GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools


rfc:rfc4158

Network Working Group M. Cooper Request for Comments: 4158 Orion Security Solutions Category: Informational Y. Dzambasow

                                                        A&N Associates
                                                              P. Hesse
                                             Gemini Security Solutions
                                                             S. Joseph
                                                 Van Dyke Technologies
                                                           R. Nicholas
                                                           BAE Systems
                                                        September 2005
             Internet X.509 Public Key Infrastructure:
                    Certification Path Building

Status of This Memo

 This memo provides information for the Internet community.  It does
 not specify an Internet standard of any kind.  Distribution of this
 memo is unlimited.

Copyright Notice

 Copyright (C) The Internet Society (2005).

Abstract

 This document provides guidance and recommendations to developers
 building X.509 public-key certification paths within their
 applications.  By following the guidance and recommendations defined
 in this document, an application developer is more likely to develop
 a robust X.509 certificate-enabled application that can build valid
 certification paths across a wide range of PKI environments.

Table of Contents

 1. Introduction ....................................................3
    1.1. Motivation .................................................4
    1.2. Purpose ....................................................4
    1.3. Terminology ................................................5
    1.4. Notation ...................................................8
    1.5. Overview of PKI Structures .................................8
         1.5.1. Hierarchical Structures .............................8
         1.5.2. Mesh Structures ....................................10
         1.5.3. Bi-Lateral Cross-Certified Structures ..............11
         1.5.4. Bridge Structures ..................................13
    1.6. Bridge Structures and Certification Path Processing .......14

Cooper, et al. Informational [Page 1] RFC 4158 Certification Path Building September 2005

 2. Certification Path Building ....................................15
    2.1. Introduction to Certification Path Building ...............15
    2.2. Criteria for Path Building ................................16
    2.3. Path-Building Algorithms ..................................17
    2.4. How to Build a Certification Path .........................21
         2.4.1. Certificate Repetition .............................23
         2.4.2. Introduction to Path-Building Optimization .........24
    2.5. Building Certification Paths for Revocation Signer
         Certificates ..............................................30
    2.6. Suggested Path-Building Software Components ...............31
    2.7. Inputs to the Path-Building Module ........................33
         2.7.1. Required Inputs ....................................33
         2.7.2. Optional Inputs ....................................34
 3. Optimizing Path Building .......................................35
    3.1. Optimized Path Building ...................................35
    3.2. Sorting vs. Elimination ...................................38
    3.3. Representing the Decision Tree ............................41
         3.3.1. Node Representation for CA Entities ................41
         3.3.2. Using Nodes to Iterate Over All Paths ..............42
    3.4. Implementing Path-Building Optimization ...................45
    3.5. Selected Methods for Sorting Certificates .................46
         3.5.1. basicConstraints Is Present and cA Equals True .....47
         3.5.2. Recognized Signature Algorithms ....................48
         3.5.3. keyUsage Is Correct ................................48
         3.5.4. Time (T) Falls within the Certificate Validity .....48
         3.5.5. Certificate Was Previously Validated ...............49
         3.5.6. Previously Verified Signatures .....................49
         3.5.7. Path Length Constraints ............................50
         3.5.8. Name Constraints ...................................50
         3.5.9. Certificate Is Not Revoked .........................51
         3.5.10. Issuer Found in the Path Cache ....................52
         3.5.11. Issuer Found in the Application Protocol ..........52
         3.5.12. Matching Key Identifiers (KIDs) ...................52
         3.5.13. Policy Processing .................................53
         3.5.14. Policies Intersect the Sought Policy Set ..........54
         3.5.15. Endpoint Distinguished Name (DN) Matching .........55
         3.5.16. Relative Distinguished Name (RDN) Matching ........55
         3.5.17. Certificates are Retrieved from
                 cACertificate Directory Attribute .................56
         3.5.18. Consistent Public Key and Signature Algorithms ....56
         3.5.19. Similar Issuer and Subject Names ..................57
         3.5.20. Certificates in the Certification Cache ...........57
         3.5.21. Current CRL Found in Local Cache ..................58
    3.6. Certificate Sorting Methods for Revocation Signer
         Certification Paths .......................................58
         3.6.1. Identical Trust Anchors ............................58
         3.6.2. Endpoint Distinguished Name (DN) Matching ..........59
         3.6.3. Relative Distinguished Name (RDN) Matching .........59

Cooper, et al. Informational [Page 2] RFC 4158 Certification Path Building September 2005

         3.6.4. Identical Intermediate Names .......................60
 4. Forward Policy Chaining ........................................60
    4.1. Simple Intersection .......................................61
    4.2. Policy Mapping ............................................62
    4.3. Assigning Scores for Forward Policy Chaining ..............63
 5. Avoiding Path-Building Errors ..................................64
    5.1. Dead Ends .................................................64
    5.2. Loop Detection ............................................65
    5.3. Use of Key Identifiers ....................................66
    5.4. Distinguished Name Encoding ...............................66
 6. Retrieval Methods ..............................................67
    6.1. Directories Using LDAP ....................................67
    6.2. Certificate Store Access via HTTP .........................69
    6.3. Authority Information Access ..............................69
    6.4. Subject Information Access ................................70
    6.5. CRL Distribution Points ...................................70
    6.6. Data Obtained via Application Protocol ....................71
    6.7. Proprietary Mechanisms ....................................71
 7. Improving Retrieval Performance ................................71
    7.1. Caching ...................................................72
    7.2. Retrieval Order ...........................................73
    7.3. Parallel Fetching and Prefetching .........................73
 8. Security Considerations ........................................74
    8.1. General Considerations for Building a Certification Path ..74
    8.2. Specific Considerations for Building Revocation
         Signer Paths ..............................................75
 9. Acknowledgements ...............................................78
 10. Normative References ..........................................78
 11. Informative References ........................................78

1. Introduction

 [X.509] public key certificates have become an accepted method for
 securely binding the identity of an individual or device to a public
 key, in order to support public key cryptographic operations such as
 digital signature verification and public key-based encryption.
 However, prior to using the public key contained in a certificate, an
 application first has to determine the authenticity of that
 certificate, and specifically, the validity of all the certificates
 leading to a trusted public key, called a trust anchor.  Through
 validating this certification path, the assertion of the binding made
 between the identity and the public key in each of the certificates
 can be traced back to a single trust anchor.
 The process by which an application determines this authenticity of a
 certificate is called certification path processing.  Certification
 path processing establishes a chain of trust between a trust anchor
 and a certificate.  This chain of trust is composed of a series of

Cooper, et al. Informational [Page 3] RFC 4158 Certification Path Building September 2005

 certificates known as a certification path.  A certification path
 begins with a certificate whose signature can be verified using a
 trust anchor and ends with the target certificate.  Path processing
 entails building and validating the certification path to determine
 whether a target certificate is appropriate for use in a particular
 application context.  See Section 3.2 of [RFC3280] for more
 information on certification paths and trust.

1.1. Motivation

 Many other documents (such as [RFC3280]) cover certification path
 validation requirements and procedures in detail but do not discuss
 certification path building because the means used to find the path
 does not affect its validation.  This document therefore is an effort
 to provide useful guidance for developers of certification path-
 building implementations.
 Additionally, the need to develop complex certification paths is
 increasing.  Many PKIs are now using complex structures (see Section
 1.5) rather than simple hierarchies.  Additionally, some enterprises
 are gradually moving away from trust lists filled with many trust
 anchors, and toward an infrastructure with one trust anchor and many
 cross-certified relationships.  This document provides helpful
 information for developing certification paths in these more
 complicated situations.

1.2. Purpose

 This document provides information and guidance for certification
 path building.  There are no requirements or protocol specifications
 in this document.  This document provides many options for performing
 certification path building, as opposed to just one particular way.
 This document draws upon the authors' experiences with existing
 complex certification paths to offer insights and recommendations to
 developers who are integrating support for [X.509] certificates into
 their applications.
 In addition, this document suggests using an effective general
 approach to path building that involves a depth first tree traversal.
 While the authors believe this approach offers the balance of
 simplicity in design with very effective and infrastructure-neutral
 path-building capabilities, the algorithm is no more than a suggested
 approach.  Other approaches (e.g., breadth first tree traversals)
 exist and may be shown to be more effective under certain conditions.
 Certification path validation is described in detail in both [X.509]
 and [RFC3280] and is not repeated in this document.

Cooper, et al. Informational [Page 4] RFC 4158 Certification Path Building September 2005

 This document does not provide guidance for building the
 certification path from an end entity certificate to a proxy
 certificate as described in [RFC3820].

1.3. Terminology

 Terms used throughout this document will be used in the following
 ways:
 Building in the Forward direction: The process of building a
    certification path from the target certificate to a trust anchor.
    'Forward' is the former name of the crossCertificatePair element
    'issuedToThisCA'.
 Building in the Reverse direction: The process of building a
    certification path from a trust anchor to the target certificate.
    'Reverse' is the former name of the crossCertificatePair element
    'issuedByThisCA'.
 Certificate:  A digital binding that cannot be counterfeited between
    a named entity and a public key.
 Certificate Graph:  A graph that represents the entire PKI (or all
    cross-certified PKIs) in which all named entities are viewed as
    nodes and all certificates are viewed as arcs between nodes.
 Certificate Processing System:  An application or device that
    performs the functions of certification path building and
    certification path validation.
 Certification Authority (CA):  An entity that issues and manages
    certificates.
 Certification Path:  An ordered list of certificates starting with a
    certificate signed by a trust anchor and ending with the target
    certificate.
 Certification Path Building:  The process used to assemble the
    certification path between the trust anchor and the target
    certificate.
 Certification Path Validation:  The process that verifies the binding
    between the subject and the subject-public-key defined in the
    target certificate, using a trust anchor and set of known
    constraints.

