values: Binary
Components required: None
Forward Method: Certificates whose issuer exactly matches a trust
anchor subject DN have priority.
Reverse Method: Certificates whose subject exactly matches the
target entity issuer DN have priority.
Justification: In the forward direction, if a certificate's issuer
DN matches a trust anchor's DN [<a href="#ref-X.501">X.501</a>], then it may complete the
path. In the reverse direction, if the certificate's subject DN
matches the issuer DN of the target certificate, it may be the last
certificate required to complete the path.
<span class="h4"><a class="selflink" id="section-3.5.16" href="#section-3.5.16">3.5.16</a>. Relative Distinguished Name (RDN) Matching</span>
May be used to eliminate certificates: No
Number of possible values: Sliding Scale
Components required: None
Forward Method: Certificates that match more ordered RDNs between
the issuer DN and a trust anchor DN have priority. When all the RDNs
match, this yields the highest priority.
Reverse Method: Certificates with subject DNs that match more RDNs
with the target's issuer DN have higher priority. When all the RDNs
match, this yields the highest priority.
Justification: In PKIs the DNs are frequently constructed in a tree
like fashion. Higher numbers of matches may indicate that the trust
anchor is to be found in that direction within the tree. Note that
in the case where all the RDNs match [<a href="#ref-X.501">X.501</a>], this sorting method
appears to mirror the preceding one. However, this sorting method
should be capable of producing a 100% weight even if the issuer DN
has more RDNs than the trust anchor. The Issuer DN need only contain
all the RDNs (in order) of the trust anchor.
NOTE: In the case where all RDNs match, this sorting method mirrors
the functionality of the preceding one. This allows for partial
<span class="grey">Cooper, et al. Informational [Page 55]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-56" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
matches to be weighted differently from exact matches. Additionally,
this method can require a lot of processing if many trust anchors are
present.
<span class="h4"><a class="selflink" id="section-3.5.17" href="#section-3.5.17">3.5.17</a>. Certificates are Retrieved from cACertificate Directory</span>
<span class="h4"> Attribute</span>
May be used to eliminate certificates: No
Number of possible values: Binary
Components required: Certificate Cache with flags for the attribute
from where the certificate was retrieved and Remote Certificate
Storage/Retrieval using a directory
Forward Method: Certificates retrieved from the cACertificate
directory attribute have priority over certificates retrieved from
the crossCertificatePair attribute. (See [<a href="./rfc2587" title=""Internet X.509 Public Key Infrastructure LDAPv2 Schema"">RFC2587</a>].)
Reverse Method: Does not apply.
Justification: The cACertificate directory attribute contains
certificates issued from local sources and self issued certificates.
By using the cACertificate directory attribute before the
crossCertificatePair attribute, the path-building algorithm will
(depending on the local PKI configuration) tend to demonstrate a
preference for the local PKI before venturing to external cross-
certified PKIs. Most of today's PKI applications spend most of their
time processing information from the local (user's own) PKI, and the
local PKI is usually very efficient to traverse due to proximity and
network speed.
<span class="h4"><a class="selflink" id="section-3.5.18" href="#section-3.5.18">3.5.18</a>. Consistent Public Key and Signature Algorithms</span>
May be used to eliminate certificates: Yes
Number of possible values: Binary
Components required: None
Forward Method: If the public key in the issuer certificate matches
the algorithm used to sign the subject certificate, then it has
priority. (Certificates with unmatched public key and signature
algorithms may be eliminated.)
Reverse Method: If the public key in the current certificate matches
the algorithm used to sign the subject certificate, then it has
priority. (Certificates with unmatched public key and signature
algorithms may be eliminated.)
Justification: Since the public key and signature algorithms are not
consistent, the signature on the subject certificate will not verify
<span class="grey">Cooper, et al. Informational [Page 56]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-57" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
successfully. For example, if the issuer certificate contains an RSA
public key, then it could not have issued a subject certificate
signed with the DSA-with-SHA-1 algorithm.
<span class="h4"><a class="selflink" id="section-3.5.19" href="#section-3.5.19">3.5.19</a>. Similar Issuer and Subject Names</span>
May be used to eliminate certificates: No
Number of possible values: Sliding Scale
Components required: None
Forward Method: Certificates encountered with a subject DN that
matches more RDNs with the issuer DN of the target certificate have
priority.
Reverse Method: Same as forward.
Justification: As it is generally more efficient to search the local
domain prior to branching to cross-certified domains, using
certificates with similar names first tends to make a more efficient
path builder. Cross-certificates issued from external domains will
generally match fewer RDNs (if any), whereas certificates in the
local domain will frequently match multiple RDNs.
<span class="h4"><a class="selflink" id="section-3.5.20" href="#section-3.5.20">3.5.20</a>. Certificates in the Certification Cache</span>
May be used to eliminate certificates: No
Number of possible values: Three
Components required: Local Certificate Cache and Remote Certificate
Storage/Retrieval (e.g., LDAP directory as the repository)
Forward Method: A certificate whose issuer certificate is present in
the certificate cache and populated with certificates has higher
priority. A certificate whose issuer's entry is fully populated with
current data (all certificate attributes have been searched within
the timeout period) has higher priority.
Reverse Method: If the subject of a certificate is present in the
certificate cache and populated with certificates, then it has higher
priority. If the entry is fully populated with current data (all
certificate attributes have been searched within the timeout period)
then it has higher priority.
Justification: The presence of required directory values populated
in the cache increases the likelihood that all the required
certificates and CRLs needed to complete the path from this
certificate to the trust anchor (or target if building in reverse)
are present in the cache from a prior path being developed, thereby
<span class="grey">Cooper, et al. Informational [Page 57]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-58" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
eliminating the need for directory access to complete the path. In
the event no path can be found, the performance cost is low since the
certificates were likely not retrieved from the network.
<span class="h4"><a class="selflink" id="section-3.5.21" href="#section-3.5.21">3.5.21</a>. Current CRL Found in Local Cache</span>
May be used to eliminate certificates: No
Number of possible values: Binary
Components Required: CRL Cache
Forward Method: Certificates have priority if the issuer's CRL entry
exists and is populated with current data in the CRL cache.
Reverse Method: Certificates have priority if the subject's CRL
entry exists and is populated with current data in the CRL cache.
