Delegated Path Validation

Delegated Path Validation (DPV) is a cryptographic method used to offload the task of validating the certification path of digital certificates from the client to a trusted server. This process is integral to various security protocols that rely on Public Key Infrastructure (PKI). DPV aim to enhance the efficiency of certification path validation by leveraging a server dedicated to this task, which provides validation results to the client. This approach is particularly useful in resource-constrained environments where clients may not have the computational power to perform extensive certificate validation themselves.^[1]

Certificate path validation[edit]

Certificate path validation is a crucial process in PKI that ensures the authenticity and trustworthiness of a digital certificate. This process is standardized in RFC 5280 and involves verifying a chain of certificates, starting from the certificate being validated (the end-entity certificate) up to a trusted root certificate authority (CA).^[2] The validation process includes several key steps:

Building the Path: The client constructs a path from the end-entity certificate to a trusted root certificate by following the chain of issuer and subject fields in each certificate.
Checking Signatures: Each certificate in the chain is checked to ensure that it is correctly signed by its issuer, verifying the integrity and authenticity of each certificate.
Verifying Expiration Dates: The validity period of each certificate is checked to ensure none of the certificates in the path are expired.
Checking Revocation Status: Each certificate is checked against Certificate Revocation List (CRL) or online status protocols (such as OCSP) to ensure it has not been revoked.
Applying Policies: Any additional policies specified by the relying party are applied to ensure the certificate path complies with required security standards and practices.

If all these checks are successfully passed, the certificate path is considered valid, and the end-entity certificate can be trusted.^[2]

Validation policy[edit]

DPV allows a server to handle the entire process of path validation based on a set of predefined rules known as a validation policy. ^[1] This policy may involve multiple trust anchors. A trust anchor is characterized by a public key, a Certificate Authority (CA) name, and a validity period; it may also have additional constraints.^[3] A self-signed certificate can be used to designate the public key, issuer name, and the validity period for a trust anchor. Additional constraints for trust anchors can be defined, such as certification policy constraints or naming constraints. These constraints can also be part of self-signed certificates. For successful path validation, a valid certification path must be established between the end-entity certificate and a trust anchor, ensuring that none of the certificates in the path are expired or revoked, and all constraints on the path must be met.^[1] A validation policy consists of three main components:

Certification path requirements: These define the sequence of trust anchors needed to start the certification path processing and the initial conditions for validation.
Revocation requirements: These specify the checks needed on the end-entity and CA certificates to ensure they have not been revoked.
End-entity certificate specific requirements: These may require the end-entity certificate to include specific extensions with certain types or values.

Protocol requirements[edit]

RFC 3379 specifies several key requirements to ensure effective and secure delegated path validation.

Firstly, if a client requests a specific validation policy that the DPV server does not support, the server must return an error. This ensures that the client is aware that the requested policy cannot be applied. If the client does not specify a validation policy, the server must indicate which validation policy was used in the response. This transparency allows clients to understand the basis on which the validation was performed.^[1]

Validation policies can be complex and may include parameters such as root self-signed certificates. The DPV protocol must allow clients to include these policy-dependent parameters in their requests. However, it is expected that most clients will either reference a validation policy suitable for their application or accept the DPV server's default validation policy.^[1]

Clients can also request that the DPV server determines the certificate's validity at a specific time other than the current time. In such cases, the server must obtain revocation status information relevant to the specified validation time. If the necessary revocation status information is unavailable, the server must return a status indicating that the certificate is invalid, possibly providing additional details about the reason for invalidity.^[1]

For the validation to proceed, the certificate must be either directly provided in the request or unambiguously referenced by details such as the CA distinguished name, certificate serial number, and certificate hash. This ensures that the correct certificate is validated.^[1]

The DPV client must be capable of providing the validation server with useful certificates and revocation information related to each certificate being validated. This includes OCSP responses, CRLs, and delta CRLs, which are critical for checking the current status of certificates.^[1]

The DPV server must have access to the certificate that needs validation. If the certificate is not provided in the request, the server must obtain it and verify that it matches the reference provided by the client. In the response, the server must include either the certificate or a clear reference to it, especially in cases involving CA key compromises.^[1]

The response from the DPV server must indicate one of the following statuses:

The certificate is valid according to the validation policy.
The certificate is not valid according to the validation policy.
The validity of the certificate is unknown according to the validation policy.
The validity could not be determined due to an error.