Cooper, et al. Informational [Page 5] RFC 4158 Certification Path Building September 2005

 Certificate Revocation List (CRL):  A signed, time stamped list
    identifying a set of certificates that are no longer considered
    valid by the certificate issuer.
 CRL Signer Certificate: The specific certificate that may be used for
    verifying the signature on a CRL issued by, or on behalf of, a
    specific CA.
 Cross-Certificate:  A certificate issued by one CA to another CA for
    the purpose of establishing a trust relationship between the two
    CAs.
 Cross-Certification:  The act of issuing cross-certificates.
 Decision Tree:  When the path-building software has multiple
    certificates to choose from, and must make a decision, the
    collection of possible choices is called a decision tree.
 Directory:  Generally used to refer an LDAP accessible repository for
    certificates and PKI information.  The term may also be used
    generically to refer to any certificate storing repository.
 End Entity:  The holder of a private key and corresponding
    certificate, whose identity is defined as the Subject of the
    certificate.  Human end entities are often called "subscribers".
 Is-revocation-signer indicator:  A boolean flag furnished to the
    path-building software.  If set, this indicates that the target
    certificate is a Revocation Signer certificate for a specific CA.
    For example, if building a certification path for an indirect CRL
    Signer certificate, this flag would be set.
 Local PKI:  The set of PKI components and data (certificates,
    directories, CRLs, etc.) that are created and used by the
    certificate using organization.  In general, this concept refers
    to the components that are in close proximity to the certificate
    using application.  The assumption is that the local data is more
    easily accessible and/or inexpensive to retrieve than non-local
    PKI data.
 Local Realm: See Local PKI.
 Node (in a certificate graph): The collection of certificates having
    identical subject distinguished names.
 Online Certificate Status Protocol (OCSP): An Internet protocol used
    by a client to obtain the revocation status of a certificate from
    a server.

Cooper, et al. Informational [Page 6] RFC 4158 Certification Path Building September 2005

 OCSP Response Signer Certificate:  The specific certificate that may
    be used for verifying the signature on an OCSP response.  This
    response may be provided by the CA, on behalf of the CA, or by a
    different signer as determined by the Relying Party's local
    policy.
 Public Key Infrastructure (PKI):  The set of hardware, software,
    personnel, policy, and procedures used by a CA to issue and manage
    certificates.
 Relying Party (RP):  An application or entity that processes
    certificates for the purpose of 1) verifying a digital signature,
    2) authenticating another entity, or 3) establishing confidential
    communications.
 Revocation Signer Certificate:  Refers collectively to either a CRL
    Signer Certificate or OCSP Response Signer Certificate.
 Target Certificate:  The certificate that is to be validated by a
    Relying Party.  It is the "Certificate targeted for validation".
    Although frequently this is the End Entity or a leaf node in the
    PKI structure, this could also be a CA certificate if a CA
    certificate is being validated. (e.g., This could be for the
    purpose of building and validating a certification path for the
    signer of a CRL.)
 Trust (of public keys): In the scope of this document, a public key
    is considered trustworthy if the certificate containing the public
    key can be validated according to the procedures in [RFC3280].
 Trust List: A list of trust anchors.
 Trust Anchor: The combination of a trusted public key and the name of
    the entity to which the corresponding private key belongs.
 Trust Anchor Certificate:  A self-signed certificate for a trust
    anchor that is used in certification path processing.
 User:  An individual that is using a certificate processing system.
    This document refers to some cases in which users may or may not
    be prompted with information or requests, depending upon the
    implementation of the certificate processing system.

Cooper, et al. Informational [Page 7] RFC 4158 Certification Path Building September 2005

1.4. Notation

 This document makes use of a few common notations that are used in
 the diagrams and examples.
 The first is the arrow symbol (->) which represents the issuance of a
 certificate from one entity to another.  For example, if entity H
 were to issue a certificate to entity K, this is denoted as H->K.
 Sometimes it is necessary to specify the subject and issuer of a
 given certificate.  If entity H were to issue a certificate to entity
 K this can be denoted as K(H).
 These notations can be combined to denote complicated certification
 paths such as C(D)->B(C)->A(B).

1.5. Overview of PKI Structures

 When verifying [X.509] public key certificates, often the application
 performing the verification has no knowledge of the underlying Public
 Key Infrastructure (PKI) that issued the certificate.  PKI structures
 can range from very simple, hierarchical structures to complex
 structures such as mesh architectures involving multiple bridges (see
 Section 1.5.4).  These structures define the types of certification
 paths that might be built and validated by an application [MINHPKIS].
 This section describes four common PKI structures.

1.5.1. Hierarchical Structures

 A hierarchical PKI, depicted in Figure 1, is one in which all of the
 end entities and relying parties use a single "Root CA" as their
 trust anchor.  If the hierarchy has multiple levels, the Root CA
 certifies the public keys of intermediate CAs (also known as
 subordinate CAs).  These CAs then certify end entities'
 (subscribers') public keys or may, in a large PKI, certify other CAs.
 In this architecture, certificates are issued in only one direction,
 and a CA never certifies another CA "superior" to itself.  Typically,
 only one superior CA certifies each CA.

Cooper, et al. Informational [Page 8] RFC 4158 Certification Path Building September 2005

                             +---------+
                         +---| Root CA |---+
                         |   +---------+   |
                         |                 |
                         |                 |
                         v                 v
                      +----+            +----+
                +-----| CA |      +-----| CA |------+
                |     +----+      |     +----+      |
                |                 |                 |
                v                 v                 v
             +----+            +----+            +----+
          +--| CA |-----+      | CA |-+      +---| CA |---+
          |  +----+     |      +----+ |      |   +----+   |
          |     |       |       |     |      |    |       |
          |     |       |       |     |      |    |       |
          v     v       v       v     v      v    v       v
       +----+ +----+ +----+ +----+ +----+ +----+ +----+ +----+
       | EE | | EE | | EE | | EE | | EE | | EE | | EE | | EE |
       +----+ +----+ +----+ +----+ +----+ +----+ +----+ +----+
                  Figure 1 - Sample Hierarchical PKI
 Certification path building in a hierarchical PKI is a
 straightforward process that simply requires the relying party to
 successively retrieve issuer certificates until a certificate that
 was issued by the trust anchor (the "Root CA" in Figure 1) is
 located.
 A widely used variation on the single-rooted hierarchical PKI is the
 inclusion of multiple CAs as trust anchors.  (See Figure 2.)  Here,
 end entity certificates are validated using the same approach as with
 any hierarchical PKI.  The difference is that a certificate will be
 accepted if it can be verified back to any of the set of trust
 anchors.  Popular web browsers use this approach, and are shipped
 with trust lists containing dozens to more than one hundred CAs.
 While this approach simplifies the implementation of a limited form
 of certificate verification, it also may introduce certain security
 vulnerabilities.  For example, the user may have little or no idea of
 the policies or operating practices of the various trust anchors, and
 may not be aware of which root was used to verify a given
 certificate.  Additionally, the compromise of any trusted CA private
 key or the insertion of a rogue CA certificate to the trust list may
 compromise the entire system.  Conversely, if the trust list is
 properly managed and kept to a reasonable size, it can be an
 efficient solution to building and validating certification paths.

Cooper, et al. Informational [Page 9] RFC 4158 Certification Path Building September 2005

          +-------------------------------------------------------+
          |                      Trust List                       |
          |                                                       |
          |     +---------+     +---------+      +---------+      |
          |  +--| Root CA |     | Root CA |      | Root CA |      |
          |  |  +---------+     +---------+      +---------+      |
          |  |      |                |                 |          |
          +--|------|----------------|---------------- |----------+
             |      |                |                 |
             |      |                |                 |
             |      |                v                 |
             |      |             +----+               |
             |      |        +----| CA |---+           |
             |      |        |    +----+   |           |
             |      |        |             |           |
             |      |        v             v           v
             |      |     +----+        +----+      +----+
             |      |     | CA |---+    | CA |-+    | CA |---+
             |      |     +----+   |    +----+ |    +----+   |
             |      |       |      |    |      |       |     |
             |      |       |      |    |      |       |     |
             v      v       v      v    v      v       v     v
          +----+ +----+ +----+ +----+ +----+ +----+ +----+ +----+
          | EE | | EE | | EE | | EE | | EE | | EE | | EE | | EE |
          +----+ +----+ +----+ +----+ +----+ +----+ +----+ +----+
               Figure 2 - Multi-Rooted Hierarchical PKI

1.5.2. Mesh Structures

 In a typical mesh style PKI (depicted in Figure 3), each end entity
 trusts the CA that issued their own certificate(s).  Thus, there is
 no 'Root CA' for the entire PKI.  The CAs in this environment have
 peer relationships; they are neither superior nor subordinate to one
 another.  In a mesh, CAs in the PKI cross-certify.  That is, each CA
 issues a certificate to, and is issued a certificate by, peer CAs in
 the PKI.  The figure depicts a mesh PKI that is fully cross-certified
 (sometimes called a full mesh).  However, it is possible to architect
 and deploy a mesh PKI with a mixture of uni-directional and bi-
 directional cross-certifications (called a partial mesh).  Partial
 meshes may also include CAs that are not cross-certified with other
 CAs in the mesh.

Cooper, et al. Informational [Page 10] RFC 4158 Certification Path Building September 2005

                        +---------------------------------+
                        |                                 |
            +-----------+----------------------+          |
            |           v                      v          |
            |       +-------+               +------+      |
            |  +--->| CA B  |<------------->| CA C |<--+  |
            |  |    +-------+               +------+   |  |
            |  |      |    ^                  ^  |     |  |
            |  |      v    |                  |  |     |  |
            |  |   +----+  |                  |  |     |  |
            |  |   | EE |  +----+    +--------+  v     |  |
            |  |   +----+       |    |         +----+  |  |
            |  |                |    |         | EE |  |  |
            v  v                v    v         +----+  v  v
          +------+             +------+             +------+
          | CA E |<----------->| CA A |<----------->| CA D |
          +------+             +------+             +------+
           |  ^  ^                                    ^ ^  |
           |  |  |                                    | |  |
           v  |  +------------------------------------+ |  v
       +----+ |                                         | +----+
       | EE | |                +------+                 | | EE |
       +----+ +----------------| CA F |-----------------+ +----+
                               +------+
                         Figure 3 - Mesh PKI
 Certification path building in a mesh PKI is more complex than in a
 hierarchical PKI due to the likely existence of multiple paths
 between a relying party's trust anchor and the certificate to be
 verified.  These multiple paths increase the potential for creating
 "loops", "dead ends", or invalid paths while building the
 certification path between a trust anchor and a target certificate.
 In addition, in cases where no valid path exists, the total number of
 paths traversed by the path-building software in order to conclude
 "no path exists" can grow exceedingly large.  For example, if
 ignoring everything except the structure of the graph, the Mesh PKI
 figure above has 22 non-self issued CA certificates and a total of
 5,092,429 certification paths between CA F and the EE issued by CA D
 without repeating any certificates.

