SCVP
   HOME

TheInfoList



Click Here for Items Related To - SCVP
OR:
SCVP on:   [Wikipedia]   [Google]   [Amazon]

The Server-based Certificate
Validation Validation may refer to: * Data validation, in computer science, ensuring that data inserted into an application satisfies defined formats and other input criteria * Forecast verification, validating and verifying prognostic output from a numerica ...
Protocol (SCVP) is an
Internet protocol The Internet Protocol (IP) is the network layer communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its routing function enables internetworking, and essentially establishes the Internet. IP h ...
for determining the path between an
X.509 In cryptography, X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secu ...
digital certificate In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a Key authentication, public key. The certificate includes information about the key, i ...
and a trusted root (
Delegated Path Discovery Delegated Path Discovery (DPD) is a method for querying a trusted server for information about a public key certificate. DPD allows clients to obtain collated certificate information from a trusted DPD server. This information may then be used ...
) and the validation of that path (
Delegated Path Validation Delegated Path Validation (DPV) is a method for offloading to a trusted server the work involved in validating a public key certificate. Combining certificate information supplied by the DPV client with certificate path and revocation status info ...
) according to a particular validation policy.


Overview

When a relying party receives a digital certificate and needs to decide whether to trust the certificate, it first needs to determine whether the certificate can be linked to a trusted certificate. This process may involve chaining the certificate back through several issuers, such as the following case: Equifax Secure eBusiness CA-1 ACME Co Certificate Authority Joe User Currently, the creation of this chain of certificates is performed by the application receiving the signed message. The process is termed "path discovery" and the resulting chain is called a "certification path". Many Windows applications, such as Outlook, use
Cryptographic Application Programming Interface The Microsoft Windows platform specific Cryptographic Application Programming Interface (also known variously as CryptoAPI, Microsoft Cryptography API, MS-CAPI or simply CAPI) is an application programming interface included with Microsoft Windo ...
(CAPI) for path discovery. CAPI is capable of building certification paths using any certificates that are installed in Windows certificate stores or provided by the relying party application. The Equifax CA certificate, for example, comes installed in Windows as a trusted certificate. If CAPI knows about the ACME Co CA certificate or if it is included in a signed email and made available to CAPI by Outlook, CAPI can create the certification path above. However, if CAPI cannot find the ACME Co CA certificate, it has no way to verify that Joe User is trusted. SCVP provides us with a standards-based client-server protocol for solving this problem using
Delegated Path Discovery Delegated Path Discovery (DPD) is a method for querying a trusted server for information about a public key certificate. DPD allows clients to obtain collated certificate information from a trusted DPD server. This information may then be used ...
, or DPD. When using DPD, a relying party asks a server for a certification path that meets its needs. The SCVP client's request contains the certificate that it is attempting to trust and a set of trusted certificates. The SCVP server's response contains a set of certificates making up a valid path between the certificate in question and one of the trusted certificates. The response may also contain proof of revocation status, such as
OCSP The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative t ...
responses, for the certificates in the path. Once a certification path has been constructed, it needs to be validated. An algorithm for validating certification paths is defined in RFC 5280 section 6 (signatures, expiration, name constraints, policy constraints, basic constraints, etc.). Again, this could be done locally by the client or by the SCVP server with
Delegated Path Validation Delegated Path Validation (DPV) is a method for offloading to a trusted server the work involved in validating a public key certificate. Combining certificate information supplied by the DPV client with certificate path and revocation status info ...
. SCVP facilitates Federated PKIs, such as one with a Bridge Certificate Authority.


External links

* RFC 5055 - Server-Based Certificate Validation Protocol (SCVP) (December 2007 Proposed Standard) Cryptographic protocols Internet Standards Internet protocols {{Internet-stub