Hello Vineet:

On October 15, 2008 02:40:52 pm Vineet Kumar wrote:
> I was browsing through NIST's "Conformance Testing of Relying Party
> Client Certificate Path Processing Logic" document where I am not
> sure whether "Test 19" has the correct conformance expectation:
> --- Test 19 ---
> The following path should not be successfully validated; it contains a
> path without revocation data:
> Trust Anchor CP.01.01, Trust Anchor CRL CP.01.01, Intermediate
> Certificate CP.05.01, End Certificate CP.05.01
> ----
>

So - what the chain is, is:

Trust Anchor (with a CRL that could have the Intermediate Cert in it)
Intermediate Cert (with *no* CRL that could have the end certificate in it)
End Certificate.

> What the above test-case says is the following:
> 1. There is a 3 level cert-chain:
>    TrustAnchor(root) --> IntermediateCert#37 --> EndCert#38
> 2. There is a CRL signed by the same root as above and having only one
>    entry: that of an intermediate CA Ca1-06.01(#39) not part of the above
>    chain.
>
> But then this is what RFC3280 (Certs & CRL Policies) says:
>
>   6.3.2 Initialization and Revocation State Variables
>   .......
>   (b) cert_status: ..... This variable is initialized to the
>       special value UNREVOKED.
>
>   6.3.3 CRL Processing
>
>   This algorithm begins by assuming the certificate is not revoked.
>   The algorithm checks one or more CRLs until either the certificate
>   status is determined to be revoked or sufficient CRLs have been
>   checked to cover all reason codes.
>
> Taking the snips from sections 6.3.2 and 6.3.3 above, it is evident
> that absence of a cert's entry from the CRL means accept the cert. But
> the doc says reject it because "it contains a path without
> revocation data". What am I missing?
>

Well, as I hinted at above, there is no revocation information available for the end certificate itself (the Intermediate Certificate is not publishing a CRL). Thus, if you are using strict revocation information checking, the above chain should fail, because you can't look up the status of the end certificate.

If you want a good example of code for a PDVal tool that implements all of the tests in the NIST suite, please take a look at Pathfinder - it's available at:

http://www.carillon.ca/tools.php

Have fun.

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
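A small model of the point made above, added here as an example (not code from this thread, from OpenSSL, or from Pathfinder): CRL coverage in RFC 3280 6.3.3 is per issuer, so the root's CRL says nothing about the end certificate, and under strict checking Test 19 fails. The `Cert`/`CRL` records, `cert_status` and `validate_path` are constructed for illustration; the serials 37, 38 and 39 follow the test description quoted above.

```python
from dataclasses import dataclass

# RFC 3280 6.3.2 starts cert_status at UNREVOKED; UNDETERMINED is this
# example's own marker for "no CRL from this certificate's issuer was found".
UNREVOKED, REVOKED, UNDETERMINED = "UNREVOKED", "REVOKED", "UNDETERMINED"

@dataclass(frozen=True)
class Cert:
    name: str
    issuer: str   # name of the CA that issued this certificate
    serial: int

@dataclass(frozen=True)
class CRL:
    issuer: str                       # CA that signed this CRL
    revoked: frozenset = frozenset()  # serials listed as revoked

def cert_status(cert, crls):
    """RFC 3280 6.3.3 in miniature: only CRLs signed by the certificate's
    own issuer can speak to its status. Absence from an unrelated CRL
    (e.g. the root's CRL for an end certificate) is not an answer."""
    issuer_crls = [c for c in crls if c.issuer == cert.issuer]
    if not issuer_crls:
        return UNDETERMINED
    status = UNREVOKED
    for crl in issuer_crls:
        if cert.serial in crl.revoked:
            status = REVOKED
    return status

def validate_path(path, crls, strict=True):
    """path lists the certificates below the trust anchor, leaf last.
    Strict checking rejects any certificate whose status is undetermined."""
    statuses = {c.name: cert_status(c, crls) for c in path}
    ok = all(s == UNREVOKED or (s == UNDETERMINED and not strict)
             for s in statuses.values())
    return ok, statuses

# Constructed data mirroring NIST Test 19 as described in the thread
TRUST_ANCHOR = "Trust Anchor CP.01.01"
INTERMEDIATE = Cert("Intermediate Certificate CP.05.01", TRUST_ANCHOR, 37)
END_CERT = Cert("End Certificate CP.05.01", INTERMEDIATE.name, 38)
# The root's CRL lists only the unrelated CA (#39); the intermediate publishes none
TEST19_CRLS = [CRL(issuer=TRUST_ANCHOR, revoked=frozenset({39}))]
TEST19_PATH = [INTERMEDIATE, END_CERT]

if __name__ == "__main__":
    print(validate_path(TEST19_PATH, TEST19_CRLS))  # strict: (False, {...})
```

Adding a CRL issued by the intermediate (even an empty one) is what turns the undetermined status into UNREVOKED and lets the path validate.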