1.5.3. Bi-Lateral Cross-Certified Structures

 PKIs can be connected via cross-certification to enable the relying
 parties of each to verify and accept certificates issued by the other
 PKI.  If the PKIs are hierarchical, cross-certification will
 typically be accomplished by each Root CA issuing a certificate for
 the other PKI's Root CA.  This results in a slightly more complex,

Cooper, et al. Informational [Page 11] RFC 4158 Certification Path Building September 2005

 but still essentially hierarchical environment.  If the PKIs are mesh
 style, then a CA within each PKI is selected, more or less
 arbitrarily, to establish the cross-certification, effectively
 creating a larger mesh PKI.  Figure 4 depicts a hybrid situation
 resulting from a hierarchical PKI cross-certifying with a mesh PKI.
                     PKI 1 and 2 cross-certificates
                    +-------------------------------+
                    |                               |
                    |                               v
                    |                           +---------+
                    |                      +----| Root CA |---+
                    |                      |    +---------+   |
                    |                      |       PKI 1      |
                    |                      v                  v
                    |                     +------+         +------+
                    v PKI 2             +-|  CA  |-+       |  CA  |
                   +------+             | +------+ |       +------+
          +------->|  CA  |<-----+      |     |    |         |   |
          |        +------+      |      |     |    |         |   |
          |         |    |       |      v     v    v         v   v
          |         |    |       |  +----+ +----+ +----+ +----+ +----+
          |         v    v       |  | EE | | EE | | EE | | EE | | EE |
          |      +----+ +----+   |  +----+ +----+ +----+ +----+ +----+
          |      | EE | | EE |   |
          |      +----+ +----+   |
          v                      v
       +------+                +------+
       |  CA  |<-------------->|  CA  |------+
       +------+                +------+      |
        |    |                  |    |       |
        |    |                  |    |       |
        v    v                  v    v       v
    +----+ +----+            +----+ +----+ +----+
    | EE | | EE |            | EE | | EE | | EE |
    +----+ +----+            +----+ +----+ +----+
                        Figure 4 - Hybrid PKI
 In current implementations, this situation creates a concern that the
 applications used under the hierarchical PKIs will not have path
 building capabilities robust enough to handle this more complex
 certificate graph.  As the number of cross-certified PKIs grows, the
 number of the relationships between them grows exponentially.  Two
 principal concerns about cross-certification are the creation of
 unintended certification paths through transitive trust, and the
 dilution of assurance when a high-assurance PKI with restrictive
 operating policies is cross-certified with a PKI with less

Cooper, et al. Informational [Page 12] RFC 4158 Certification Path Building September 2005

 restrictive policies.  (Proper name constraints and certificate
 policies processing can help mitigate the problem of assurance
 dilution.)

1.5.4. Bridge Structures

 Another approach to the interconnection of PKIs is the use of a
 "bridge" certification authority (BCA).  A BCA is a nexus to
 establish trust paths among multiple PKIs.  The BCA cross-certifies
 with one CA in each participating PKI.  Each PKI only cross-certifies
 with one other CA (i.e., the BCA), and the BCA cross-certifies only
 once with each participating PKI.  As a result, the number of cross
 certified relationships in the bridged environment grows linearly
 with the number of PKIs whereas the number of cross-certified
 relationships in mesh architectures grows exponentially.  However,
 when connecting PKIs in this way, the number and variety of PKIs
 involved results in a non-hierarchical environment, such as the one
 as depicted in Figure 5.  (Note: as discussed in Section 2.3, non-
 hierarchical PKIs can be considered hierarchical, depending upon
 perspective.)

Cooper, et al. Informational [Page 13] RFC 4158 Certification Path Building September 2005

                    PKI 1 cross-certified with Bridge
                    +-------------------------------+
                    |                               |
                    v                               v
              +-----------+                    +---------+
              | Bridge CA |                +---| Root CA |-----+
              +-----------+                |   +---------+     |
                    ^                      |      PKI 1        |
         PKI 2 cross|cert with Bridge      v                   v
                    |                     +------+         +------+
                    v PKI 2             +-|  CA  |-+       |  CA  |
                   +------+             | +------+ |       +------+
          +------->|  CA  |<-----+      |     |    |         |   |
          |        +------+      |      |     |    |         |   |
          |         |    |       |      v     v    v         v   v
          |         |    |       |  +----+ +----+ +----+ +----+ +----+
          |         v    v       |  | EE | | EE | | EE | | EE | | EE |
          |      +----+ +----+   |  +----+ +----+ +----+ +----+ +----+
          |      | EE | | EE |   |
          |      +----+ +----+   |
          v                      v
       +------+                +------+
       |  CA  |<-------------->|  CA  |------+
       +------+                +------+      |
        |    |                  |    |       |
        |    |                  |    |       |
        v    v                  v    v       v
    +----+ +----+            +----+ +----+ +----+
    | EE | | EE |            | EE | | EE | | EE |
    +----+ +----+            +----+ +----+ +----+
           Figure 5 - Cross-Certification with a Bridge CA

1.6. Bridge Structures and Certification Path Processing

 Developers building certificate-enabled applications intended for
 widespread use throughout various sectors are encouraged to consider
 supporting a Bridge PKI structure because implementation of
 certification path processing functions to support a Bridge PKI
 structure requires support of all the PKI structures (e.g.,
 hierarchical, mesh, hybrid) which the Bridge may connect.  An
 application that can successfully build valid certification paths in
 all Bridge PKIs will therefore have implemented all of the processing
 logic required to support the less complicated PKI structures.  Thus,
 if an application fully supports the Bridge PKI structure, it can be
 deployed in any standards-compliant PKI environment and will perform
 the required certification path processing properly.

Cooper, et al. Informational [Page 14] RFC 4158 Certification Path Building September 2005

2. Certification Path Building

 Certification path building is the process by which the certificate
 processing system obtains the certification path between a trust
 anchor and the target certificate.  Different implementations can
 build the certification path in different ways; therefore, it is not
 the intent of this document to recommend a single "best" way to
 perform this function.  Rather, guidance is provided on the technical
 issues that surround the path-building process, and on the
 capabilities path-building implementations need in order to build
 certification paths successfully, irrespective of PKI structures.

2.1. Introduction to Certification Path Building

 A certification path is an ordered list of certificates starting with
 a certificate that can be validated by one of the relying party's
 trust anchors, and ending with the certificate to be validated.  (The
 certificate to be validated is referred to as the "target
 certificate" throughout this document.)  Though not required, as a
 matter of convenience these trust anchors are typically stored in
 trust anchor certificates.  The intermediate certificates that
 comprise the certification path may be retrieved by any means
 available to the validating application.  These sources may include
 LDAP, HTTP, SQL, a local cache or certificate store, or as part of
 the security protocol itself as is common practice with signed S/MIME
 messages and SSL/TLS sessions.
 Figure 6 shows an example of a certification path.  In this figure,
 the horizontal arrows represent certificates, and the notation B(A)
 signifies a certificate issued to B, signed by A.
    +---------+      +-----+     +-----+     +-----+     +--------+
    |  Trust  |----->| CA  |---->| CA  |---->| CA  |---->| Target |
    | Anchor  |  :   |  A  |  :  |  B  |  :  |  C  |  :  |   EE   |
    +---------+  :   +-----+  :  +-----+  :  +-----+  :  +--------+
                 :            :           :           :
                 :            :           :           :
               Cert 1       Cert 2      Cert 3      Cert 4
          A(Trust Anchor)    B(A)        C(B)      Target(C)
                Figure 6 - Example Certification Path
 Unlike certification path validation, certification path building is
 not addressed by the standards that define the semantics and
 structure of a PKI.  This is because the validation of a
 certification path is unaffected by the method in which the
 certification path was built.  However, the ability to build a valid
 certification path is of paramount importance for applications that

Cooper, et al. Informational [Page 15] RFC 4158 Certification Path Building September 2005

 rely on a PKI.  Without valid certification paths, certificates
 cannot be validated according to [RFC3280] and therefore cannot be
 trusted.  Thus, the ability to build a path is every bit as important
 as the ability to validate it properly.
 There are many issues that can complicate the path-building process.
 For example, building a path through a cross-certified environment
 could require the path-building module to traverse multiple PKI
 domains spanning multiple directories, using multiple algorithms, and
 employing varying key lengths.  A path-building client may also need
 to manage a number of trust anchors, partially populated directory
 entries (e.g., missing issuedToThisCA entries in the
 crossCertificatePair attribute), parsing of certain certificate
 extensions (e.g., authorityInformationAccess) and directory
 attributes (e.g., crossCertificatePair), and error handling such as
 loop detection.
 In addition, a developer has to decide whether to build paths from a
 trust anchor (the reverse direction) to the target certificate or
 from the target certificate (the forward direction) to a trust
 anchor.  Some implementations may even decide to use both.  The
 choice a developer makes should be dependent on the environment and
 the underlying PKI for that environment.  More information on making
 this choice can be found in Section 2.3.

2.2. Criteria for Path Building

 From this point forward, this document will be discussing specific
 algorithms and mechanisms to assist developers of certification
 path-building implementations.  To provide justification for these
 mechanisms, it is important to denote what the authors considered the
 criteria for a path-building implementation.
 Criterion 1: The implementation is able to find all possible paths,
 excepting paths containing repeated subject name/public key pairs.
 This means that all potentially valid certification paths between the
 trust anchor and the target certificate which may be valid paths can
 be built by the algorithm.  As discussed in Section 2.4.2, we
 recommend that subject names and public key pairs are not repeated in
 paths.
 Criterion 2: The implementation is as efficient as possible.  An
 efficient certification path-building implementation is defined to be
 one that builds paths that are more likely to validate following
 [RFC3280], before building paths that are not likely to validate,
 with the understanding that there is no way to account for all
 possible configurations and infrastructures.  This criterion is
 intended to ensure implementations that can produce useful error

Cooper, et al. Informational [Page 16] RFC 4158 Certification Path Building September 2005

 information.  If a particular path is entirely valid except for a
 single expired certificate, this is most likely the 'right' path.  If
 other paths are developed that are invalid for multiple obscure
 reasons, this provides little useful information.
 The algorithms and mechanisms discussed henceforth are chosen because
 the authors consider them to be good methods for meeting the above
 criteria.

