The certification path validation algorithm is the algorithm which verifies that a given certificate path is valid under a given public key infrastructure (PKI). A path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted certificate authority (CA).
Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. For example, in a hierarchical PKI, a certificate chain starting with a web server certificate might lead to a small CA, then to an intermediate CA, then to a large CA whose trust anchor is present in the relying party's web browser. In a bridged PKI, a certificate chain starting with a user at Company A might lead to Company A's CA certificate, then to a bridge CA, then to Company B's CA certificate, then to Company B's trust anchor, which a relying party at Company B could trust.
RFC 5280 defines a standardized path validation algorithm for X.509 certificates, given a certificate path. (Path discovery, the actual construction of a path, is not covered.) The algorithm takes the following inputs:
- The certificate path to be evaluated;
- The current date/time;
- The list of certificate policy object identifiers (OIDs) acceptable to the relying party (or any);
- The trust anchor of the certificate path; and
- Indicators of whether policy mapping is allowed and how/when/whether the "any" policy OID is to be tolerated.
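The following is an added, constructed example (not from Wikipedia or from this page) showing how those inputs drive the checks: a toy path validator that models certificates as plain Python objects and walks the path from the trust anchor down to the subject certificate, checking name chaining, the signature, the validity period, basicConstraints with pathLenConstraint, and the certificate policy intersection. The signature is modelled with an HMAC keyed by the issuer's key material so the example runs offline; real X.509 uses an asymmetric signature over the TBSCertificate, but the shape of the check is the same. The certificate names, the policy OID under the private-enterprise arc and the key bytes are all made-up sample values; the anyPolicy OID is the real one from RFC 5280.

```python
"""Toy model of RFC 5280 certification path validation (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

ANY_POLICY = "2.5.29.32.0"            # the anyPolicy OID defined in RFC 5280
POLICY_A = "1.3.6.1.4.1.99999.1"      # constructed sample policy OID (placeholder)


@dataclass
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    is_ca: bool                       # basicConstraints cA flag
    path_len: Optional[int]           # pathLenConstraint; None = no limit
    policies: frozenset               # certificatePolicies OIDs
    key: bytes                        # toy key material standing in for a key pair
    signature: bytes = b""

    def tbs(self) -> bytes:
        # deterministic "to-be-signed" serialisation of the certificate fields
        return "|".join([self.subject, self.issuer, self.not_before.isoformat(),
                         self.not_after.isoformat(), str(self.is_ca), str(self.path_len),
                         ",".join(sorted(self.policies)), self.key.hex()]).encode()


def sign(cert: Cert, issuer: Cert) -> Cert:
    # Toy signature: HMAC under the issuer's key (asymmetric in real X.509).
    cert.signature = hmac.new(issuer.key, cert.tbs(), hashlib.sha256).digest()
    return cert


def signature_ok(cert: Cert, issuer: Cert) -> bool:
    expected = hmac.new(issuer.key, cert.tbs(), hashlib.sha256).digest()
    return hmac.compare_digest(cert.signature, expected)


def validate_path(path, now, acceptable_policies, trust_anchor, allow_any_policy=True):
    """path is subject-first and excludes the trust anchor (a separate input).
    Processing runs anchor -> subject, as in RFC 5280 section 6. Returns (valid, reason)."""
    chain = list(reversed(path))
    parent = trust_anchor
    # working policy set; None means the relying party accepts any policy
    valid_policies = None if ANY_POLICY in acceptable_policies else set(acceptable_policies)
    max_remaining = None                  # tightest pathLenConstraint seen so far
    for i, cert in enumerate(chain):
        is_subject = (i == len(chain) - 1)
        if cert.issuer != parent.subject:
            return False, f"{cert.subject}: issuer name does not chain to {parent.subject}"
        if not signature_ok(cert, parent):
            return False, f"{cert.subject}: signature does not verify under {parent.subject}"
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject}: not valid at {now.isoformat()}"
        if not is_subject:
            if not cert.is_ca:
                return False, f"{cert.subject}: intermediate is not a CA"
            if max_remaining is not None and max_remaining <= 0:
                return False, f"{cert.subject}: exceeds pathLenConstraint"
            if max_remaining is not None:
                max_remaining -= 1        # this intermediate consumes one step
            if cert.path_len is not None and (max_remaining is None or cert.path_len < max_remaining):
                max_remaining = cert.path_len
        # policy processing: a tolerated anyPolicy leaves the working set unchanged
        if ANY_POLICY in cert.policies and allow_any_policy:
            pass
        elif valid_policies is None:
            valid_policies = set(cert.policies) - {ANY_POLICY}
        else:
            valid_policies &= cert.policies
        parent = cert
    if ANY_POLICY not in acceptable_policies and not valid_policies:
        return False, "no certificate policy acceptable to the relying party survives the path"
    return True, "path valid"


def _t(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# constructed sample hierarchy: self-signed anchor -> issuing CA (pathLen 0) -> server cert
ROOT = sign(Cert("Example Root CA", "Example Root CA", _t(2020, 1, 1), _t(2040, 1, 1),
                 True, None, frozenset({ANY_POLICY}), b"root-key"), None) if False else None
ROOT = Cert("Example Root CA", "Example Root CA", _t(2020, 1, 1), _t(2040, 1, 1),
            True, None, frozenset({ANY_POLICY}), b"root-key")
sign(ROOT, ROOT)
INTER = sign(Cert("Example Issuing CA", "Example Root CA", _t(2021, 1, 1), _t(2031, 1, 1),
                  True, 0, frozenset({POLICY_A}), b"inter-key"), ROOT)
LEAF = sign(Cert("www.example.com", "Example Issuing CA", _t(2024, 1, 1), _t(2025, 1, 1),
                 False, None, frozenset({POLICY_A}), b"leaf-key"), INTER)
SUB = sign(Cert("Example Sub CA", "Example Issuing CA", _t(2022, 1, 1), _t(2030, 1, 1),
                True, None, frozenset({POLICY_A}), b"sub-key"), INTER)
LEAF2 = sign(Cert("mail.example.com", "Example Sub CA", _t(2024, 1, 1), _t(2025, 1, 1),
                  False, None, frozenset({POLICY_A}), b"leaf2-key"), SUB)
ROGUE = Cert("Example Root CA", "Example Root CA", _t(2020, 1, 1), _t(2040, 1, 1),
             True, None, frozenset({ANY_POLICY}), b"rogue-key")
sign(ROGUE, ROGUE)


def demo():
    now = _t(2024, 6, 1)
    return {
        "valid": validate_path([LEAF, INTER], now, {ANY_POLICY}, ROOT),
        "expired": validate_path([LEAF, INTER], _t(2026, 1, 1), {ANY_POLICY}, ROOT),
        "wrong_anchor": validate_path([LEAF, INTER], now, {ANY_POLICY}, ROGUE),
        "policy_mismatch": validate_path([LEAF, INTER], now, {"1.3.6.1.4.1.99999.2"}, ROOT),
        "too_long": validate_path([LEAF2, SUB, INTER], now, {ANY_POLICY}, ROOT),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:16} {'OK ' if ok else 'FAIL'} {why}")
```

Each entry in `demo()` exercises one of the inputs from the list: the current time (an expired subject certificate), the trust anchor (a same-named anchor with different key material, which fails the signature check rather than the name check), the acceptable policy set (an OID the path never asserts), and the chain shape (a second CA beneath an issuing CA whose pathLenConstraint is 0).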
Courtesy of Wikipedia
Cumberland Computer Services., LLC
205-467-4055
https://cumberlandcomputerservices.com/