Justification: If revocation is checked only after a complete path
has been found, this indicates that a complete path has been found
through this entity at some past point, so a path still likely
exists. This also helps reduce remote retrievals until necessary.
<span class="h3"><a class="selflink" id="section-3.6" href="#section-3.6">3.6</a>. Certificate Sorting Methods for Revocation Signer Certification</span>
<span class="h3"> Paths</span>
Unless using a locally-configured OCSP responder or some other
locally-configured trusted revocation status service, certificate
revocation information is expected to be provided by the PKI that
issued the certificate. It follows that when building a
certification path for a Revocation Signer certificate, it is
desirable to confine the building algorithm to the PKI that issued
the certificate. The following sorting methods seek to order
possible paths so that the intended Revocation Signer certification
path is found first.
These sorting methods are not intended to be used in lieu of the ones
described in the previous section; they are most effective when used
in conjunction with those in <a href="#section-3.5">Section 3.5</a>. Some sorting criteria below
have identical names as those in the preceding section. This
indicates that the sorting criteria described in the preceding
section are modified slightly when building the Revocation Signer
certification path.
<span class="h4"><a class="selflink" id="section-3.6.1" href="#section-3.6.1">3.6.1</a>. Identical Trust Anchors</span>
May be used to eliminate certificates: No
Number of possible values: Binary
Components required: Is-revocation-signer indicator and the
Certification Authority's trust anchor
<span class="grey">Cooper, et al. Informational [Page 58]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-59" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
Forward Method: Not applicable.
Reverse Method: Path building should begin from the same trust
anchor used to validate the Certification Authority before trying any
other trust anchors. If any trust anchors exist with a different
public key but an identical subject DN to that of the Certification
Authority's trust anchor, they should be tried prior to those with
mismatched names.
Justification: The revocation information for a given certificate
should be produced by the PKI that issues the certificate.
Therefore, building a path from a different trust anchor than the
Certification Authority's is not desirable.
<span class="h4"><a class="selflink" id="section-3.6.2" href="#section-3.6.2">3.6.2</a>. Endpoint Distinguished Name (DN) Matching</span>
May be used to eliminate certificates: No
Number of possible values: Binary
Components required: Is-revocation-signer indicator and the
Certification Authority's trust anchor
Forward Method: Operates identically to the sorting method described
in 3.5.15, except that instead of performing the matching against all
trust anchors, the DN matching is performed only against the trust
anchor DN used to validate the CA certificate.
Reverse Method: No change for Revocation Signer's certification
path.
Justification: The revocation information for a given certificate
should be produced by the PKI that issues the certificate.
Therefore, building a path to a different trust anchor than the CA's
is not desirable. This sorting method helps to guide forward
direction path building toward the trust anchor used to validate the
CA certificate.
<span class="h4"><a class="selflink" id="section-3.6.3" href="#section-3.6.3">3.6.3</a>. Relative Distinguished Name (RDN) Matching</span>
May be used to eliminate certificates: No
Number of possible values: Sliding Scale
Components required: Is-revocation-signer indicator and the
Certification Authority's trust anchor
Forward Method: Operates identically to the sorting method described
in 3.5.16 except that instead of performing the RDN matching against
all trust anchors, the matching is performed only against the trust
anchor DN used to validate the CA certificate.
<span class="grey">Cooper, et al. Informational [Page 59]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-60" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
Reverse Method: No change for Revocation Signer's certification
path.
Justification: The revocation information for a given certificate
should be produced by the PKI that issues the certificate.
Therefore, building a path to a different trust anchor than the CA's
is not desirable. This sorting method helps to guide forward
direction path building toward the trust anchor used to validate the
CA certificate.
<span class="h4"><a class="selflink" id="section-3.6.4" href="#section-3.6.4">3.6.4</a>. Identical Intermediate Names</span>
May be used to eliminate certificates: No
Number of possible values: Binary
Components required: Is-revocation-signer indicator and the
Certification Authority's complete certification path
Forward Method: If the issuer DN in the certificate matches the
issuer DN of a certificate in the Certification Authority's path, it
has higher priority.
Reverse Method: If the subject DN in the certificate matches the
subject DN of a certificate in the Certification Authority's path, it
has higher priority.
Justification: Following the same path as the Certificate should
deter the path-building algorithm from wandering in an inappropriate
direction. Note that this sorting method is indifferent to whether
the certificate is self-issued. This is beneficial in this situation
because it would be undesirable to lower the priority of a re-key
certificate.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Forward Policy Chaining</span>
It is tempting to jump to the conclusion that certificate policies
offer little assistance to path building when building from the
target certificate. It's easy to understand the "validate as you go"
approach from the trust anchor, and much less obvious that any value
can be derived in the other direction. However, since policy
validation consists of the intersection of the issuer policy set with
the subject policy set and the mapping of policies from the issuer
set to the subject set, policy validation can be done while building
a path in the forward direction as well as the reverse. It is simply
a matter of reversing the procedure. That is not to say this is as
ideal as policy validation when building from the trust anchor, but
it does offer a method that can be used to mostly eliminate what has
long been considered a weakness inherent to building in the forward
(from the target certificate) direction.
<span class="grey">Cooper, et al. Informational [Page 60]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-61" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Simple Intersection</span>
The most basic form of policy processing is the intersection of the
policy sets from the first CA certificate through the target
certificate. Fortunately, the intersection of policy sets will
always yield the same final set regardless of the order of
intersection. This allows processing of policy set intersections in
either direction. For example, if the trust anchor issues a CA
certificate (A) with policies {X,Y,Z}, and that CA issues another CA
certificate (B) with policies {X,Y}, and CA B then issues a third CA
certificate (C) with policy set {Y,G}, one normally calculates the
policy set from the trust anchor as follows:
1) Intersect A{X,Y,Z} with B{X,Y} to yield the set {X,Y}
2) Intersect that result, {X,Y} with C{Y,G} to yield the final set
{Y}
Now it has been shown that certificate C is good for policy Y.
The other direction is exactly the same procedure, only in reverse:
1) Intersect C{Y,G} with B{X,Y} to yield the set {Y}
2) Intersect that result, {Y} with A{X,Y,Z} to yield the final set
{Y}
Just like in the reverse direction, it has been shown that
certificate C is good for policy Y, but this time in the forward
direction.
