Delegated Path Validation and Delegated Path Discovery Protocol Requirements
RFC 3379 DPV and DPD Protocol Requirements September 2002
Another motivation for offloading path validation is that it allows
validation against management-defined validation policies in a
consistent fashion across an enterprise. Clients that are able to do
their own path validation may rely on a trusted server to do path
validation if centralized management of validation policies is
needed, or the clients rely on a trusted server to maintain
centralized records of such activities.
When a client uses this service, it inherently trusts the server as
much as it would its own path validation software (if it contained
such software). Clients can direct the server to perform path
validation in accordance with a particular validation policy.
3. Rationale and Benefits for DPD (Delegated Path Discovery)
DPD is valuable for clients that do much of the PKI processing
themselves and simply want a server to collect information for them.
The server is trusted to return the most current information that is
available to it (which may not be the most current information that
has been issued). The client will ultimately perform certification
path validation.
A client that performs path validation for itself may get benefit in
several ways from using a server to acquire certificates, CRLs, and
OCSP responses [OCSP] as inputs to the validation process. In this
context, the client is relying on the server to interact with
repositories to acquire the data that the client would otherwise have
to acquire using LDAP, HTTP, FTP [LDAP, FTP&HTTP] or another
repository access protocol. Since these data items are digitally
signed, the client need not trust the server any more than the client
would trust the repositories.
DPD provides several benefits. For example, a single query to a
server can replace multiple repository queries, and caching by the
server can reduce latency. Another benefit to the client system is
that it need not incorporate a diverse set of software to interact
with various forms of repositories, perhaps via different protocols,
nor to perform the graph processing necessary to discover
certification paths, separate from making the queries to acquire path
validation data.
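The trust split described above (the server collects signed artifacts, the client still does discovery and validation) can be shown with a small simulation. The following Go program is an added example, not code from RFC 3379 or from any DPD implementation: it constructs a hypothetical three-tier hierarchy (Example Root CA, Example Issuing CA, a leaf) plus an unrelated self-signed certificate, lets a stand-in "server" hand back an unordered bag of certificates, and has the client build and validate the path itself with the standard library's x509 verifier. Because the inputs are signed, a bag that is shuffled or padded with noise still validates, while a bag with a corrupted or missing intermediate is rejected without the client having to trust the server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Fixture is the constructed (hypothetical) hierarchy Root -> Inter -> Leaf,
// plus an unrelated self-signed Noise certificate the server may also return.
type Fixture struct {
	Root                                 *x509.Certificate
	RootDER, InterDER, LeafDER, NoiseDER []byte
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the signer's key and returns the parsed cert and its DER.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, []byte) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c, der
}

func caTemplate(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// BuildFixture constructs the hypothetical hierarchy used by the demo.
func BuildFixture() *Fixture {
	rootKey, interKey, leafKey, noiseKey := mustKey(), mustKey(), mustKey(), mustKey()
	rootTmpl := caTemplate(1, "Example Root CA")
	root, rootDER := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter, interDER := issue(caTemplate(2, "Example Issuing CA"), root, &interKey.PublicKey, rootKey)
	now := time.Now()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "client.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	_, leafDER := issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	noiseTmpl := caTemplate(4, "Unrelated CA")
	_, noiseDER := issue(noiseTmpl, noiseTmpl, &noiseKey.PublicKey, noiseKey)
	return &Fixture{Root: root, RootDER: rootDER, InterDER: interDER, LeafDER: leafDER, NoiseDER: noiseDER}
}

// TamperDER flips the final byte (inside the signature value) of a copy of der,
// standing in for a server that returns corrupted path data.
func TamperDER(der []byte) []byte {
	out := append([]byte(nil), der...)
	out[len(out)-1] ^= 0x01
	return out
}

// ValidateLocally is the DPD client side: the server's unordered bag of
// certificates is only raw input; the client discovers and validates the path
// against its own trust anchors. It returns the length of the first path found
// (leaf, intermediates, anchor).
func ValidateLocally(leafDER []byte, bag [][]byte, anchors []*x509.Certificate) (int, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return 0, fmt.Errorf("leaf: %w", err)
	}
	roots := x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	inters := x509.NewCertPool()
	for _, der := range bag {
		if c, err := x509.ParseCertificate(der); err == nil {
			inters.AddCert(c) // unparseable server data is dropped, never trusted
		}
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	f := BuildFixture()
	anchors := []*x509.Certificate{f.Root}
	cases := map[string][][]byte{
		"complete, shuffled bag": {f.NoiseDER, f.InterDER},
		"tampered intermediate":  {TamperDER(f.InterDER)},
		"intermediate missing":   {f.NoiseDER},
	}
	for name, bag := range cases {
		n, err := ValidateLocally(f.LeafDER, bag, anchors)
		fmt.Printf("%-24s path length %d, err=%v\n", name, n, err)
	}
}
```

The design point is in ValidateLocally: the trust anchors come from the client, not from the bag, and every certificate the server supplied has its signature checked during path building, so a malicious or buggy collector can cause only a failed validation, never a wrongly accepted one.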
4. Delegated Path Validation Protocol Requirements
4.1. Basic Protocol
The Delegated Path Validation (DPV) protocol allows a server to
validate one or more public key certificates on behalf of a client
according to a validation policy.
Pinkas & Housley Informational