Path Discovery and Validation Working Group

Path Discovery & Validation Mission Statement

The Path Discovery and Validation Working Group (PD-Val WG) is a working group of the Federal PKI Policy Authority. Its mission is to make recommendations to the Federal PKI (FPKI) community on infrastructure and desktop solutions that will facilitate bridge-enabled certificate validation. Recommendations are based on the applicant's test results received from the FPKI Lab.

What is Path Discovery & Validation?

Certificate validation consists of two phases: trust path discovery and trust path validation. Trust path discovery is the process of discovering a chain of cross-certificates and CA certificates running from the relying party's trust anchor to the end-entity's certificate. A trust path may be discovered dynamically each time as needed or it may be constructed once and stored (or "cached"); PDVAL products may vary in how they choose to implement this operation. Trust path validation is the process of examining each certificate that comprises the trust path and consulting the issuing CA's CRL or OCSP responder to determine each certificate's validity status at that moment. It is expected that even if a trust path is cached, all certificates in the trust path are validated in real-time at the beginning of each transaction.
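The two phases described above, as an added illustration that is not code from the FPKI Policy Authority, the PD-Val WG or any evaluated product. Certificates are reduced to the fields path processing needs (subject, issuer, serial, validity period, CA flag), the CA names, serials and dates are constructed, and a per-CA set of revoked serials stands in for each issuing CA's CRL or OCSP responder. It shows discovery from the end entity back to the trust anchor across a cross-certified bridge (where every CA pair is certified in both directions, so a naive walk loops), caching of the discovered path, and the real-time re-validation of every certificate on the cached path at each transaction that the text calls for:

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    is_ca: bool = True


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed bridge mesh: AgencyA-Root <-> Bridge <-> AgencyB-CA -> end entity.
# Each CA pair is cross-certified in BOTH directions, which is what makes a
# bridge environment a cyclic graph rather than a simple hierarchy.
CERTS = [
    Cert("AgencyA-Root", "AgencyA-Root", 1, utc(2008, 1, 1), utc(2028, 1, 1)),  # self-signed anchor
    Cert("Bridge", "AgencyA-Root", 2, utc(2008, 1, 1), utc(2028, 1, 1)),        # A cross-certifies Bridge
    Cert("AgencyA-Root", "Bridge", 3, utc(2008, 1, 1), utc(2028, 1, 1)),        # Bridge cross-certifies A
    Cert("AgencyB-CA", "Bridge", 4, utc(2008, 1, 1), utc(2028, 1, 1)),          # Bridge cross-certifies B
    Cert("Bridge", "AgencyB-CA", 5, utc(2008, 1, 1), utc(2028, 1, 1)),          # B cross-certifies Bridge
    Cert("alice@agencyb.example", "AgencyB-CA", 6, utc(2010, 1, 1), utc(2013, 1, 1), is_ca=False),
]
EE = CERTS[-1]
# Revoked serials per issuing CA: the stand-in for each CA's CRL / OCSP responder.
REVOKED = {"AgencyA-Root": set(), "Bridge": set(), "AgencyB-CA": set()}


def discover_path(ee, anchor_name, certs=CERTS):
    """Trust path discovery, walking from the end entity back toward the
    relying party's trust anchor over CA and cross-certificates.  Returns
    [ee, ..., certificate issued by the anchor] or None.  A candidate whose
    issuer is already a subject on the partial path is skipped, so the
    bidirectional cross-certificates above cannot send the search into a loop."""
    queue = deque([[ee]])
    while queue:
        path = queue.popleft()
        last = path[-1]
        if last.issuer == anchor_name:
            return path
        on_path = {c.subject for c in path}
        for cand in certs:
            if (cand.subject == last.issuer and cand.is_ca
                    and cand.subject != cand.issuer and cand.issuer not in on_path):
                queue.append(path + [cand])
    return None


def validate_path(path, anchor_name, now, revoked=REVOKED):
    """Trust path validation at time `now`: name chaining, CA-ness of every
    intermediate, and the validity period and revocation status of EVERY
    certificate on the path."""
    if not path or path[-1].issuer != anchor_name:
        return False, "path does not terminate at the trust anchor"
    for i, cert in enumerate(path):
        if i > 0 and not cert.is_ca:
            return False, f"{cert.subject} is not a CA certificate"
        if i + 1 < len(path) and cert.issuer != path[i + 1].subject:
            return False, f"{cert.subject} is not issued by {path[i + 1].subject}"
        if not cert.not_before <= now <= cert.not_after:
            return False, f"{cert.subject} (serial {cert.serial}) is outside its validity period"
        if cert.serial in revoked.get(cert.issuer, set()):
            return False, f"{cert.subject} (serial {cert.serial}) is revoked by {cert.issuer}"
    return True, "valid"


def validate_transaction(ee, anchor_name, now, cache):
    """One relying-party transaction: reuse a cached path if there is one,
    but always re-run validation so a revocation that happened after the
    path was discovered is still caught."""
    key = (ee.issuer, ee.serial)
    path = cache.get(key)
    if path is None:
        path = discover_path(ee, anchor_name)
        if path is None:
            return False, "no trust path to the trust anchor"
        cache[key] = path
    return validate_path(path, anchor_name, now)


if __name__ == "__main__":
    cache = {}
    print(validate_transaction(EE, "AgencyA-Root", utc(2012, 6, 1), cache))   # (True, 'valid')
    REVOKED["AgencyA-Root"].add(2)   # AgencyA revokes its cross-certificate to the Bridge
    print(validate_transaction(EE, "AgencyA-Root", utc(2012, 6, 1), cache))   # cached path, now rejected
```

The search is breadth-first, so the shortest path wins; a real product also has to weigh policy mapping, name constraints and the validity of each candidate before committing to a branch, none of which this model carries. The second transaction in the `__main__` block is the point of the text's last sentence: the cached path is reused for discovery, but the revocation of serial 2 is seen because validation is rerun against the CA's current revocation data.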

Path Discovery & Validation Testing

The Public Key Interoperability Test Suite (PKITS) is a comprehensive X.509 path test suite developed by NIST in conjunction with BAE Systems and NSA. The PKITS path discovery and validation test suite checks that vendor products and/or services implement path processing as specified in RFC 3280 and that they work in a bridge environment. The list of approved products and services is published separately.

Federal PKI Hint List

The Federal PKI Policy Authority has established a "hint list" to assist the user in selecting an appropriate credential. The hint list only steers that selection; the credential is finally accepted only if a trust path can be discovered from it to a trust anchor on the "trust list" and that certificate path validates.

The "hint list" is a list of Certificate Authority (CA) names (i.e., issuer DNs). When PKI-based client authentication is required, the web server sends it to the user's browser in the CertificateRequest message during SSL/TLS session establishment.
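How the hint list is carried on the wire and used on both ends, as an added example that is not code from the FPKI Policy Authority or from the Bridge-Enabling Web Servers document. It builds a TLS 1.2 CertificateRequest body (RFC 5246 section 7.4.4) whose `certificate_authorities` field holds DER-encoded issuer names, parses the list back out as a browser would, and picks the client credential whose chain contains a hinted issuer. The CA names and the browser's certificate inventory are constructed; the `rsa_sign` certificate type and the single sha256/rsa signature algorithm are assumed for the example; the DER encoder supports only the C, O, OU and CN attributes and renders names in DER order (not RFC 4514 reverse order):

```python
import struct

# DER content of the X.500 attribute-type OIDs this example supports (2.5.4.x).
OID = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}
OID_NAME = {v: k for k, v in OID.items()}
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")
RSA_SIGN = 1                 # ClientCertificateType rsa_sign (assumed for the example)
SHA256_RSA = b"\x04\x01"     # SignatureAndHashAlgorithm {sha256, rsa} (assumed for the example)


def tlv(tag, content):
    """DER tag-length-value, definite length in short or long form."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + content


def encode_name(rdns):
    """X.501 Name as DER: SEQUENCE of single-valued RDNs (SET of one
    AttributeTypeAndValue), in the order given, e.g. [("C","US"),("CN","X")]."""
    body = b""
    for attr, value in rdns:
        string_tag = 0x13 if set(value) <= PRINTABLE else 0x0C   # PrintableString / UTF8String
        atv = tlv(0x30, tlv(0x06, OID[attr]) + tlv(string_tag, value.encode()))
        body += tlv(0x31, atv)
    return tlv(0x30, body)


def read_tlv(buf, pos):
    """Return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_name(der):
    """Inverse of encode_name; renders 'C=US,O=...,CN=...' in DER order."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a DER Name")
    parts, pos = [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)
        _, atv, _ = read_tlv(rdn, 0)
        _, oid, p = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, p)
        parts.append(f"{OID_NAME[oid]}={value.decode()}")
    return ",".join(parts)


def build_certificate_request(hint_list):
    """Server side: TLS 1.2 CertificateRequest body with the hint list in
    certificate_authorities.  The 4-byte handshake header is not included."""
    types = bytes([1, RSA_SIGN])
    sig_algs = struct.pack("!H", len(SHA256_RSA)) + SHA256_RSA
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in map(encode_name, hint_list))
    return types + sig_algs + struct.pack("!H", len(cas)) + cas


def parse_certificate_authorities(msg):
    """Client side: pull the DN list back out of a CertificateRequest body."""
    pos = 1 + msg[0]                                        # certificate_types<1..2^8-1>
    pos += 2 + struct.unpack("!H", msg[pos:pos + 2])[0]     # supported_signature_algorithms
    total = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos, end, names = pos + 2, pos + 2 + total, []
    while pos < end:
        n = struct.unpack("!H", msg[pos:pos + 2])[0]
        names.append(decode_name(msg[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return names


def select_credential(client_certs, hint_names):
    """Client side: offer the first credential whose chain contains a hinted
    issuer.  The hint only steers the choice; the server still has to discover
    and validate a path to an anchor on its trust list before accepting it."""
    for cert in client_certs:
        if any(issuer in hint_names for issuer in cert["chain_issuers"]):
            return cert
    return None


# Constructed data: two hinted CA names and a browser holding two client certs.
HINT_LIST = [
    [("C", "US"), ("O", "U.S. Government"), ("OU", "FPKI"), ("CN", "Example Bridge CA")],
    [("C", "US"), ("O", "U.S. Government"), ("OU", "Example Agency"), ("CN", "Example Agency CA")],
]
CLIENT_CERTS = [
    {"subject": "CN=Personal Web Cert", "chain_issuers": ["C=US,O=Example Corp,CN=Example Corp Issuing CA"]},
    {"subject": "CN=JANE DOE", "chain_issuers": ["C=US,O=U.S. Government,OU=Example Agency,CN=Example Agency CA"]},
]

if __name__ == "__main__":
    request = build_certificate_request(HINT_LIST)
    hinted = parse_certificate_authorities(request)
    print(hinted)
    print(select_credential(CLIENT_CERTS, hinted)["subject"])   # CN=JANE DOE
```

Two practical checks follow from this layout. The whole `certificate_authorities` vector is limited to 2^16-1 bytes, so a hint list that names every cross-certified CA in a large bridge community can overflow the field; keep it to the issuers relying parties actually expect. And the list is visible to anyone who connects, so it can be verified from outside with `openssl s_client`, which prints it under "Acceptable client certificate CA names". In TLS 1.3 the same DN list moves into the `certificate_authorities` extension of CertificateRequest (RFC 8446 section 4.2.4), and the certificate-type and signature-algorithm fields shown above are no longer part of the message body.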

For assistance on how to bridge-enable your web server with the hint list, please refer to the Bridge-Enabling Web Servers document.

Path Discovery & Validation Test Suite (NIST web site)

Qualified Validation List (QVL)
 