When building in the forward direction, policy processing is handled
much like it is in reverse -- the software lends preference to
certificates that propagate policies. Neither approach guarantees
that a path with valid policies will be found, but rather both
approaches help guide the path in the direction it should go in order
for the policies to propagate.
If the caller has supplied an initial-acceptable-policy set, there is
less value in using it when building in the forward direction unless
the caller also set inhibit-policy-mapping. In that case, the path
builder can further constrain the path building to propagating
policies that exist in the initial-acceptable-policy-set. However,
even if the inhibit-policy-mapping is not set, the initial-policy-set
can still be used to guide the path building toward the desired trust
anchor.
<span class="grey">Cooper, et al. Informational [Page 61]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-62" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. Policy Mapping</span>
When a CA issues a certificate into another domain, an environment
with disparate policy identifiers to its own, the CA may make use of
policy mappings to map equivalence from the local domain's policy to
the non-local domain's policy. If in the prior example, A had
included a policy mapping that mapped X to G in the certificate it
issued to B, C would be good for X and Y:
1) Intersect A{X,Y,Z} with B{X,Y} to yield the set {X,Y}
2) Process Policy Mappings in B's certificate (X maps to G) to yield
{G,Y} (same as {Y,G})
3) Intersect that result, {G,Y} with C{Y,G} to yield the final set
{G,Y}
Since policies are always expressed in the relying party's domain,
the certificate C is said to be good for {X, Y}, not {Y, G}. This is
because "G" doesn't mean anything in the context of the trust anchor
that issued A without the policy mapping.
When building in the forward direction, policies can be "unmapped" by
reversing the mapping procedure. This procedure is limited by one
important aspect: if policy mapping has occurred in the forward
direction, there is no mechanism by which it can be known in advance
whether or not a future addition to the current path will invalidate
the policy chain (assuming one exists) by setting inhibit-policy-
mapping. Fortunately, it is uncommon practice to set this flag. The
following is the procedure for processing policy mapping in the
forward direction:
1) Begin with C's policy set {Y,G}
2) Apply the policy mapping in B's certificate (X maps to G) in
reverse to yield {Y,X} (same as {X,Y})
3) Intersect the result {X,Y} with B{X,Y} to yield the set {X,Y}
4) Intersect that result, {X,Y}, with A{X,Y,Z} to yield the final set
{X,Y}
Just like in the reverse direction, it is determined in the forward
direction that certificate C is good for policies {X,Y}. If during
this procedure, an inhibit-policy-mapping flag was encountered, what
should be done? This is reasonably easy to keep track of as well.
The software simply maintains a flag on any policies that were
propagated as a result of a mapping; just a simple Boolean kept with
<span class="grey">Cooper, et al. Informational [Page 62]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-63" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
the policies in the set. Imagine now that the certificate issued to
A has the inhibit-policy-mapping constraint expressed with a skip
certificates value of zero.
1) Begin with C's policy set {Y,G}
2) Apply the policy mapping in B's certificate and mark X as
resulting from a mapping. (X maps to G) in reverse to yield {Y,Xm}
(same as {Xm,Y})
3) Intersect the result {Xm,Y} with B{X,Y} to yield the set {Xm,Y}
4) A's certificate expresses the inhibit policy mapping constraint,
so eliminate any policies in the current set that were propagated
due to mapping (which is Xm) to yield {Y}
5) Intersect that result, {Y} with A{X,Y,Z} to yield the final set
{Y}
If in our example, the policy set had gone to empty at any point (and
require-explicit-policy was set), the path building would back up and
try to traverse another branch of the tree. This is analogous to the
path-building functionality utilized in the reverse direction when
the policy set goes to empty.
<span class="h3"><a class="selflink" id="section-4.3" href="#section-4.3">4.3</a>. Assigning Scores for Forward Policy Chaining</span>
Assuming the path-building module is maintaining the current forward
policy set, weights may be assigned using the following procedure:
1) For each CA certificate being scored:
a. Copy the current forward policy set.
b. Process policy mappings in the CA certificate in order to
"un-map" policies, if any.
c. Intersect the resulting set with CA certificate's policies.
The larger the policy set yielded, the larger the score for that CA
certificate.
2) If an initial acceptable set was supplied, intersect this set with
the resulting set for each CA certificate from (1).
The larger the resultant set, the higher the score is for this
certificate.
<span class="grey">Cooper, et al. Informational [Page 63]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-64" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
Other scoring schemes may work better if the operating environment
dictates.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Avoiding Path-Building Errors</span>
This section defines some errors that may occur during the path-
building process, as well as ways to avoid these errors when
developing path-building functions.
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Dead Ends</span>
When building certification paths in a non-hierarchical PKI
structure, a simple path-building algorithm could fail prematurely
without finding an existing path due to a "dead end". Consider the
example in Figure 14.
+----+ +---+
| TA | | Z |
+----+ +---+
| |
| |
V V
+---+ +---+
| C |<-----| Y |
+---+ +---+
|
|
V
+--------+
| Target |
+--------+
Figure 14 - Dead End Example
Note that in the example, C has two certificates: one issued by Y,
and the other issued by the Trust Anchor. Suppose that a simple
"find issuer" algorithm is used, and the order in which the path
builder found the certificates was Target(C), C(Y), Y(Z), Z(Z). In
this case, Z has no certificates issued by any other entities, and so
the simplistic path-building process stops. Since Z is not the
relying party's trust anchor, the certification path is not complete,
and will not validate. This example shows that in anything but the
simplest PKI structure, additional path-building logic will need to
handle the cases in which entities are issued multiple certificates
from different issuers. The path-building algorithm will also need
to have the ability to traverse back up the decision tree and try
another path in order to be robust.
<span class="grey">Cooper, et al. Informational [Page 64]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-65" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. Loop Detection</span>
In a non-hierarchical PKI structure, a path-building algorithm may
become caught in a loop without finding an existing path. Consider
the example below:
+----+
| TA |
+----+
|
|
+---+ +---+
| A | ->| Z |
+---+ / +---+
| / |
| / |
V / V
+---+ +---+
| B |<-----| Y |
+---+ +---+
|
|
V
+--------+
| Target |
+--------+
Figure 15 - Loop Example
Let us suppose that in this example the simplest "find issuer"
algorithm is used, and the order in which certificates are retrieved
is Target(B), B(Y), Y(Z), Z(B), B(Y), Y(Z), Z(B), B(Y), ... A loop
has formed that will cause the correct path (Target, B, A) to never
be found. The certificate processing system will need to recognize
loops created by duplicate certificates (which are prohibited in a
path by [<a href="#ref-X.509">X.509</a>]) before they form to allow the certification path-
building process to continue and find valid paths. The authors of
this document recommend that the loop detection not only detect the
repetition of a certificate in the path, but also detect the presence
of the same subject name / subject alternative name/ subject public
key combination occurring twice in the path. A name/key pair should
only need to appear once in the path. (See <a href="#section-2.4.2">Section 2.4.2</a> for more
information on the reasoning behind this recommendation.)