2.3. Path-Building Algorithms

 It is intuitive for people familiar with the Bridge CA concept or
 mesh type PKIs to view path building as traversing a complex graph.
 However, from the simplest viewpoint, writing a path-building module
 can be nothing more than traversal of a spanning tree, even in a very
 complex cross-certified environment.  Complex environments as well as
 hierarchical PKIs can be represented as trees because certificates
 are not permitted to repeat in a path.  If certificates could be
 repeated, loops can be formed such that the number of paths and
 number of certificates in a path both increase without bound (e.g., A
 issues to B, B issues to C, and C issues to A).  Figure 7 below
 illustrates this concept from the trust anchor's perspective.

Cooper, et al. Informational [Page 17] RFC 4158 Certification Path Building September 2005

          +---------+                        +---------+
          |  Trust  |                        |  Trust  |
          | Anchor  |                        |  Anchor |
          +---------+                        +---------+
           |       |                         |         |
           v       v                         v         v
        +---+    +---+                     +---+      +---+
        | A |<-->| C |                  +--| A |      | C |--+
        +---+    +---+                  |  +---+      +---+  |
         |         |                    |     |       |      |
         |  +---+  |                    v     v       v      v
         +->| B |<-+                  +---+  +---+  +---+  +---+
            +---+                     | B |  | C |  | A |  | B |
              |                       +---+  +---+  +---+  +---+
              v                         |      |      |       |
            +----+                      v      v      v       v
            | EE |                  +----+   +---+  +---+  +----+
            +----+                  | EE |   | B |  | B |  | EE |
                                    +----+   +---+  +---+  +----+
       A certificate graph with               |        |
       bi-directional cross-cert.             v        v
       between CAs A and C.                 +----+  +----+
                                            | EE |  | EE |
                                            +----+  +----+
                                       The same certificate graph
                                       rendered as a tree - the
                                       way path-building software
                                       could see it.
   Figure 7 - Simple Certificate Graph - From Anchor Tree Depiction
 When viewed from this perspective, all PKIs look like hierarchies
 emanating from the trust anchor.  An infrastructure can be depicted
 in this way regardless of its complexity.  In Figure 8, the same
 graph is depicted from the end entity (EE) (the target certificate in
 this example).  It would appear this way if building in the forward
 (from EE or from target) direction.  In this example, without knowing
 any particulars of the certificates, it appears at first that
 building from EE has a smaller decision tree than building from the
 trust anchor.  While it is true that there are fewer nodes in the
 tree, it is not necessarily more efficient in this example.

Cooper, et al. Informational [Page 18] RFC 4158 Certification Path Building September 2005

                    +---------+         +---------+
                    |  Trust  |         |  Trust  |
                    | Anchor  |         |  Anchor |
                    +---------+         +---------+
                         ^                   ^
                         |                   |
                         |                   |
                       +---+               +---+
                       | A |               | C |
                       +---+               +---+
          +---------+    ^                   ^      +---------+
          |  Trust  |    |                   |      |  Trust  |
          | Anchor  |    |                   |      |  Anchor |
          +---------+    |                   |      +---------+
               ^         |                   |           ^
               |       +---+               +---+         |
               +-------| C |               | A |---------+
                       +---+               +---+
                        ^                    ^
                        |                    |
                        |         +---+      |
                        +---------| B |------+
                                  +---+
                                    ^
                                    |
                                    |
                                 +----+
                                 | EE |
                                 +----+
                 The same certificate graph rendered
                  as a tree but from the end entity
                    rather than the trust anchor.
   Figure 8 - Certificate Graph - From Target Certificate Depiction
 Suppose a path-building algorithm performed no optimizations.  That
 is, the algorithm is only capable of detecting that the current
 certificate in the tree was issued by the trust anchor, or that it
 issued the target certificate (EE).  From the tree above, building
 from the target certificate will require going through two
 intermediate certificates before encountering a certificate issued by
 the trust anchor 100% of the time (e.g., EE chains to B, which then
 chains to C, which is issued by the Trust Anchor).  The path-building
 module would not chain C to A because it can recognize that C has a
 certificate issued by the Trust Anchor (TA).

Cooper, et al. Informational [Page 19] RFC 4158 Certification Path Building September 2005

 On the other hand, in the first tree (Figure 7: from anchor
 depiction), there is a 50% probability of building a path longer than
 needed (e.g., TA to A to C to B to EE rather than the shorter TA to A
 to B to EE).  However, even given our simplistic example, the path-
 building software, when at A, could be designed to recognize that B's
 subject distinguished name (DN) matches the issuer DN of the EE.
 Given this one optimization, the builder could prefer B to C.  (B's
 subject DN matches that of the EE's issuer whereas C's subject DN
 does not.)  So, for this example, assuming the issuedByThisCA
 (reverse) and issuedToThisCA (forward) elements were fully populated
 in the directory and our path-building module implemented the
 aforementioned DN matching optimization method, path building from
 either the trust anchor or the target certificate could be made
 roughly equivalent.  A list of possible optimization methods is
 provided later in this document.
 A more complicated example is created when the path-building software
 encounters a situation when there are multiple certificates from
 which to choose while building a path.  We refer to this as a large
 decision tree, or a situation with high fan-out.  This might occur if
 an implementation has multiple trust anchors to choose from, and is
 building in the reverse (from trust anchor) direction.  Or, it may
 occur in either direction if a Bridge CA is encountered.  Large
 decision trees are the enemy of efficient path-building software.  To
 combat this problem, implementations should make careful decisions
 about the path-building direction, and should utilize optimizations
 such as those discussed in Section 3.1 when confronted with a large
 decision tree.
 Irrespective of the path-building approach for any path-building
 algorithm, cases can be constructed that make the algorithm perform
 poorly.  The following questions should help a developer decide from
 which direction to build certification paths for their application:
 1) What is required to accommodate the local PKI environment and the
    PKI environments with which interoperability will be required?
    a. If using a directory, is the directory [RFC2587] compliant
       (specifically, are the issuedToThisCA [forward] cross-
       certificates and/or the cACertificate attributes fully
       populated in the directory)?  If yes, you are able to build in
       the forward direction.
    b. If using a directory, does the directory contain all the
       issuedByThisCA (reverse) cross-certificates in the
       crossCertificatePair attribute, or, alternately, are all
       certificates issued from each CA available via some other
       means?  If yes, it is possible to build in the reverse

Cooper, et al. Informational [Page 20] RFC 4158 Certification Path Building September 2005

       direction.  Note: [RFC2587] does not require the issuedByThisCA
       (reverse) cross-certificates to be populated; if they are
       absent it will not be possible to build solely in the reverse
       direction.
    c. Are all issuer certificates available via some means other than
       a directory (e.g., the authorityInformationAccess extension is
       present and populated in all certificates)?  If yes, you are
       able to build in the forward direction.
 2) How many trust anchors will the path-building and validation
    software be using?
    a. Are there (or will there be) multiple trust anchors in the
       local PKI?  If yes, forward path building may offer better
       performance.
    b. Will the path-building and validation software need to place
       trust in trust anchors from PKIs that do not populate reverse
       cross-certificates for all intermediate CAs?  If no, and the
       local PKI populates reverse cross-certificates, reverse path
       building is an option.

2.4. How to Build a Certification Path

 As was discussed in the prior section, path building is essentially a
 tree traversal.  It was easy to see how this is true in a simple
 example, but how about a more complicated one? Before taking a look
 at more a complicated scenario, it is worthwhile to address loops and
 what constitutes a loop in a certification path.  [X.509] specifies
 that the same certificate may not repeat in a path.  In a strict
 sense, this works well as it is not possible to create an endless
 loop without repeating one or more certificates in the path.
 However, this requirement fails to adequately address Bridged PKI
 environments.

Cooper, et al. Informational [Page 21] RFC 4158 Certification Path Building September 2005

          +---+    +---+
          | F |--->| H |
          +---+    +---+
           ^ ^       ^
           |  \       \
           |   \       \
           |    v       v
           |  +---+    +---+
           |  | G |--->| I |
           |  +---+    +---+
           |   ^
           |  /
           | /
       +------+       +-----------+        +------+   +---+   +---+
       | TA W |<----->| Bridge CA |<------>| TA X |-->| L |-->| M |
       +------+       +-----------+        +------+   +---+   +---+
                         ^      ^               \        \
                        /        \               \        \
                       /          \               \        \
                      v            v               v        v
                +------+         +------+        +---+    +---+
                | TA Y |         | TA Z |        | J |    | N |
                +------+         +------+        +---+    +---+
                 /   \              / \            |        |
                /     \            /   \           |        |
               /       \          /     \          v        v
              v         v        v       v       +---+    +----+
            +---+     +---+    +---+   +---+     | K |    | EE |
            | A |<--->| C |    | O |   | P |     +---+    +----+
            +---+     +---+    +---+   +---+
               \         /      /  \       \
                \       /      /    \       \
                 \     /      v      v       v
                  v   v    +---+    +---+   +---+
                  +---+    | Q |    | R |   | S |
                  | B |    +---+    +---+   +---+
                  +---+               |
                    /\                |
                   /  \               |
                  v    v              v
               +---+  +---+         +---+
               | E |  | D |         | T |
               +---+  +---+         +---+
                     Figure 9 - Four Bridged PKIs

Cooper, et al. Informational [Page 22] RFC 4158 Certification Path Building September 2005

 Figure 9 depicts four root certification authorities cross-certified
 with a Bridge CA (BCA).  While multiple trust anchors are shown in
 the Figure, our examples all consider TA Z as the trust anchor.  The
 other trust anchors serve different relying parties.  By building
 certification paths through the BCA, trust can be extended across the
 four infrastructures.  In Figure 9, the BCA has four certificates
 issued to it; one issued from each of the trust anchors in the graph.
 If stored in the BCA directory system, the four certificates issued
 to the BCA would be stored in the issuedToThisCA (forward) entry of
 four different crossCertificatePair structures.  The BCA also has
 issued four certificates, one to each of the trust anchors.  If
 stored in the BCA directory system, those certificates would be
 stored in the issuedByThisCA (reverse) entry of the same four
 crossCertificatePair structures.  (Note that the cross-certificates
 are stored as matched pairs in the crossCertificatePair attribute.
 For example, a crossCertificatePair structure might contain both A(B)
 and B(A), but not contain A(C) and B(A).)  The four
 crossCertificatePair structures would then be stored in the BCA's
 directory entry in the crossCertificatePair attribute.

