RFC 3379 - Delegated Path Validation and Delegated Path Discovery Protocol Requirements
RFC 3379 DPV and DPD Protocol Requirements September 2002
A third request/response pair allows clients to obtain references for
the policies supported by a DPV or DPD server.
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document (in uppercase, as shown) are to be interpreted as described
in [RFC 2119].
2. Rationale and Benefits for DPV (Delegated Path Validation)
DPV allows a server to perform real-time certificate validation for
a validation time T, where T may be the current time or a time in the
recent past.
In order to validate a certificate, a chain of multiple certificates,
called a certification path, may be needed, comprising a certificate
of the public key owner (the end entity) signed by one CA, and zero
or more additional certificates of CAs signed by other CAs.
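The validation described in the two paragraphs above, as an added example that is not part of the RFC or of any DPV implementation: a constructed three-certificate path (a root CA, an intermediate CA signed by the root, and an end-entity certificate signed by the intermediate; the names, serial numbers and lifetimes are assumptions) is validated at a chosen validation time T using Go's standard crypto/x509 package, and each signature in the resulting path is then re-verified against its issuer. Revocation checking, which a real DPV server must also perform, is deliberately left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI holds a constructed path: end entity <- intermediate CA <- root CA.
// Names and lifetimes below are illustrative assumptions, not from the RFC.
type PKI struct {
	Root, Inter, Leaf *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// tmpl builds a minimal certificate template; CAs get the certSign key usage.
func tmpl(serial int64, cn string, notBefore, notAfter time.Time, ca bool) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if ca {
		ku = x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: ku,
	}
}

// mustCert signs template with the parent's private key and parses the result.
func mustCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildPKI issues the three certificates with validity periods relative to now.
func BuildPKI(now time.Time) PKI {
	rootKey, interKey, leafKey := mustKey(), mustKey(), mustKey()
	day := 24 * time.Hour
	rootTmpl := tmpl(1, "Example Root CA", now.Add(-3*day), now.Add(3650*day), true)
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := mustCert(tmpl(2, "Example Intermediate CA", now.Add(-2*day), now.Add(1825*day), true),
		root, &interKey.PublicKey, rootKey)
	leaf := mustCert(tmpl(3, "end-entity.example", now.Add(-1*day), now.Add(90*day), false),
		inter, &leafKey.PublicKey, interKey)
	return PKI{Root: root, Inter: inter, Leaf: leaf}
}

// ValidateAt is the work a DPV server performs for the client: it builds and
// validates the certification path of the end entity at validation time t,
// which may be the current time or a time in the recent past.
func ValidateAt(p PKI, t time.Time) ([][]*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	inters.AddCert(p.Inter)
	return p.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: t,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
}

// CheckSignatures re-verifies every certificate in a path against its issuer
// (the per-certificate signature work a constrained client avoids by
// delegating) and returns how many signatures were checked: path length - 1.
func CheckSignatures(chain []*x509.Certificate) (int, error) {
	n := 0
	for i := 0; i+1 < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return n, fmt.Errorf("%s not signed by %s: %w",
				chain[i].Subject.CommonName, chain[i+1].Subject.CommonName, err)
		}
		n++
	}
	return n, nil
}

func main() {
	now := time.Now()
	p := BuildPKI(now)
	// T = now, T one hour in the recent past, and T before the path existed.
	for _, t := range []time.Time{now, now.Add(-time.Hour), now.Add(-30 * 24 * time.Hour)} {
		chains, err := ValidateAt(p, t)
		if err != nil {
			fmt.Printf("T=%s: invalid: %v\n", t.Format(time.RFC3339), err)
			continue
		}
		n, _ := CheckSignatures(chains[0])
		fmt.Printf("T=%s: valid, path length %d, %d signatures verified\n",
			t.Format(time.RFC3339), len(chains[0]), n)
	}
}
```

ValidateAt accepts T one hour in the past because every certificate in the path was already valid then, and rejects a T that precedes the end entity's notBefore or follows its notAfter; a DPV server answering for a past T must apply exactly this rule, using the revocation status that held at T rather than at the time of the request.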
Offloading path validation to a server may be required by a client
that lacks the processing and/or communication capabilities to fetch
the necessary certificates and revocation information, perform
certification path construction, and perform local path validation.
In constrained execution environments, such as telephones and PDAs,
memory and processing limitations may preclude local implementation
of complete, PKIX-compliant certification path validation [PKIX-1].
In applications where minimum latency is critical, delegating
validation to a trusted server can offer significant advantages. The
time required to send the target certificate to the validation
server, receive the response, and authenticate the response, can be
considerably less than the time required for the client to perform
certification path discovery and validation. Even if a certification
path were readily available to the client, the processing time
associated with signature verification for each certificate in the
path might (especially when validating very long paths or using a
limited processor) be greater than the delay associated with use of a
validation server.
Pinkas & Housley Informational