<span class="grey">Cooper, et al. Informational [Page 65]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-66" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
<span class="h3"><a class="selflink" id="section-5.3" href="#section-5.3">5.3</a>. Use of Key Identifiers</span>
Inconsistent and/or incompatible approaches to computing the subject
key identifier and authority key identifier in public key
certificates can cause failures in certification path-building
algorithms that use those fields to identify certificates, even
though otherwise valid certification paths may exist. Path-building
implementations should use existing key identifiers and not attempt
to re-compute subject key identifiers. It is extremely important
that Key Identifiers be used only as sorting criteria or hints. KIDs
are not required to match during certification path validation and
cannot be used to eliminate certificates. This is of critical
importance for interoperating across domains and multi-vendor
implementations where the KIDs may not be calculated in the same
fashion.
Path-building and processing implementations should not rely on the
form of authority key identifier that uses the authority DN and
serial number as a restrictive matching rule, because cross-
certification can lead to this value not being matched by the cross-
certificates.
<span class="h3"><a class="selflink" id="section-5.4" href="#section-5.4">5.4</a>. Distinguished Name Encoding</span>
Certification path-building software should not rely on DNs being
encoded as PrintableString. Although frequently encoded as
PrintableString, DNs may also appear as other types, including
BMPString or UTF8String. As a result, software systems that are
unable to process BMPString and UTF8String encoded DNs may be unable
to build and validate some certification paths.
Furthermore, [<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>] compliant certificates are required to encode
DNs as UTF8String as of January 1, 2004. Certification path-building
software should be prepared to handle "name rollover" certificates as
described in [<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>]. Note that the inclusion of a "name rollover"
certificate in a certification path does not constitute repetition of
a DN and key. Implementations that include the "name rollover"
certificate in the path should ensure that the DNs with differing
encoding are regarded as dissimilar. (Implementations may instead
handle matching DNs of different encodings and will therefore not
need to include "name rollover" certificates in the path.)
<span class="grey">Cooper, et al. Informational [Page 66]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-67" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Retrieval Methods</span>
Building a certification path requires the availability of the
certificates and CRLs that make up the path. There are many
different methods for obtaining these certificates and CRLs. This
section lists a few of the common ways to perform this retrieval, as
well as some suggested approaches for improving performance. This
section is not intended to provide a complete reference for
certificate and CRL retrieval methods or optimizations that would be
useful in certification path building.
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. Directories Using LDAP</span>
Most applications utilize the Lightweight Directory Access Protocol
(LDAP) when retrieving data from directories following the X.500
model. Applications may encounter directories which support either
LDAP v2 [<a href="./rfc1777" title=""Lightweight Directory Access Protocol"">RFC1777</a>] or LDAP v3 [<a href="./rfc3377" title=""Lightweight Directory Access Protocol (v3): Technical Specification"">RFC3377</a>].
The LDAP v3 specification defines one attribute retrieval option, the
"binary" option. When specified in an LDAP retrieval request, this
option was intended to force the directory to ignore any string-based
representations of BER-encoded directory information, and send the
requested attribute(s) in BER format. Since all PKI objects of
concern are BER-encoded objects, the "binary" option should be used.
However, not all directories support the "binary" option. Therefore,
applications should be capable of requesting attributes with and
without the "binary" option. For example, if an application wishes
to retrieve the userCertificate attribute, the application should
request "userCertificate;binary". If the desired information is not
returned, robust implementations may opt to request "userCertificate"
as well.
The following attributes should be considered by PKI application
developers when performing certificate retrieval from LDAP sources:
userCertificate: contains certificates issued by one or more
certification authorities with a subject DN that matches that of
the directory entry. This is a multi-valued attribute and all
values should be received and considered during path building.
Although typically it is expected that only end entity
certificates will be stored in this attribute, (e.g., this is the
attribute an application would request to find a person's
encryption certificate) implementers may opt to search this
attribute when looking in CA entries to make their path builder
more robust. If it is empty, the overhead added by including this
attribute when already requesting one or both of the two below is
marginal.
<span class="grey">Cooper, et al. Informational [Page 67]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-68" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
cACertificate: contains self-issued certificates (if any) and any
certificates issued to this certification authority by other
certification authorities in the same realm. (Realm is dependent
upon local policy.) This is a multi-valued attribute and all
values should be received and considered during path building.
crossCertificatePair: in conformant implementations, the
crossCertificatePair is used to contain all, except self-issued
certificates issued to this certification authority, as well as
certificates issued by this certification authority to other
certification authorities. Each attribute value is a structure
containing two elements. The issuedToThisCA element contains
certificates issued to this certification authority by other
certification authorities. The issuedByThisCA element contains
certificates issued by this certification authority to other
certification authorities. Both elements of the
crossCertificatePair are labeled optional in the ASN.1 definition.
If both elements are present in a single value, the issuer name in
one certificate is required to match the subject name in the other
and vice versa, and the subject public key in one certificate
shall be capable of verifying the digital signature on the other
certificate and vice versa. As this technology has evolved,
different standards have had differing requirements on where
information could be found. For example, the LDAP v2 schema
[<a href="./rfc2587" title=""Internet X.509 Public Key Infrastructure LDAPv2 Schema"">RFC2587</a>] states that the issuedToThisCA (once called 'forward')
element of the crossCertificatePair attribute is mandatory and the
issuedByThisCA (once called 'reverse') element is optional. In
contrast, Section 11.2.3 of [<a href="#ref-X.509">X.509</a>] requires the issuedByThisCA
element to be present if the CA issues a certificate to another CA
if the subject is not a subordinate CA in a hierarchy. Conformant
directories behave as required by [<a href="#ref-X.509">X.509</a>], but robust path-
building implementations may want to retrieve all certificates
from the cACertificate and crossCertificatePair attributes to
ensure all possible certification authority certificates are
obtained.
certificateRevocationList: the certificateRevocationList attribute
contains a certificate revocation list (CRL). A CRL is defined in
[<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>] as a time stamped list identifying revoked certificates,
which is signed by a CA or CRL issuer and made freely available in
a public repository. Each revoked certificate is identified in a
CRL by its certificate serial number. There may be one or more
CRLs in this attribute, and the values should be processed in
accordance with [<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>].