If the certificate is not valid, the server must also provide the reason for this determination. Common reasons include the inability to construct a certification path, the constructed path failing the validation algorithm, or the certificate not being valid at the requested time, such as before its validity period begins or during a suspension.^[1]

Additionally, the DPV protocol must allow clients to request that the server includes extra information in its response. This extra information helps relying parties who do not trust the DPV server to be confident that the certificate validation was performed correctly. The DPV response must be bound to the DPV request, which can be achieved by including a one-way hash of the request in the response. This binding ensures that all request parameters were considered in building the response.^[1]

To ensure the client trusts the DPV server, the response must be authenticated. For the client to prove to third parties that the certificate validation was handled correctly, the DPV response must be digitally signed, except when reporting an error. The DPV server's certificate must authenticate the server, adding another layer of trust and security to the validation process.^[1]

Relaying, Re-direction and Multicasting[edit]

In certain network environments, particularly those with firewalls, a DPV server may encounter difficulties in obtaining all the necessary information to process a validation request. To address this, a DPV server can be configured to leverage the services of other DPV servers. In such scenarios, the client remains unaware that the primary DPV server is utilizing additional servers to fulfill the request. Essentially, the primary DPV server acts as a client to another DPV server, facilitating a more comprehensive validation process. Unlike end clients, DPV servers typically have more substantial computing and memory resources, enabling them to employ relaying, re-direction, or multicasting mechanisms.^[1]

The protocols designed to support these operations may include optional fields and extensions to facilitate relaying, re-direction, or multicasting between DPV servers. However, it is not expected that DPV clients will support these features. If a protocol incorporates such functionalities, it must also provide mechanisms to ensure compatibility with DPV clients and servers that do not support these advanced features, ensuring adherence to the basic protocol requirements.^[1]

Security implications[edit]

The DPV protocol must incorporate mechanisms to prevent replay attacks, ensuring that malicious entities cannot reuse validation requests to gain unauthorized access.^[1] Importantly, this replay prevention must not depend on synchronized clocks between the client and server, which can be a vulnerability if clocks are not accurately aligned.^[4]

When a certificate is validated successfully according to the specified policy, the DPV server should include this information in the response if requested by the client. However, if the certificate is found to be invalid or if the server cannot determine its validity, the server may choose to omit this information to avoid unnecessary disclosure of potentially sensitive details.^[1]

The revocation status information used by the DPV server pertains to the validation time specified in the client's request. This validation time might differ from the actual time when the certificate's private key was used to sign a document or transaction.^[1] Therefore, the DPV client should adjust the validation time to account for several delays:

The time it takes for the certificate holder (end-entity) to realize that their private key has been or might be compromised.
The time needed for the end-entity to report the key compromise to the relevant authorities.
The time required for the revocation authority to process the revocation request submitted by the end-entity.
The time taken by the revocation authority to update and distribute the new revocation status information.

By considering these factors, the DPV protocol try to ensure that the revocation status information accurately reflects the current validity of the certificate, enhancing the overall security and reliability of the validation process.^[1]

References[edit]

^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ ^j ^k ^l ^m ⁿ ^o ^p ^q ^r RFC 3379 (September 2002), chapter 4, Delegated Path Validation and Delegated Path Discovery Protocol Requirements.
^ ^a ^b RFC 5280 (May 2008), chapter 6, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
^ Ma, Zane; Austgen, James; Mason, Joshua; Durumeric, Zakir; Bailey, Michael (2021-11-02). "Tracing your roots: exploring the TLS trust anchor ecosystem". Proceedings of the 21st ACM Internet Measurement Conference. IMC '21. New York, NY, USA: Association for Computing Machinery: 179–194. doi:10.1145/3487552.3487813. ISBN 978-1-4503-9129-0.
^ Syverson, P. (1994). "A taxonomy of replay attacks [cryptographic protocols]". Proceedings The Computer Security Foundations Workshop VII. IEEE Comput. Soc. Press: 187–191. doi:10.1109/CSFW.1994.315935. ISBN 978-0-8186-6230-0.

External links[edit]

"Distributed delegated path discovery and validation". Google Patents. Retrieved 2024-07-09.
Braun, William. "Certification Path Validation". docs.hidglobal.com. Retrieved 2024-07-11.

[RFC3379-1] ^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ ^j ^k ^l ^m ⁿ ^o ^p ^q ^r RFC 3379 (September 2002), chapter 4, Delegated Path Validation and Delegated Path Discovery Protocol Requirements.

[RFC5280-2] RFC 5280 (May 2008), chapter 6, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

[3] Ma, Zane; Austgen, James; Mason, Joshua; Durumeric, Zakir; Bailey, Michael (2021-11-02). "Tracing your roots: exploring the TLS trust anchor ecosystem". Proceedings of the 21st ACM Internet Measurement Conference. IMC '21. New York, NY, USA: Association for Computing Machinery: 179–194. doi:10.1145/3487552.3487813. ISBN 978-1-4503-9129-0.

[4] Syverson, P. (1994). "A taxonomy of replay attacks [cryptographic protocols]". Proceedings The Computer Security Foundations Workshop VII. IEEE Comput. Soc. Press: 187–191. doi:10.1109/CSFW.1994.315935. ISBN 978-0-8186-6230-0.

[1]

[2]

[3]

[4]