2.4.1. Certificate Repetition

 [X.509] requires that certificates are not repeated when building
 paths.  For instance, from the figure above, do not build the path TA
 Z->BCA->Y->A->C->A->C->B->D.  Not only is the repetition unnecessary
 to build the path from Z to D, but it also requires the reuse of a
 certificate (the one issued from C to A), which makes the path non-
 compliant with [X.509].
 What about the following path from TA Z to EE?
             TA Z->BCA->Y->BCA->W->BCA->X->L->N->EE
 Unlike the first example, this path does not require a developer to
 repeat any certificates; therefore, it is compliant with [X.509].
 Each of the BCA certificates is issued from a different source and is
 therefore a different certificate.  Suppose now that the bottom left
 PKI (in Figure 9) had double arrows between Y and C, as well as
 between Y and A.  The following path could then be built:
             TA Z->BCA->Y->A->C->Y->BCA->W->BCA->X->L->N->EE
 A path such as this could become arbitrarily complex and traverse
 every cross-certified CA in every PKI in a cross-certified
 environment while still remaining compliant with [X.509].  As a
 practical matter, the path above is not something an application
 would typically want or need to build for a variety of reasons:

Cooper, et al. Informational [Page 23] RFC 4158 Certification Path Building September 2005

  1. First, certification paths like the example above are generally

not intended by the PKI designers and should not be necessary in

      order to validate any given certificate.  If a convoluted path
      such as the example above is required (there is no corresponding
      simple path) in order to validate a given certificate, this is
      most likely indicative of a flaw in the PKI design.
  1. Second, the longer a path becomes, the greater the potential

dilution of trust in the certification path. That is, with each

      successive link in the infrastructure (i.e., certification by
      CAs and cross-certification between CAs) some amount of
      assurance may be considered lost.
  1. Third, the longer and more complicated a path, the less likely

it is to validate because of basic constraints, policies or

      policy constraints, name constraints, CRL availability, or even
      revocation.
  1. Lastly, and certainly not least important from a developer's or

user's perspective, is performance. Allowing paths like the one

      above dramatically increases the number of possible paths for
      every certificate in a mesh or cross-certified environment.
      Every path built may require one or more of the following:
      validation of certificate properties, CPU intensive signature
      validations, CRL retrievals, increased network load, and local
      memory caching.  Eliminating the superfluous paths can greatly
      improve performance, especially in the case where no path
      exists.
 There is a special case involving certificates with the same
 distinguished names but differing encodings required by [RFC3280].
 This case should not be considered a repeated certificate.  See
 Section 5.4 for more information.

2.4.2. Introduction to Path-Building Optimization

 How can these superfluous paths be eliminated?  Rather than only
 disallowing identical certificates from repeating, it is recommended
 that a developer disallow the same public key and subject name pair
 from being repeated.  For maximum flexibility, the subject name
 should collectively include any subject alternative names.  Using
 this approach, all of the intended and needed paths should be
 available, and the excess and diluted paths should be eliminated.
 For example, using this approach, only one path exists from the TA Z
 to EE in the diagram above: TA Z->BCA->X->L->N->EE.

Cooper, et al. Informational [Page 24] RFC 4158 Certification Path Building September 2005

 Given the simplifying rule of not repeating pairs of subject names
 (including subject alternative names) and public keys, and only using
 certificates found in the cACertificate and forward (issuedToThisCA)
 element of the crossCertificatePair attributes, Figure 10 depicts the
 forward path-building decision tree from the EE to all reachable
 nodes in the graph.  This is the ideal graph for a path builder
 attempting to build a path from TA Z to EE.
      +------+       +-----------+        +------+   +---+
      | TA W |<------| Bridge CA |<-------| TA X |<--| L |
      +------+       +-----------+        +------+   +---+
                        /     \                        ^
                       /       \                        \
                      /         \                        \
                     v           v                        \
               +------+         +------+                 +---+
               | TA Y |         | TA Z |                 | N |
               +------+         +------+                 +---+
                                                           ^
                                                            \
                                                             \
                                                           +----+
                                                           | EE |
                                                           +----+
           Figure 10 - Forward (From Entity) Decision Tree
 It is not possible to build forward direction paths into the
 infrastructures behind CAs W, Y, and Z, because W, Y, and Z have not
 been issued certificates by their subordinate CAs.  (The subordinate
 CAs are F and G, A and C, and O and P, respectively.)  If simplicity
 and speed are desirable, the graph in Figure 10 is a very appealing
 way to structure the path-building algorithm.  Finding a path from
 the EE to one of the four trust anchors is reasonably simple.
 Alternately, a developer could choose to build in the opposite
 direction, using the reverse cross-certificates from any one of the
 four trust anchors around the BCA.  The graph in Figure 11 depicts
 all possible paths as a tree emanating from TA Z.  (Note: it is not
 recommended that implementations attempt to determine all possible
 paths, this would require retrieval and storage of all PKI data
 including certificates and CRLs!  This example is provided to
 demonstrate the complexity which might be encountered.)

Cooper, et al. Informational [Page 25] RFC 4158 Certification Path Building September 2005

   +---+    +---+
   | I |--->| H |
   +---+    +---+
     ^
     |      +---+    +---+
     |      | H |--->| I |
     |      +---+    +---+
   +---+     ^
   | G |    /      +---+    +---+    +---+
   +---+   /       | F |--->| H |--->| I |
     ^    /        +---+    +---+    +---+
      \  /          ^
       \/          /
      +---+    +---+    +---+    +---+                +---+
      | F |    | G |--->| I |--->| H |                | M |
      +---+    +---+    +---+    +---+                +---+
        ^      ^                                        ^
        |     /                                         |
      +------+       +-----------+         +------+   +---+
      | TA W |<------| Bridge CA |-------->| TA X |-->| L |
      +------+       +-----------+         +------+   +---+
                      /          ^              \         \
                     v            \              v         v
               +------+            +------+     +---+     +---+
               | TA Y |            | TA Z |     | J |     | N |
               +------+            +------+     +---+     +---+
              /       \              /     \        \       \
             v         v            v       v        v       v
          +---+      +---+        +---+   +---+    +---+  +----+
          | A |      | C |        | O |   | P |    | K |  | EE |
          +---+      +---+        +---+   +---+    +---+  +----+
          /   \       /   \       /   \        \
         v     v     v     v     v     v        v
      +---+ +---+ +---+ +---+ +---+ +---+     +---+
      | B | | C | | A | | B | | Q | | R |     | S |
      +---+ +---+ +---+ +---+ +---+ +---+     +---+
      /    \     \    \    \      \     \
     v      v     v    v    v      v     v
   +---+ +---+ +---+ +---+ +---+  +---+  +---+
   | E | | D | | B | | B | | E |  | D |  | T |
   +---+ +---+ +---+ +---+ +---+  +---+  +---+
               /  |    |  \
             v    v    v   v
         +---+ +---+ +---+ +---+
         | E | | D | | E | | D |
         +---+ +---+ +---+ +---+
           Figure 11 - Reverse (From Anchor) Decision Tree

Cooper, et al. Informational [Page 26] RFC 4158 Certification Path Building September 2005

 Given the relative complexity of this decision tree, it becomes clear
 that making the right choices while navigating the tree can make a
 large difference in how quickly a valid path is returned.  The path-
 building software could potentially traverse the entire graph before
 choosing the shortest path:  TA Z->BCA->X->L->N->EE.  With a decision
 tree like the one above, the basic depth first traversal approach
 introduces obvious inefficiencies in the path-building process.  To
 compensate for this, a path-building module needs to decide not only
 in which direction to traverse the tree, but also which branches of
 the tree are more likely to yield a valid path.
 The path-building algorithm then ideally becomes a tree traversal
 algorithm with weights or priorities assigned to each branch point to
 guide the decision making.  If properly designed, such an approach
 would effectively yield the "best path first" more often than not.
 (The terminology "best path first" is quoted because the definition
 of the "best" path may differ from PKI to PKI.  That is ultimately to
 be determined by the developer, not by this document.)  Finding the
 "best path first" is an effort to make the implementation efficient,
 which is one of our criteria as stated in Section 2.2.
 So how would a developer go about finding the best path first?  Given
 the simplifying idea of addressing path building as a tree traversal,
 path building could be structured as a depth first search.  A simple
 example of depth first tree traversal path building is depicted in
 Figure 12, with no preference given to sort order.
 Note: The arrows in the lower portion of the figure do not indicate
 the direction of certificate issuance; they indicate the direction of
 the tree traversal from the target certificate (EE).