<span class="grey">Cooper, et al. Informational [Page 68]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-69" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
authorityRevocationList: the authorityRevocationList attribute also
contains CRLs. These CRLs contain revocation information
regarding certificates issued to other CAs. There may be one or
more CRLs in this attribute, and the values should be processed in
accordance with [<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>].
Certification path processing systems that plan to interoperate with
varying PKI structures and directory designs should at a minimum be
able to retrieve and process the userCertificate, cACertificate,
crossCertificatePair, certificateRevocationList, and
authorityRevocationList attributes from directory entries.
<span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. Certificate Store Access via HTTP</span>
Another possible method of certificate retrieval is using HTTP as an
interface mechanism for retrieving certificates and CRLs from PKI
repositories. A current PKIX document [<a href="#ref-CERTSTORE" title=""Internet X.509 Public Key Infrastructure Operational Protocols: Certificate Store Access via HTTP"">CERTSTORE</a>] provides a
protocol for a general-purpose interface capability for retrieving
certificates and CRLs from PKI repositories. Since the [<a href="#ref-CERTSTORE" title=""Internet X.509 Public Key Infrastructure Operational Protocols: Certificate Store Access via HTTP"">CERTSTORE</a>]
document is a work in progress as of the writing of this document, no
details are given here on how to utilize this mechanism for
certificate and CRL retrieval. Instead, refer to the [<a href="#ref-CERTSTORE" title=""Internet X.509 Public Key Infrastructure Operational Protocols: Certificate Store Access via HTTP"">CERTSTORE</a>]
document or its current version. Certification path processing
systems may wish to implement support for this interface capability,
especially if they will be used in environments that will provide
HTTP-based access to certificates and CRLs.
<span class="h3"><a class="selflink" id="section-6.3" href="#section-6.3">6.3</a>. Authority Information Access</span>
The authority information access (AIA) extension, defined within
[<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>], indicates how to access CA information and services for
the issuer of the certificate in which the extension appears. If a
certificate with an AIA extension contains an accessMethod defined
with the id-ad-caIssuers OID, the AIA may be used to retrieve one or
more certificates for the CA that issued the certificate containing
the AIA extension. The AIA will provide a uniform resource
identifier (URI) [<a href="./rfc3986" title=""Uniform Resource Identifier (URI): Generic Syntax"">RFC3986</a>] when certificates can be retrieved via
LDAP, HTTP, or FTP. The AIA will provide a directoryName when
certificates can be retrieved via directory access protocol (DAP).
The AIA will provide an rfc822Name when certificates can be retrieved
via electronic mail. Additionally, the AIA may specify the location
of an OCSP [<a href="./rfc2560" title=""X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP"">RFC2560</a>] responder that is able to provide revocation
information for the certificate.
If present, AIA may provide forward path-building implementations
with a direct link to a certificate for the issuer of a given
certificate. Therefore, implementations may wish to provide support
for decoding the AIA extension and processing the LDAP, HTTP, FTP,
<span class="grey">Cooper, et al. Informational [Page 69]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-70" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
DAP, or e-mail locators. Support for AIA is optional; [<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>]
compliant implementations are not required to populate the AIA
extension. However, implementers of path-building and validation
modules are strongly encouraged to support AIA, especially the HTTP
transport; this will provide for usability and interoperability with
many existing PKIs.
<span class="h3"><a class="selflink" id="section-6.4" href="#section-6.4">6.4</a>. Subject Information Access</span>
The subject information access (SIA) extension, defined within
[<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>], indicates how to access information and services for the
subject of the certificate in which the extension appears. If a
certificate with an SIA extension contains an accessMethod defined
with the id-ad-caRepository OID, the SIA may be used to locate one or
more certificates (and possibly CRLs) for entities issued
certificates by the subject. The SIA will provide a uniform resource
identifier (URI) [<a href="./rfc3986" title=""Uniform Resource Identifier (URI): Generic Syntax"">RFC3986</a>] when data can be retrieved via LDAP, HTTP,
or FTP. The SIA will provide a directoryName when data can be
retrieved via directory access protocol (DAP). The SIA will provide
an rfc822Name when data can be retrieved via electronic mail.
If present, the SIA extension may provide reverse path-building
implementations with the certificates required to continue building
the path. Therefore, implementations may wish to provide support for
decoding the SIA extension and processing the LDAP, HTTP, FTP, DAP,
or e-mail locators. Support for SIA is optional; [<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>] compliant
implementations are not required to populate the SIA extension.
However, implementers of path-building and validation modules are
strongly encouraged to support SIA, especially the HTTP transport;
this will provide for usability and interoperability with many
existing PKIs.
<span class="h3"><a class="selflink" id="section-6.5" href="#section-6.5">6.5</a>. CRL Distribution Points</span>
The CRL distribution points (CRLDP) extension, defined within
[<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>], indicates how to access CRL information. If a CRLDP
extension appears within a certificate, the CRL(s) to which the CRLDP
refer are generally the CRLs that would contain revocation
information for the certificate. The CRLDP extension may point to
multiple distribution points from which the CRL information may be
obtained; the certificate processing system should process the CRLDP
extension in accordance with [<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>]. The most common distribution
points contain URIs from which the appropriate CRL may be downloaded,
and directory names, which can be queried in a directory to retrieve
the CRL attributes from the corresponding entry.
<span class="grey">Cooper, et al. Informational [Page 70]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-71" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
If present, CRLDP can provide certificate processing implementations
with a link to CRL information for a given certificate. Therefore,
implementations may wish to provide support for decoding the CRLDP
extension and using the information to retrieve CRLs. Support for
CRLDP is optional and [<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>] compliant implementations need not
populate the CRLDP extension. However, implementers of path-building
and validation modules are strongly encouraged to support CRLDPs. At
a minimum, developers are encouraged to consider supporting the LDAP
and HTTP transports; this will provide for interoperability across a
wide range of existing PKIs.
