SCVP
The Server-based Certificate Validation Protocol (SCVP) is an Internet protocol for determining the path between an X.509 digital certificate and a trusted root (Delegated Path Discovery) and the validation of that path (Delegated Path Validation) according to a particular validation policy.
Overview
When a relying party receives a digital certificate and needs to decide whether to trust the certificate, it first needs to determine whether the certificate can be linked to a trusted certificate. This process may involve chaining the certificate back through several issuers, such as the following case:
Equifax Secure eBusiness CA-1
ACME Co Certificate Authority
Joe User
Currently, the creation of this chain of certificates is performed by the application receiving the signed message. The process is termed "path discovery" and the resulting chain is called a "certification path". Many Windows applications, such as Outlook, use CAPI for path discovery.
CAPI is capable of building certification paths using any certificates that are installed in Windows certificate stores or provided by the relying party application. The Equifax CA certificate, for example, comes installed in Windows as a trusted certificate. If CAPI knows about the ACME Co CA certificate or if it is included in a signed email and made available to CAPI by Outlook, CAPI can create the certification path above. However, if CAPI cannot find the ACME Co CA certificate, it has no way to verify that Joe User is trusted.
SCVP provides us with a standards-based client-server protocol for solving this problem using Delegated Path Discovery, or DPD. When using DPD, a relying party asks a server for a certification path that meets its needs. The SCVP client's request contains the certificate that it is attempting to trust and a set of trusted certificates. The SCVP server's response contains a set of certificates making up a valid path between the certificate in question and one of the trusted certificates. The response may also contain proof of revocation status, such as OCSP responses, for the certificates in the path.
Once a certification path has been constructed, it needs to be validated. An algorithm for validating certification paths is defined in RFC 5280 section 6 (signatures, expiration, name constraints, policy constraints, basic constraints, etc.). Again, this could be done locally by the client or by the SCVP server with Delegated Path Validation.
SCVP facilitates Federated PKIs, such as one with a Bridge Certificate Authority.
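The DPD exchange and the path validation step described above, as an added model that is not part of the original article or of any SCVP implementation. Certificates are constructed records with names only (no real X.509 parsing or signature checks), and discover_path, validate_path and scvp_dpd are names chosen here; the scenario reproduces the article's Equifax / ACME Co / Joe User chain, where the relying party lacks the ACME Co CA locally and the server supplies it.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:  # constructed stand-in for an X.509 certificate: names only, no signature
    subject: str
    issuer: str
    is_ca: bool
    not_after: datetime

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
EXP = datetime(2030, 1, 1, tzinfo=timezone.utc)
# The article's chain, as constructed sample data.
EQUIFAX = Cert("Equifax Secure eBusiness CA-1", "Equifax Secure eBusiness CA-1", True, EXP)
ACME = Cert("ACME Co Certificate Authority", "Equifax Secure eBusiness CA-1", True, EXP)
JOE = Cert("Joe User", "ACME Co Certificate Authority", False, EXP)

def discover_path(target, trusted, pool):
    """Follow issuer links from target until a trusted cert is reached.
    Returns [target, ..., anchor], or None if the chain cannot be closed."""
    by_subject = {c.subject: c for c in pool}
    anchors = {c.subject: c for c in trusted}
    path, seen = [target], {target.subject}
    while path[-1].issuer not in anchors:
        nxt = by_subject.get(path[-1].issuer)
        if nxt is None or nxt.subject in seen:  # missing issuer or a loop
            return None
        seen.add(nxt.subject)
        path.append(nxt)
    return path + [anchors[path[-1].issuer]]

def validate_path(path, trusted, now=NOW):
    """Subset of RFC 5280 section 6 checks on a (possibly server-supplied) path:
    ends at one of our anchors, names chain, issuers are CAs, nothing expired.
    Signature, name-constraint and policy checks are omitted in this model."""
    if path[-1].subject not in {c.subject for c in trusted}:
        return False
    for i, cert in enumerate(path):
        if cert.not_after < now or (i > 0 and not cert.is_ca):
            return False
        if i + 1 < len(path) and cert.issuer != path[i + 1].subject:
            return False
    return True

def scvp_dpd(target, trusted, server_pool):
    """DPD round trip: client sends target plus trusted set, server builds the path
    from its own pool, and the client re-validates the answer before relying on it."""
    path = discover_path(target, trusted, server_pool)
    return path if path and validate_path(path, trusted) else None
```

Local discovery with an empty pool fails exactly as the CAPI case in the text, while the same query against a server pool holding the ACME Co CA yields the three-certificate path; the client-side re-validation is what keeps a misbehaving server from handing back a path that ends at an anchor the client never trusted.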