The following, written by Tim Polk, appeared on the ietf-pkix list just recently. Might be of interest, no?

> Folks,
>
> NIST, NSA, Getronics, and Cygnacom Solutions have collaborated to develop
> an initial test suite for X.509 path validation. We have created
> seventy-six test paths consisting of X.509 v3 certificates and the
> corresponding X.509 v2 CRLs.
>
> The tests cover the fields in the base certificate and four extensions:
> basic constraints, key usage, certificate policies, and policy constraints.
> At a minimum, implementations must support basic constraints and key usage.
> If these extensions are not supported, the implementation will not be able
> to process any of the tests.
>
> The test data is available at
> http://csrc.nist.gov/pki/testing/x509paths.html in three different forms.
> You can download all the paths in a compressed tar file, a zip file, or as
> a self-extracting executable. We provide the end entity private keys so
> that you can perform "live" testing with your applications; we also provide
> CMS signed-data messages for use with S/MIME V3 code.
>
> The certificates and CRLs necessary to perform the tests can also be
> retrieved using LDAP. The directory is on the machine seclab7.ncsl.nist.gov
> (129.6.20.35) and can be accessed using port 389. The schema specified in
> RFC 2587 was used to place the certificates and CRL in the directory.
>
> This test suite is considered a first step. We hope in the future to test
> all the features which are MUSTs or SHOULDs in RFC 2459 or its successor.
> At the moment, though, the tests are limited to the four extensions
> identified above. We also make certain limiting assumptions:
> * Certificate serial numbers are always positive in these tests.
> * Distinguished names only include the attribute types c, o, ou, and cn,
>   and all of the attribute values are of type PrintableString.
> * All certificates are signed with PKCS #1 RSA and SHA-1.
>
> At a minimum, we need to add UTF8String in some DNs. Additional algorithms
> would also be nice. We will need to cover additional extensions. Another
> goal would be to map every path to the set of path validation processing
> steps described in son-of-2459.
>
> We are extremely interested in your feedback on the tests. How can we make
> the tests more useful besides extending the range of functionality? For
> instance, would the tests be more useful in some other format?
>
> David Copper at NIST is the primary contact for comments, questions, or
> suggestions on the evolution of this test suite. His email address is
> [EMAIL PROTECTED]
>
> Thanks,
>
> Tim Polk

--
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken \      SWEDEN       \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
[Fwd: X.509 path validation test suite]
Richard Levitte - VMS Whacker Thu, 25 Jan 2001 01:13:07 -0800