<span class="h3"><a class="selflink" id="section-6.6" href="#section-6.6">6.6</a>. Data Obtained via Application Protocol</span>
Many application protocols, such as SSL/TLS and S/MIME, allow one
party to provide certificates and CRLs to another. Data provided in
this method is generally very valuable to path-building software
(will provide direction toward valid paths), and should be stored and
used accordingly. Note: self-signed certificates obtained via
application protocol are not trustworthy; implementations should only
consider the relying party's trust anchors when building paths.
<span class="h3"><a class="selflink" id="section-6.7" href="#section-6.7">6.7</a>. Proprietary Mechanisms</span>
Some certificate issuing systems and certificate processing systems
may utilize proprietary retrieval mechanisms, such as network mapped
drives, databases, or other methods that are not directly referenced
via the IETF standards. Certificate processing systems may wish to
support other proprietary mechanisms, but should only do so in
addition to supporting standard retrieval mechanisms such as LDAP,
AIA, and CRLDP (unless functioning in a closed environment).
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Improving Retrieval Performance</span>
Retrieval performance can be improved through a few different
mechanisms, including the use of caches and setting a specific
retrieval order. This section discusses a few methods by which the
performance of a certificate processing system may be improved during
the retrieval of PKI objects. Certificate processing systems that
are consistently very slow during processing will be disliked by
users and will be slow to be adopted into organizations. Certificate
processing systems are encouraged to do whatever possible to reduce
the delays associated with requesting and retrieving data from
external sources.
<span class="grey">Cooper, et al. Informational [Page 71]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-72" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
<span class="h3"><a class="selflink" id="section-7.1" href="#section-7.1">7.1</a>. Caching</span>
Certificate processing systems operating in a non-hierarchical PKI
will often need to retrieve certificates and certificate revocation
lists (CRLs) from a source outside the application protocol.
Typically, these objects are retrieved from an X.500 or LDAP
repository, an Internet URI [<a href="./rfc3986" title=""Uniform Resource Identifier (URI): Generic Syntax"">RFC3986</a>], or some other non-local
source. Due to the delays associated with establishing connections
as well as network transfers, certificate processing systems ought to
be as efficient as possible when retrieving data from external
sources. Perhaps the best way to improve retrieval efficiency is by
using a caching mechanism. Certificate processing systems can cache
data retrieved from external sources for some period of time, but not
to exceed the useful period of the data (i.e., an expired certificate
need not be cached). Although this comes at a cost of increased
memory/disk consumption by the system, the cost and performance
benefit of reducing network transmissions is great. Also, CRLs are
often issued and available in advance of the nextUpdate date in the
CRL. Implementations may wish to obtain these "fresher" CRLs before
the nextUpdate date has passed.
There are a number of different ways in which caching can be
implemented; the specifics of these methods can be used as
distinguishing characteristics between certificate processing
systems. However, some things that implementers may wish to consider
when developing caching systems are as follows:
- If PKI objects are cached, the certification path-building
mechanism should be able to examine and retrieve from the cache
during path building. This will allow the certificate
processing system to find or eliminate one or more paths quickly
without requiring external contact with a directory or other
retrieval mechanism.
- Sharing caches between multiple users (via a local area network
or LAN) may be useful if many users in one organization
consistently perform PKI operations with another organization.
- Caching not only PKI objects (such as certificates and CRLs) but
also relationships between PKI objects (storing a link between a
certificate and the issuer's certificate) may be useful. This
linking may not always lead to the most correct or best
relationship, but could represent a linking that worked in
another scenario.
- Previously built paths and partial paths are quite useful to
cache, because they will provide information on previous
successes or failures. Additionally, if the cache is safe from
<span class="grey">Cooper, et al. Informational [Page 72]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-73" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
unauthorized modifications, caching validation and signature
checking status for certificates, CRLs, and paths can also be
stored.
<span class="h3"><a class="selflink" id="section-7.2" href="#section-7.2">7.2</a>. Retrieval Order</span>
To optimize efficiency, certificate processing systems are encouraged
to also consider the order in which different PKI objects are
retrieved, as well as the mechanism from which they are retrieved.
If caching is utilized, the caches can be consulted for PKI objects
before attempting other retrieval mechanisms. If multiple caches are
present (such as local disk and network), the caches can be consulted
in the order in which they can be expected to return their result
from fastest to slowest. For example, if a certificate processing
system wishes to retrieve a certificate with a particular subject DN,
the system might first consult the local cache, then the network
cache, and then attempt directory retrieval. The specifics of the
types of retrieval mechanisms and their relative costs are left to
the implementer.
In addition to ordering retrieval mechanisms, the certificate
processing system ought to order the relative merits of the different
external sources from which a PKI object can be retrieved. If the
AIA is present within a certificate, with a URI [<a href="./rfc3986" title=""Uniform Resource Identifier (URI): Generic Syntax"">RFC3986</a>] for the
issuer's certificate, the certificate processing system (if able) may
wish to attempt to retrieve the certificate first from local cache
and then by using that URI (because it is expected to point directly
to the desired certificate) before attempting to retrieve the
certificates that may exist within a directory.
If a directory is being consulted, it may be desirable to retrieve
attributes in a particular order. A highly cross-certified PKI
structure will lead to multiple possibilities for certification
paths, which may mean multiple validation attempts before a
successful path is retrieved. Therefore, cACertificate and
userCertificate (which typically contain certificates from within the
same 'realm') could be consulted before attempting to retrieve the
crossCertificatePair values for an entry. Alternately, all three
attributes could be retrieved in one query, but cross-certificates
then tagged as such and used only after exhausting the possibilities
from the cACertificate attribute. The best approach will depend on
the nature of the application and PKI environment.
<span class="h3"><a class="selflink" id="section-7.3" href="#section-7.3">7.3</a>. Parallel Fetching and Prefetching</span>
Much of this document has focused on a path-building algorithm that
minimizes the performance impact of network retrievals, by preventing
those retrievals and utilization of caches. Another way to improve
<span class="grey">Cooper, et al. Informational [Page 73]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-74" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
performance would be to allow network retrievals to be performed in
advance (prefetching) or at the same time that other operations are
performed (parallel fetching). For example, if an email application
receives a signed email message, it could download the required
certificates and CRLs prior to the recipient viewing (or attempting
to verify) the message. Implementations that provide the capability
of parallel fetching and/or prefetching, along with a robust cache,
can lead to greatly improved performance or user experience.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. Security Considerations</span>
<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. General Considerations for Building a Certification Path</span>
Although certification path building deals directly with security
relevant PKI data, the PKI data itself needs no special handling
because its integrity is secured with the digital signature applied
to it. The only exception to this is the appropriate protection of
the trust anchor public keys. These are to be kept safe and obtained
out of band (e.g., not from an electronic mail message or a
directory) with respect to the path-building module.
