
Delegated Path Validation and Delegated Path Discovery Protocol Requirements




RFC 3379           DPV and DPD Protocol Requirements      September 2002


   Another motivation for offloading path validation is that it allows
   validation against management-defined validation policies in a
   consistent fashion across an enterprise.  Clients that are able to do
   their own path validation may rely on a trusted server to do path
   validation if centralized management of validation policies is
   needed, or the clients rely on a trusted server to maintain
   centralized records of such activities.

   When a client uses this service, it inherently trusts the server as
   much as it would its own path validation software (if it contained
   such software).  Clients can direct the server to perform path
   validation in accordance with a particular validation policy.

3. Rationale and Benefits for DPD (Delegated Path Discovery)

   DPD is valuable for clients that do much of the PKI processing
   themselves and simply want a server to collect information for them.
   The server is trusted to return the most current information that is
   available to it (which may not be the most current information that
   has been issued).  The client will ultimately perform certification
   path validation.

   A client that performs path validation for itself may benefit in
   several ways from using a server to acquire certificates, CRLs, and
   OCSP responses [OCSP] as inputs to the validation process.  In this
   context, the client is relying on the server to interact with
   repositories to acquire the data that the client would otherwise have
   to acquire using LDAP, HTTP, FTP [LDAP, FTP&HTTP] or another
   repository access protocol.  Since these data items are digitally
   signed, the client need not trust the server any more than the client
   would trust the repositories.

   DPD provides several benefits.  For example, a single query to a
   server can replace multiple repository queries, and caching by the
   server can reduce latency.  Another benefit to the client system is
   that it need not incorporate a diverse set of software to interact
   with various forms of repositories, perhaps via different protocols,
   nor to perform the graph processing necessary to discover
   certification paths, separate from making the queries to acquire path
   validation data.
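   As an added illustration (not part of RFC 3379 or any DPD
   implementation), the kind of graph processing a DPD server performs
   over the certificates it has collected in order to discover candidate
   certification paths for a client. The PKI below is constructed: the
   names, serial numbers and the cross-certified pair of roots are
   sample values, and the client still has to verify every signature,
   validity period and revocation status of the returned path itself.

```python
from collections import defaultdict

# Constructed sample PKI (not real certificates): two cross-certified
# roots, one intermediate and one end-entity certificate. Each entry
# carries only the fields the discovery graph needs.
CERTS = [
    {"subject": "CN=Root A", "issuer": "CN=Root A", "sn": 1},   # self-signed
    {"subject": "CN=Root B", "issuer": "CN=Root B", "sn": 2},   # self-signed
    {"subject": "CN=Root B", "issuer": "CN=Root A", "sn": 3},   # A cross-certifies B
    {"subject": "CN=Root A", "issuer": "CN=Root B", "sn": 4},   # B cross-certifies A (cycle)
    {"subject": "CN=Inter B1", "issuer": "CN=Root B", "sn": 5},
    {"subject": "CN=alice@example.test", "issuer": "CN=Inter B1", "sn": 6},
]


def discover_paths(certs, target_subject, trust_anchors, max_len=8):
    """Return every certification path from a trust anchor to the target.

    Each path is a list of certificate records ordered trust anchor side
    first and target last, i.e. the order a client would validate it in.
    Self-signed certificates that are not trust anchors are skipped, and
    subjects already on the path are not revisited, so cross-certification
    loops (Root A <-> Root B above) cannot make the search run forever.
    """
    by_subject = defaultdict(list)
    for cert in certs:
        by_subject[cert["subject"]].append(cert)

    paths = []

    def walk(cert, chain, seen_subjects):
        if cert["issuer"] in trust_anchors:
            paths.append(list(reversed(chain)))   # chain was built target-first
            return
        if len(chain) >= max_len:                 # bound the search depth
            return
        for issuer_cert in by_subject.get(cert["issuer"], []):
            if issuer_cert["subject"] == issuer_cert["issuer"]:
                continue                          # self-signed, not an anchor
            if issuer_cert["subject"] in seen_subjects:
                continue                          # cycle guard
            walk(issuer_cert, chain + [issuer_cert],
                 seen_subjects | {issuer_cert["subject"]})

    for target_cert in by_subject.get(target_subject, []):
        walk(target_cert, [target_cert], {target_cert["subject"]})
    return paths
```

   With "CN=Root A" as the only trust anchor the search returns the single
   path through the cross-certificate (serials 3, 5, 6); with an unknown
   anchor it terminates with no path despite the A/B cycle.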

4. Delegated Path Validation Protocol Requirements

4.1. Basic Protocol

   The Delegated Path Validation (DPV) protocol allows a server to
   validate one or more public key certificates on behalf of a client
   according to a validation policy.



Pinkas & Housley             Informational