Cooper, et al. Informational [Page 27] RFC 4158 Certification Path Building September 2005

             +----+                        +----+  +----+
             | TA |                        | TA |  | TA |
             +----+                        +----+  +----+
              /  \                           ^     ^
             /    \                           |     |
            v      v                        +---+ +---+
          +---+   +---+                     | A | | C |
          | A |<->| C |                     +---+ +---+
          +---+   +---+                        ^   ^
            ^      ^                   +----+  |   |  +----+
             \    /                    | TA |  |   |  | TA |
              v  v                     +----+  |   |  +----+
             +---+                         ^   |   |   ^
             | B |                          \  |   |  /
             +---+                           \ |   | /
              / \                           +---+ +---+
             /   \                          | C | | A |
            v     v                         +---+ +---+
          +---+ +---+                          ^    ^
          | E | | D |                          |   /
          +---+ +---+                          |  /
                                              +---+
        Infrastructure                        | B |
                                              +---+
                                                ^
                                                |
                                             +----+
                                             | EE |
                                             +----+
                                    The Same Infrastructure
                                     Represented as a Tree

Cooper, et al. Informational [Page 28] RFC 4158 Certification Path Building September 2005

                  +----+               +----+
                  | TA |               | TA |
                  +----+               +----+
                     ^                    ^
                     |                    |
                    +---+               +---+
                    | A |               | C |
                    +---+               +---+
 +----+                ^                 ^                 +----+
 | TA |                |                 |                 | TA |
 +----+                |                 |                 +----+
    ^                  |                 |                   ^
     \                 |                 |                  /
    +---+           +---+                +---+           +---+
    | C |           | C |                | A |           | A |
    +---+           +---+                +---+           +---+
       ^               ^                    ^               ^
       |               |                   /               /
       |               |                  /               /
      +---+           +---+          +---+           +---+
      | B |           | B |          | B |           | B |
      +---+           +---+          +---+           +---+
        ^               ^              ^               ^
        |               |              |               |
        |               |              |               |
      +----+          +----+         +----+          +----+
      | EE |          | EE |         | EE |          | EE |
      +----+          +----+         +----+          +----+
                   All possible paths from EE to TA
              using a depth first decision tree traversal
     Figure 12 - Path Building Using a Depth First Tree Traversal
 Figure 12 illustrates that four possible paths exist for this
 example.  Suppose that the last path (TA->A->B->EE) is the only path
 that will validate.  This could be for any combination of reasons
 such as name constraints, policy processing, validity periods, or
 path length constraints.  The goal of an efficient path-building
 component is to select the fourth path first by testing properties of
 the certificates as the tree is traversed.  For example, when the
 path-building software is at entity B in the graph, it should examine
 both choices A and C to determine which certificate is the most
 likely best choice.  An efficient module would conclude that A is the
 more likely correct path.  Then, at A, the module compares
 terminating the path at TA, or moving to C.  Again, an efficient
 module will make the better choice (TA) and thereby find the "best
 path first".

Cooper, et al. Informational [Page 29] RFC 4158 Certification Path Building September 2005

 What if the choice between CA certificates is not binary as it was in
 the previous example?  What if the path-building software encounters
 a branch point with some arbitrary number of CA certificates thereby
 creating the same arbitrary number of tree branches?  (This would be
 typical in a mesh style PKI CA, or at a Bridge CA directory entry, as
 each will have multiple certificates issued to itself from other
 CAs.)  This situation actually does not change the algorithm at all,
 if it is structured properly.  In our example, rather than treating
 each decision as binary (i.e., choosing A or C), the path-building
 software should sort all the available possibilities at any given
 branch point, and then select the best choice from the list.  In the
 event the path could not be built through the first choice, then the
 second choice should be tried next upon traversing back to that point
 in the tree.  Continue following this pattern until a path is found
 or all CA nodes in the tree have been traversed.  Note that the
 certificates at any given point in the tree should only be sorted at
 the time a decision is first made.  Specifically, in the example, the
 sorting of A and C is done when the algorithm reached B.  There is no
 memory resident representation of the entire tree.  Just like any
 other recursive depth first search algorithm, the only information
 the algorithm needs to keep track of is what nodes (entities) in the
 tree lie behind it on the current path, and for each of those nodes,
 which arcs (certificates) have already been tried.

2.5. Building Certification Paths for Revocation Signer Certificates

 Special consideration is given to building a certification path for
 the Revocation Signer certificate because it may or may not be the
 same as the Certification Authority certificate.  For example, after
 a CA performs a key rollover, the new CA certificate will be the CRL
 Signer certificate, whereas the old CA certificate is the
 Certification Authority certificate for previously issued
 certificates.  In the case of indirect CRLs, the CRL Signer
 certificate will contain a different name and key than the
 Certification Authority certificate.  In the case of OCSP, the
 Revocation Signer certificate may represent an OCSP Responder that is
 not the same entity as the Certification Authority.
 When the Revocation Signer certificate and the Certification
 Authority certificate are identical, no additional consideration is
 required from a certification path-building standpoint.  That is, the
 certification path built (and validated) for the Certification
 Authority certificate can also be used as the certification path for
 the Revocation Signer certificate.  In this case, the signature on
 the revocation data (e.g., CRL or OCSP response) is verified using
 the same certificate, and no other certification path building is
 required.  An efficient certification path validation algorithm
 should first try all possible CRLs issued by the Certification

Cooper, et al. Informational [Page 30] RFC 4158 Certification Path Building September 2005

 Authority to determine if any of the CRLs (a) cover the certificate
 in question, (b) are current, and (c) are signed using the same key
 used to sign the certificate.
 When the Revocation Signer certificate is not identical to the
 Certification Authority certificate, a certification path must be
 built (and validated) for the Revocation Signer certificate.  In
 general, the certification path-building software may build the path
 as it would for any other certificate.  However, this document also
 outlines methods in later sections for greatly improving path
 building efficiency for Revocation Signer certificate case.

2.6. Suggested Path-Building Software Components

 There is no single way to define an interface to a path-building
 module.  It is not the intent of this document to prescribe a
 particular method or semantic; rather, it is up to the implementer to
 decide.  There are many ways this could be done.  For example, a
 path-building module could build every conceivable path and return
 the entire list to the caller.  Or, the module could build until it
 finds just one that validates and then terminate the procedure.  Or,
 it could build paths in an iterative fashion, depending on validation
 outside of the builder and successive calls to the builder to get
 more paths until one valid path is found or all possible paths have
 been found.  All of these are possible approaches, and each of these
 may offer different benefits to a particular environment or
 application.
 Regardless of semantics, a path-building module needs to contain the
 following components:
 1) The logic for building and traversing the certificate graph.
 2) Logic for retrieving the necessary certificates (and CRLs and/or
    other revocation status information if the path is to be
    validated) from the available source(s).
 Assuming a more efficient and agile path-building module is desired,
 the following is a good starting point and will tie into the
 remainder of this document.  For a path-building module to take full
 advantage of all the suggested optimizations listed in this document,
 it will need all of the components listed below.
 1) A local certificate and CRL cache.
    a. This may be used by all certificate-using components; it does
       not need to be specific to the path-building software.  A local
       cache could be memory resident, stored in an operating system

Cooper, et al. Informational [Page 31] RFC 4158 Certification Path Building September 2005

       or application certificate store, stored in a database, or even
       stored in individual files on the hard disk.  While the
       implementation of this cache is beyond the scope of this
       document, some design considerations are listed below.
 2) The logic for building and traversing the certificate graph/tree.
    a. This performs sorting functionality for prioritizing
       certificates (thereby optimizing path building) while
       traversing the tree.
    b. There is no need to build a complete graph prior to commencing
       path building.  Since path building can be implemented as a
       depth first tree traversal, the path builder only needs to
       store the current location in the tree along with the points
       traversed to the current location.  All completed branches can
       be discarded from memory and future branches are discovered as
       the tree is traversed.
 3) Logic for retrieving the necessary certificates from the available
    certificate source(s):
    a. Local cache.
          i. Be able to retrieve all certificates for an entity by
             subject name, as well as individual certificates by
             issuer and serial number tuple.
         ii. Tracking which directory attribute (including
             issuedToThisCA <forward> and issuedByThisCA <reverse>
             for split crossCertificatePair attributes) each
             certificate was found in may be useful.  This allows for
             functionality such as retrieving only forward cross-
             certificates, etc.
        iii. A "freshness" timestamp (cache expiry time) can be used
             to determine when the directory should be searched
             again.
    b. LDAPv3 directory for certificates and CRLs.
          i. Consider supporting multiple directories for general
             queries.
         ii. Consider supporting dynamic LDAP connections for
             retrieving CRLs using an LDAP URI [RFC3986] in the CRL
             distribution point certificate extension.

Cooper, et al. Informational [Page 32] RFC 4158 Certification Path Building September 2005

        iii. Support LDAP referrals.  This is typically only a matter
             of activating the appropriate flag in the LDAP API.
    c. HTTP support for CRL distribution points and authority
       information access (AIA) support.
        i. Consider HTTPS support, but be aware that this may create
           an unbounded recursion when the implementation tries to
           build a certification path for the server's certificate if
           this in turn requires an additional HTTPS lookup.
 4) A certification path cache that stores previously validated
    relationships between certificates.  This cache should include:
    a. A configurable expiration date for each entry.  This date can
       be configured based upon factors such as the expiry of the
       information used to determine the validity of an entry,
       bandwidth, assurance level, storage space, etc.
    b. Support to store previously verified issuer certificate to
       subject certificate relationships.
        i. Since the issuer DN and serial number tuple uniquely
           identifies a certificate, a pair of these tuples (one for
           both the issuer and subject) is an effective method of
           storing this relationship.
    c. Support for storing "known bad" paths and certificates.  Once a
       certificate is determined to be invalid, implementations can
       decide not to retry path development and validation.

2.7. Inputs to the Path-Building Module

 [X.509] specifically addresses the list of inputs required for path
 validation but makes no specific suggestions concerning useful inputs
 to path building.  However, given that the goal of path building is
 to find certification paths that will validate, it follows that the
 same inputs used for validation could be used to optimize path
 building.