The greatest security risks associated with this document revolve
around performing certification path validation while certification
paths are built. It is therefore noted here that fully implemented
certification path validation in accordance with [<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>] and
[<a href="#ref-X.509">X.509</a>] is required in order for certification path building,
certification path validation, and the certificate using application
to be properly secured. All of the Security Considerations listed in
<a href="./rfc3280#section-9">Section 9 of [RFC3280]</a> apply equally here.
In addition, as with any application that consumes data from
potentially untrusted network locations, certification path-building
components should be carefully implemented so as to reduce or
eliminate the possibility of network based exploits. For example, a
poorly implemented path-building module may not check the length of
the CRLDP URI [<a href="./rfc3986" title=""Uniform Resource Identifier (URI): Generic Syntax"">RFC3986</a>] before using the C language strcpy() function
to place the address in a 1024 byte buffer. A hacker could use such
a flaw to create a buffer overflow exploit by encoding malicious
assembly code into the CRLDP of a certificate and then use the
certificate to attempt an authentication. Such an attack could yield
system level control to the attacker and expose the sensitive data
the PKI was meant to protect.
Path building may be used to mount a denial of service (DOS) attack.
This might occur if multiple simple requests could be performed that
cause a server to perform a number of path developments, each taking
time and resources from the server. Servers can help avoid this by
limiting the resources they are willing to devote to path building,
<span class="grey">Cooper, et al. Informational [Page 74]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-75" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
and being able to further limit those resources when the load is
heavy. Standard DOS protections such as systems that identify and
block attackers can also be useful.
A DOS attack can be also created by presenting spurious CA
certificates containing very large public keys. When the system
attempts to use the large public key to verify the digital signature
on additional certificates, a long processing delay may occur. This
can be mitigated by either of two strategies. The first strategy is
to perform signature verifications only after a complete path is
built, starting from the trust anchor. This will eliminate the
spurious CA certificate from consideration before the large public
key is used. The second strategy is to recognize and simply reject
keys longer than a certain size.
A similar DOS attack can occur with very large public keys in end
entity certificates. If a system uses the public key in a
certificate before building and validating that certificate's
certification path, long processing delays may occur. To mitigate
this threat, the public key in an end entity certificate should not
be used for any purpose until a complete certification path for that
certificate is built and validated.
<span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>. Specific Considerations for Building Revocation Signer</span>
<span class="h3"> Certification Paths</span>
If the CRL Signer certificate (and certification path) is not
identical to the Certification Authority certificate (and
certification path), special care should be exercised when building
the CRL Signer certification path.
If special consideration is not given to building a CRL Signer
certification path, that path could be constructed such that it
terminates with a different root or through a different certification
path to the same root. If this behavior is not prevented, the
relying party may end up checking the wrong revocation data, or even
maliciously substituted data, resulting in denial of service or
security breach.
For example, suppose the following certification path is built for E
and is valid for an example "high assurance" policy.
A->B->C->E
When the building/validation routine attempts to verify that E is not
revoked, C is referred to as the Certification Authority certificate.
The path builder finds that the CRL for checking the revocation
status of E is issued by C2; a certificate with the subject name "C",
<span class="grey">Cooper, et al. Informational [Page 75]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-76" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
but with a different key than the key that was used to sign E. C2 is
referred to as the CRL Signer. An unrestrictive certification path
builder might then build a path such as the following for the CRL
Signer C2 certificate:
X->Y->Z->C2
If a path such as the one above is permitted, nothing can be
concluded about the revocation status of E since C2 is a different CA
from C.
Fortunately, preventing this security problem is not difficult and
the solution also makes building CRL Signer certification paths very
efficient. In the event the CRL Signer certificate is identical to
the Certification Authority certificate, the Certification Authority
certification path should be used to verify the CRL; no additional
path building is required. If the CRL Signer certificate is not
identical to the Certification Authority certificate, a second path
should be built for the CRL Signer certificate in exactly the same
fashion as for any certificate, but with the following additional
guidelines:
1. Trust Anchor: The CRL Signer's certification path should start
with the same trust anchor as the Certification Authority's
certification path. Any trust anchor certificate with a subject
DN matching that of the Certification Authority's trust anchor
should be considered acceptable though lower in priority than the
one with a matching public key and subject DN. While different
trust anchor public keys are acceptable at the beginning of the
CRL signer's certification path and the Certification Authority's
certification path, both keys must be trusted by the relying
party per the recommendations in <a href="#section-8.1">Section 8.1</a>.
2. CA Name Matching: The subject DNs for all CA certificates in the
two certification paths should match on a one-to-one basis
(ignoring self-issued certificates) for the entire length of the
shorter of the two paths.
3. CRL Signer Certification Path Length: The length of the CRL
Signer certification path (ignoring self-issued certificates)
should be equal to or less than the length of the Certification
Authority certification path plus (+) one. This allows a given
Certification Authority to issue a certificate to a
delegated/subordinate CRL Signer. The latter configuration
represents the maximum certification path length for a CRL Signer
certificate.
<span class="grey">Cooper, et al. Informational [Page 76]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-77" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
The reasoning behind the first guideline is readily apparent.
Lacking this and the second guideline, any trusted CA could issue
CRLs for any other CA, even if the PKIs are not related in any
fashion. For example, one company could revoke certificates issued
by another company if the relying party trusted the trust anchors
from both companies. The two guidelines also prevent erroneous CRL
checks since Global uniqueness of names is not guaranteed.
The second guideline prevents roaming certification paths such as the
previously described example CRL Signer certification path for
A->B->C->E. It is especially important that the "ignoring self-
issued certificates" is implemented properly. Self-issued
certificates are cast out of the one-to-one name comparison in order
to allow for key rollover. The path-building algorithm may be
optimized to only consider certificates with the acceptable subject
DN for the given point in the CRL Signer certification path while
building the path.
