Internet X.509 Public Key Infrastructure: Certification Path Building
RFC 4158

Document Type RFC - Informational (September 2005; No errata)
Last updated 2015-10-14
Stream IETF
Formats plain text pdf html bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 4158 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Russ Housley
Send notices to wpolk@nist.gov
Network Working Group                                          M. Cooper
Request for Comments: 4158                      Orion Security Solutions
Category: Informational                                     Y. Dzambasow
                                                          A&N Associates
                                                                P. Hesse
                                               Gemini Security Solutions
                                                               S. Joseph
                                                   Van Dyke Technologies
                                                             R. Nicholas
                                                             BAE Systems
                                                          September 2005

               Internet X.509 Public Key Infrastructure:
                      Certification Path Building

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document provides guidance and recommendations to developers
   building X.509 public-key certification paths within their
   applications.  By following the guidance and recommendations defined
   in this document, an application developer is more likely to develop
   a robust X.509 certificate-enabled application that can build valid
   certification paths across a wide range of PKI environments.

Table of Contents

   1. Introduction ....................................................3
      1.1. Motivation .................................................4
      1.2. Purpose ....................................................4
      1.3. Terminology ................................................5
      1.4. Notation ...................................................8
      1.5. Overview of PKI Structures .................................8
           1.5.1. Hierarchical Structures .............................8
           1.5.2. Mesh Structures ....................................10
           1.5.3. Bi-Lateral Cross-Certified Structures ..............11
           1.5.4. Bridge Structures ..................................13
      1.6. Bridge Structures and Certification Path Processing .......14

Cooper, et al.               Informational                      [Page 1]
RFC 4158              Certification Path Building         September 2005

   2. Certification Path Building ....................................15
      2.1. Introduction to Certification Path Building ...............15
      2.2. Criteria for Path Building ................................16
      2.3. Path-Building Algorithms ..................................17
      2.4. How to Build a Certification Path .........................21
           2.4.1. Certificate Repetition .............................23
           2.4.2. Introduction to Path-Building Optimization .........24
      2.5. Building Certification Paths for Revocation Signer
           Certificates ..............................................30
      2.6. Suggested Path-Building Software Components ...............31
      2.7. Inputs to the Path-Building Module ........................33
           2.7.1. Required Inputs ....................................33
           2.7.2. Optional Inputs ....................................34
   3. Optimizing Path Building .......................................35
      3.1. Optimized Path Building ...................................35
      3.2. Sorting vs. Elimination ...................................38
      3.3. Representing the Decision Tree ............................41
           3.3.1. Node Representation for CA Entities ................41
           3.3.2. Using Nodes to Iterate Over All Paths ..............42
      3.4. Implementing Path-Building Optimization ...................45
      3.5. Selected Methods for Sorting Certificates .................46
           3.5.1. basicConstraints Is Present and cA Equals True .....47
           3.5.2. Recognized Signature Algorithms ....................48
           3.5.3. keyUsage Is Correct ................................48
           3.5.4. Time (T) Falls within the Certificate Validity .....48
           3.5.5. Certificate Was Previously Validated ...............49
           3.5.6. Previously Verified Signatures .....................49
           3.5.7. Path Length Constraints ............................50
           3.5.8. Name Constraints ...................................50
           3.5.9. Certificate Is Not Revoked .........................51
           3.5.10. Issuer Found in the Path Cache ....................52
           3.5.11. Issuer Found in the Application Protocol ..........52
           3.5.12. Matching Key Identifiers (KIDs) ...................52
           3.5.13. Policy Processing .................................53
Show full document text