2.7.1. Required Inputs

 Setting aside configuration information such as repository or cache
 locations, the following are required inputs to the certification
 path-building process:
 1) The Target Certificate: The certificate that is to be validated.
    This is one endpoint for the path.  (It is also possible to

Cooper, et al. Informational [Page 33] RFC 4158 Certification Path Building September 2005

    provide information used to retrieve a certificate for a target,
    rather than the certificate itself.)
 2) Trust List: This is the other endpoint of the path, and can
    consist of either:
    a. Trusted CA certificates
    b. Trusted keys and DNs; a certificate is not necessarily required

2.7.2. Optional Inputs

 In addition to the inputs listed in Section 2.7.1, the following
 optional inputs can also be useful for optimizing path building.
 However, if the path-building software takes advantage of all of the
 optimization methods described later in this document, all of the
 following optional inputs will be required.
 1) Time (T): The time for which the certificate is to be validated
    (e.g., if validating a historical signature from one year ago, T
    is needed to build a valid path)
    a. If not included as an input, the path-building software should
       always build for T equal to the current system time.
 2) Initial-inhibit-policy-mapping indicator
 3) Initial-require-explicit-policy indicator
 4) Initial-any-policy-inhibit indicator
 5) Initial user acceptable policy set
 6) Error handlers (call backs or virtual classes)
 7) Handlers for custom certificate extensions
 8) Is-revocation-provider indicator
    a. IMPORTANT:  When building a certification path for an OCSP
       Responder certificate specified as part of the local
       configuration, this flag should not be set.  It is set when
       building a certification path for a CRL Signer certificate or
       for an OCSP Responder Signer certificate discovered using the
       information asserted in an authorityInformationAccess
       certificate extension.

Cooper, et al. Informational [Page 34] RFC 4158 Certification Path Building September 2005

 9) The complete certification path for the Certification Authority
    (if Is-revocation-provider is set)
 10) Collection of certificates that may be useful in building the
     path
 11) Collection of certificate revocation lists and/or other
     revocation data
 The last two items are a matter of convenience.  Alternately,
 certificates and revocation information could be placed in a local
 cache accessible to the path-building module prior to attempting to
 build a path.

3. Optimizing Path Building

 This section recommends methods for optimizing path-building
 processes.

3.1. Optimized Path Building

 Path building can be optimized by sorting the certificates at every
 decision point (at every node in the tree) and then selecting the
 most promising certificate not yet selected as described in Section
 2.4.2.  This process continues until the path terminates.  This is
 roughly equivalent to the concept of creating a weighted edge tree,
 where the edges are represented by certificates and nodes represent
 subject DNs.  However, unlike the weighted edge graph concept, a
 certification path builder need not have the entire graph available
 in order to function efficiently.  In addition, the path builder can
 be stateless with respect to nodes of the graph not present in the
 current path, so the working data set can be relatively small.
 The concept of statelessness with respect to nodes not in the current
 path is instrumental to using the sorting optimizations listed in
 this document.  Initially, it may seem that sorting a given group of
 certificates for a CA once and then preserving that sorted order for
 later use would be an efficient way to write the path builder.
 However, maintaining this state can quickly eliminate the efficiency
 that sorting provides.  Consider the following diagram:

Cooper, et al. Informational [Page 35] RFC 4158 Certification Path Building September 2005

          +---+
          | R |
          +---+
           ^
          /
         v
       +---+       +---+      +---+    +---+    +----+
       | A |<----->| E |<---->| D |--->| Z |--->| EE |
       +---+       +---+      +---+    +---+    +----+
          ^         ^ ^        ^
           \       /   \      /
            \     /     \    /
             v   v       v  v
             +---+       +---+
             | B |<----->| C |
             +---+       +---+
          Figure 13 - Example of Path-Building Optimization
 In this example, the path builder is building in the forward (from
 target) direction for a path between R and EE.  The path builder has
 also opted to allow subject name and key to repeat.  (This will allow
 multiple traversals through any of the cross-certified CAs, creating
 enough complexity in this small example to illustrate proper state
 maintenance.  Note that a similarly complex example could be designed
 by using multiple keys for each entity and prohibiting repetition.)
 The first step is simple; the builder builds the path Z(D)->EE(Z).
 Next the builder adds D and faces a decision between two
 certificates. (Choose between D(C) or D(E)).  The builder now sorts
 the two choices in order of priority.  The sorting is partially based
 upon what is currently in the path.
 Suppose the order the builder selects is [D(E), D(C)].  The current
 path is now D(E)->Z(D)->EE(Z).  Currently the builder has three nodes
 in the graph (EE, Z, and D) and should maintain the state, including
 sort order of the certificates at D, when adding the next node, E.
 When E is added, the builder now has four certificates to sort: E(A),
 E(B), E(C), and E(D).  In this case, the example builder opts for the
 order [E(C), E(B), E(A), E(D)].  The current path is now E(C)->D(E)->
 Z(D)->EE(Z) and the path has four nodes; EE, Z, D, and E.
 Upon adding the fifth node, C, the builder sorts the certificates
 (C(B), C(D), and C(E)) at C, and selects C(E).  The path is now
 C(E)->E(C)->D(E)->Z(D)->EE(Z) and the path has five nodes: EE, Z, D,
 E, and C.

Cooper, et al. Informational [Page 36] RFC 4158 Certification Path Building September 2005

 Now the builder finds itself back at node E with four certificates.
 If the builder were to use the prior sort order from the first
 encounter with E, it would have [E(C), E(B), E(A), E(D)].  In the
 current path's context, this ordering may be inappropriate.  To begin
 with, the certificate E(C) is already in the path so it certainly
 does not deserve first place.
 The best way to handle this situation is for the path builder to
 handle this instance of E as a new (sixth) node in the tree.  In
 other words, there is no state information for this new instance of E
 - it is treated just as any other new node.  The certificates at the
 new node are sorted based upon the current path content and the first
 certificate is then selected.  For example, the builder may examine
 E(B) and note that it contains a name constraint prohibiting "C".  At
 this point in the decision tree, E(B) could not be added to the path
 and produce a valid result since "C" is already in the path.  As a
 result, the certificate E(B) should placed at the bottom of the
 prioritized list.
 Alternatively, E(B) could be eliminated from this new node in the
 tree.  It is very important to see that this certificate is
 eliminated only at this node and only for the current path.  If path
 building fails through C and traverses back up the tree to the first
 instance of E, E(B) could still produce a valid path that does not
 include C; specifically R->A->B->E->D->Z->EE.  Thus the state at any
 node should not alter the state of previous or subsequent nodes.
 (Except for prioritizing certificates in the subsequent nodes.)
 In this example, the builder should also note that E(C) is already in
 the path and should make it last or eliminate it from this node since
 certificates cannot be repeated in a path.
 If the builder eliminates both certificates E(B) and E(C) at this
 node, it is now only left to select between E(A) and E(D).  Now the
 path has six nodes: EE, Z, D, E(1), C, and E(2).  E(1) has four
 certificates, and E(2) has two, which the builder sorts to yield
 [E(A), E(D)].  The current path is now E(A)->C(E)->E(C)->D(E)->
 Z(D)->EE(Z).  A(R) will be found when the seventh node is added to
 the path and the path terminated because one of the trust anchors has
 been found.
 In the event the first path fails to validate, the path builder will
 still have the seven nodes and associated state information to work
 with.  On the next iteration, the path builder is able to traverse
 back up the tree to a working decision point, such as A, and select
 the next certificate in the sorted list at A.  In this example, that
 would be A(B).  (A(R) has already been tested.)  This would dead end,
 and the builder traverse back up to the next decision point, E(2)

Cooper, et al. Informational [Page 37] RFC 4158 Certification Path Building September 2005

 where it would try D(E).  This process repeats until the traversal
 backs all the way up to EE or a valid path is found.  If the tree
 traversal returns to EE, all possible paths have been exhausted and
 the builder can conclude no valid path exists.
 This approach of sorting certificates in order to optimize path
 building will yield better results than not optimizing the tree
 traversal.  However, the path-building process can be further
 streamlined by eliminating certificates, and entire branches of the
 tree as a result, as paths are built.

3.2. Sorting vs. Elimination

 Consider a situation when building a path in which three CA
 certificates are found for a given target certificate and must be
 prioritized.  When the certificates are examined, as in the previous
 example, one of the three has a name constraint present that will
 invalidate the path built thus far.  When sorting the three
 certificates, that one would certainly go to the back of the line.
 However, the path-building software could decide that this condition
 eliminates the certificate from consideration at this point in the
 graph, thereby reducing the number of certificate choices by 33% at
 this point.
 NOTE: It is important to understand that the elimination of a
 certificate only applies to a single decision point during the tree
 traversal.  The same certificate may appear again at another point in
 the tree; at that point it may or may not be eliminated.  The
 previous section details an example of this behavior.
 Elimination of certificates could potentially eliminate the traversal
 of a large, time-consuming infrastructure that will never lead to a
 valid path.  The question of whether to sort or eliminate is one that
 pits the flexibility of the software interface against efficiency.
 To be clear, if one eliminates invalid paths as they are built,
 returning only likely valid paths, the end result will be an
 efficient path-building module.  The drawback to this is that unless
 the software makes allowances for it, the calling application will
 not be able to see what went wrong.  The user may only see the
 unrevealing error message: "No certification path found."
 On the other hand, the path-building module could opt to not rule out
 any certification paths.  The path-building software could then
 return any and all paths it can build from the certificate graph.  It
 is then up to the validation engine to determine which are valid and
 which are invalid.  The user or calling application can then have
 complete details on why each and every path fails to validate.  The

Cooper, et al. Informational [Page 38] RFC 4158 Certification Path Building September 2005

 drawback is obviously one of performance, as an application or end
 user may wait for an extended period of time while cross-certified
 PKIs are navigated in order to build paths that will never validate.
 Neither option is a very desirable approach.  One option provides
 good performance for users, which is beneficial.  The other option
 though allows administrators to diagnose problems with the PKI,
 directory, or software.  Below are some recommendations to reach a
 middle ground on this issue.
 First, developers are strongly encouraged to output detailed log
 information from the path-building software.  The log should
 explicitly indicate every choice the builder makes and why.  It
 should clearly identify which certificates are found and used at each
 step in building the path.  If care is taken to produce a useful log,
 PKI administrators and help desk personnel will have ample
 information to diagnose a problem with the PKI.  Ideally, there would
 be a mechanism for turning this logging on and off, so that it is not
 running all the time.  Additionally, it is recommended that the log
 contain information so that a developer or tester can recreate the
 paths tried by the path-building software, to assist with diagnostics
 and testing.
 Secondly, it is desirable to return something useful to the user.
 The easiest approach is probably to implement a "dual mode" path-
 building module.  In the first mode [mode 1], the software eliminates
 any and all paths that will not validate, making it very efficient.
 In the second mode [mode 2], all the sorting methods are still
 applied, but no paths are eliminated based upon the sorting methods.
 Having this dual mode allows the module to first fail to find a valid
 path, but still return one invalid path (assuming one exists) by
 switching over to the second mode long enough to generate a single
 path.  This provides a middle ground -- the software is very fast,
 but still returns something that gives the user a more specific error
 than "no path found".
 Third, it may be useful to not rule out any paths, but instead limit
 the number of paths that may be built given a particular input.
 Assuming the path-building module is designed to return the "best
 path first", the paths most likely to validate would be returned
 before this limit is reached.  Once the limit is reached the module
 can stop building paths, providing a more rapid response to the
 caller than one which builds all possible paths.
 Ultimately, the developer determines how to handle the trade-off
 between efficiency and provision of information.  A developer could
 choose the middle ground by opting to implement some optimizations as
 elimination rules and others as not.  A developer could validate