The third and final guideline ensures that the CRL used is the
intended one. Without a restriction on the length of the CRL Signer
certification path, the path could roam uncontrolled into another
domain and still meet the first two guidelines. For example, again
using the path A->B->C->E, the Certification Authority C, and a CRL
Signer C2, a CRL Signer certification path such as the following
could pass the first two guidelines:
A->B->C->D->X->Y->RogueCA->C2
In the preceding example, the trust anchor is identical for both
paths and the one-to-one name matching test passes for A->B->C.
However, accepting such a path has obvious security consequences, so
the third guideline is used to prevent this situation. Applying the
second and third guideline to the certification path above, the path
builder could have immediately detected this path was not acceptable
(prior to building it) by examining the issuer DN in C2. Given the
length and name guidelines, the path builder could detect that
"RogueCA" is not in the set of possible names by comparing it to the
set of possible CRL Signer issuer DNs, specifically, A, B, or C.
Similar consideration should be given when building the path for the
OCSP Responder certificate when the CA is the OCSP Response Signer or
the CA has delegated the OCSP Response signing to another entity.
<span class="grey">Cooper, et al. Informational [Page 77]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-78" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. Acknowledgements</span>
The authors extend their appreciation to David Lemire for his efforts
coauthoring "Managing Interoperability in Non-Hierarchical Public Key
Infrastructures" from which material was borrowed heavily for use in
the introductory sections.
This document has also greatly benefited from the review and
additional technical insight provided by Dr. Santosh Chokhani, Carl
Wallace, Denis Pinkas, Steve Hanna, Alice Sturgeon, Russ Housley, and
Tim Polk.
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. Normative References</span>
[<a id="ref-RFC3280">RFC3280</a>] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
X.509 Public Key Infrastructure Certificate and
Certificate Revocation List (CRL) Profile", <a href="./rfc3280">RFC 3280</a>,
April 2002.
<span class="h2"><a class="selflink" id="section-11" href="#section-11">11</a>. Informative References</span>
[<a id="ref-MINHPKIS">MINHPKIS</a>] Hesse, P., and D. Lemire, "Managing Interoperability in
Non-Hierarchical Public Key Infrastructures", 2002
Conference Proceedings of the Internet Society Network
and Distributed System Security Symposium, February 2002.
[<a id="ref-RFC1777">RFC1777</a>] Yeong, W., Howes, T., and S. Kille, "Lightweight
Directory Access Protocol", <a href="./rfc1777">RFC 1777</a>, March 1995.
[<a id="ref-RFC2560">RFC2560</a>] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C.
Adams, "X.509 Internet Public Key Infrastructure Online
Certificate Status Protocol - OCSP", <a href="./rfc2560">RFC 2560</a>, June 1999.
[<a id="ref-RFC2587">RFC2587</a>] Boeyen, S., Howes, T., and P. Richard, "Internet X.509
Public Key Infrastructure LDAPv2 Schema", <a href="./rfc2587">RFC 2587</a>, June
1999.
[<a id="ref-RFC3377">RFC3377</a>] Hodges, J. and R. Morgan, "Lightweight Directory Access
Protocol (v3): Technical Specification", <a href="./rfc3377">RFC 3377</a>,
September 2002.
[<a id="ref-RFC3820">RFC3820</a>] Tuecke, S., Welch, V., Engert, D., Pearlman, L., and M.
Thompson, "Internet X.509 Public Key Infrastructure (PKI)
Proxy Certificate Profile", <a href="./rfc3820">RFC 3820</a>, June 2004.
[<a id="ref-RFC3986">RFC3986</a>] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, <a href="./rfc3986">RFC</a>
<a href="./rfc3986">3986</a>, January 2005.
<span class="grey">Cooper, et al. Informational [Page 78]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-79" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
[<a id="ref-X.501">X.501</a>] ITU-T Recommendation X.501: Information Technology - Open
Systems Interconnection - The Directory: Models, 1993.
[<a id="ref-X.509">X.509</a>] ITU-T Recommendation X.509 (2000 E): Information
Technology - Open Systems Interconnection - The
Directory: Authentication Framework, March 2000.
[<a id="ref-PKIXALGS">PKIXALGS</a>] Bassham, L., Polk, W. and R. Housley, "Algorithms and
Identifiers for the Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation
Lists (CRL) Profile", <a href="./rfc3279">RFC 3279</a>, April 2002.
[<a id="ref-CERTSTORE">CERTSTORE</a>] P. Gutmann, "Internet X.509 Public Key Infrastructure
Operational Protocols: Certificate Store Access via
HTTP", Work in Progress, August 2004.
<span class="grey">Cooper, et al. Informational [Page 79]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-80" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
Authors' Addresses
Matt Cooper
Orion Security Solutions, Inc.
1489 Chain Bridge Rd, Ste. 300
McLean, VA 22101, USA
Phone: +1-703-917-0060
EMail: mcooper@orionsec.com
Yuriy Dzambasow
A&N Associates, Inc.
999 Corporate Blvd Ste. 100
Linthicum, MD 21090, USA
Phone: +1-410-859-5449 x107
EMail: yuriy@anassoc.com
Peter Hesse
Gemini Security Solutions, Inc.
4451 Brookfield Corporate Dr. Ste. 200
Chantilly, VA 20151, USA
Phone: +1-703-378-5808 x105
EMail: pmhesse@geminisecurity.com
Susan Joseph
Van Dyke Technologies
6716 Alexander Bell Drive
Columbia, MD 21046
EMail: susan.joseph@vdtg.com
Richard Nicholas
BAE Systems Information Technology
141 National Business Parkway, Ste. 210
Annapolis Junction, MD 20701, USA
Phone: +1-301-939-2722
EMail: richard.nicholas@it.baesystems.com
<span class="grey">Cooper, et al. Informational [Page 80]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-81" ></span>
<span class="grey"><a href="./rfc4158">RFC 4158</a> Certification Path Building September 2005</span>
Full Copyright Statement
Copyright (C) The Internet Society (2005).
This document is subject to the rights, licenses and restrictions
contained in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a>, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and <a href="https://www.rfc-editor.org/bcp/bcp79">BCP 79</a>.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
<a href="http://www.ietf.org/ipr">http://www.ietf.org/ipr</a>.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Cooper, et al. Informational [Page 81]
</pre>
|