Cooper, et al. Informational [Page 39] RFC 4158 Certification Path Building September 2005

 certificate signatures, or even check revocation status while
 building the path, and then make decisions based upon the outcome of
 those checks as to whether to eliminate the certificate in question.
 This document suggests the following approach:
 1) While building paths, eliminate any and all certificates that do
    not satisfy all path validation requirements with the following
    exceptions:
    a. Do not check revocation status if it requires a directory
       lookup or network access
    b. Do not check digital signatures (see Section 8.1, General
       Considerations for Building A Certification Path, for
       additional considerations).
    c. Do not check anything that cannot be checked as part of the
       iterative process of traversing the tree.
    d. Create a detailed log, if this feature is enabled.
    e. If a path cannot be found, the path builder shifts to "mode 2"
       and allows the building of a single bad path.
          i. Return the path with a failure indicator, as well as
             error information detailing why the path is bad.
 2) If path building succeeds, validate the path in accordance with
    [X.509] and [RFC3280] with the following recommendations:
    a. For a performance boost, do not re-check items already checked
       by the path builder. (Note: if pre-populated paths are supplied
       to the path-building system, the entire path has to be fully
       re-validated.)
    b. If the path validation failed, call the path builder again to
       build another path.
          i. Always store the error information and path from the
             first iteration and return this to the user in the event
             that no valid path is found.  Since the path-building
             software was designed to return the "best path first",
             this path should be shown to the user.
 As stated above, this document recommends that developers do not
 validate digital signatures or check revocation status as part of the
 path-building process.  This recommendation is based on two

Cooper, et al. Informational [Page 40] RFC 4158 Certification Path Building September 2005

 assumptions about PKI and its usage.  First, signatures in a working
 PKI are usually good.  Since signature validation is costly in terms
 of processor time, it is better to delay signature checking until a
 complete path is found and then check the signatures on each
 certificate in the certification path starting with the trust anchor
 (see Section 8.1).  Second, it is fairly uncommon in typical
 application environments to encounter a revoked certificate;
 therefore, most certificates validated will not be revoked.  As a
 result, it is better to delay retrieving CRLs or other revocation
 status information until a complete path has been found.  This
 reduces the probability of retrieving unneeded revocation status
 information while building paths.

3.3. Representing the Decision Tree

 There are a multitude of ways to implement certification path
 building and as many ways to represent the decision tree in memory.
 The method described below is an approach that will work well with
 the optimization methods listed later in this document.  Although
 this approach is the best the authors of this document have
 implemented, it is by no means the only way to implement it.
 Developers should tailor this approach to their own requirements or
 may find that another approach suits their environment, programming
 language, or programming style.

3.3.1. Node Representation for CA Entities

 A "node" in the certification graph is a collection of CA
 certificates with identical subject DNs.  Minimally, for each node,
 in order to fully implement the optimizations to follow, the path-
 building module will need to be able to keep track of the following
 information:
 1. Certificates contained in the node
 2. Sorted order of the certificates
 3. "Current" certificate indicator
 4. The current policy set (It may be split into authority and user
    constrained sets, if desired.)
  1. It is suggested that encapsulating the policy set in an object

with logic for manipulating the set such as performing

      intersections, mappings, etc., will simplify implementation.

Cooper, et al. Informational [Page 41] RFC 4158 Certification Path Building September 2005

 5. Indicators (requireExplicitPolicy, inhibitPolicyMapping,
    anyPolicyInhibit) and corresponding skipCert values
 6. A method for indicating which certificates are eliminated or
    removing them from the node.
  1. If nodes are recreated from the cache on demand, it may be

simpler to remove eliminated certificates from the node.

 7. A "next" indicator that points to the next node in the current
    path
 8. A "previous" indicator that points to the previous node in the
    current path

3.3.2. Using Nodes to Iterate Over All Paths

 In simplest form, a node is created, the certificates are sorted, the
 next subject DN required is determined from the first certificate,
 and a new node is attached to the certification path via the next
 indicator (Number 7 above).  This process continues until the path
 terminates.  (Note: end entity certificates may not contain subject
 DNs as allowed by [RFC3280].  Since end entity certificates by
 definition do not issue certificates, this has no impact on the
 process.)
 Keeping in mind that the following algorithm is designed to be
 implemented using recursion, consider the example in Figure 12 and
 assume that the only path in the diagram is valid for E is TA->A->
 B->E:
 If our path-building module is building a path in the forward
 direction for E, a node is first created for E.  There are no
 certificates to sort because only one certificate exists, so all
 initial values are loaded into the node from E.  For example, the
 policy set is extracted from the certificate and stored in the node.
 Next, the issuer DN (B) is read from E, and new node is created for B
 containing both certificates issued to B -- B(A) and B(C).  The
 sorting rules are applied to these two certificates and the sorting
 algorithm returns B(C);B(A).  This sorted order is stored and the
 current indicator is set to B(C).  Indicators are set and the policy
 sets are calculated to the extent possible with respect to B(C).  The
 following diagram illustrates the current state with the current
 certificate indicated with a "*".

Cooper, et al. Informational [Page 42] RFC 4158 Certification Path Building September 2005

 +-------------+    +---------------+
 | Node 1      |    | Node 2        |
 | Subject: E  |--->| Subject: B    |
 | Issuers: B* |    | Issuers: C*,A |
 +-------------+    +---------------+
 Next, a node is created for C and all three certificates are added to
 it.  The sorting algorithm happens to return the certificates sorted
 in the following order: C(TA);C(A);C(B)
 +-------------+    +---------------+    +------------------+
 | Node 1      |    | Node 2        |    | Node 3           |
 | Subject: E  |--->| Subject: B    |--->| Subject: C       |
 | Issuers: B  |    | Issuers: C*,A |    | Issuers: TA*,A,B |
 +-------------+    +---------------+    +------------------+
 Recognizing that the trust anchor has been found, the path
 (TA->C->B->E) is validated but fails. (Remember that the only valid
 path happens to be TA->A->B->E.)  The path-building module now moves
 the current certificate indicator in node 3 to C(A), and adds the
 node for A.
    +-------------+    +---------------+    +------------------+
    | Node 1      |    | Node 2        |    | Node 3           |
    | Subject: E  |--->| Subject: B    |--->| Subject: C       |
    | Issuers: B  |    | Issuers: C*,A |    | Issuers: TA,A*,B |
    +-------------+    +---------------+    +------------------+
                                                      |
                                                      v
                                            +------------------+
                                            | Node 4           |
                                            | Subject: A       |
                                            | Issuers: TA*,C,B |
                                            +------------------+
 The path TA->A->C->B->E is validated and it fails.  The path-building
 module now moves the current indicator in node 4 to A(C) and adds a
 node for C.

Cooper, et al. Informational [Page 43] RFC 4158 Certification Path Building September 2005

 +-------------+    +---------------+    +------------------+
 | Node 1      |    | Node 2        |    | Node 3           |
 | Subject: E  |--->| Subject: B    |--->| Subject: C       |
 | Issuers: B  |    | Issuers: C*,A |    | Issuers: TA,A*,B |
 +-------------+    +---------------+    +------------------+
                                                   |
                                                   v
                 +------------------+    +------------------+
                 | Node 5           |    | Node 4           |
                 | Subject: C       |<---| Subject: A       |
                 | Issuers: TA*,A,B |    | Issuers: TA,C*,B |
                 +------------------+    +------------------+
 At this juncture, the decision of whether to allow repetition of name
 and key comes to the forefront.  If the certification path-building
 module will NOT allow repetition of name and key, there are no
 certificates in node 5 that can be used. (C and the corresponding
 public key is already in the path at node 3.)  At this point, node 5
 is removed from the current path and the current certificate
 indicator on node 4 is moved to A(B).
 If instead, the module is only disallowing repetition of
 certificates, C(A) is eliminated from node 5 since it is in use in
 node 3, and path building continues by first validating TA->C->A->
 C->B->E, and then continuing to try to build paths through C(B).
 After this also fails to provide a valid path, node 5 is removed from
 the current path and the current certificate indicator on node 4 is
 moved to A(B).
    +-------------+    +---------------+    +------------------+
    | Node 1      |    | Node 2        |    | Node 3           |
    | Subject: E  |--->| Subject: B    |--->| Subject: C       |
    | Issuers: B  |    | Issuers: C*,A |    | Issuers: TA,A*,B |
    +-------------+    +---------------+    +------------------+
                                                      |
                                                      v
                                            +------------------+
                                            | Node 4           |
                                            | Subject: A       |
                                            | Issuers: TA,C,B* |
                                            +------------------+
 Now a new node 5 is created for B.  Just as with the prior node 5, if
 not repeating name and key, B also offers no certificates that can be
 used (B and B's public key is in use in node 2) so the new node 5 is
 also removed from the path.  At this point all certificates in node 4
 have now been tried, so node 4 is removed from the path, and the
 current indicator on node 3 is moved to C(B).

Cooper, et al. Informational [Page 44] RFC 4158 Certification Path Building September 2005

 Also as above, if allowing repetition of name and key, B(C) is
 removed from the new node 5 (B(C) is already in use in node 3) and
 paths attempted through the remaining certificate B(A).  After this
 fails, it will lead back to removing node 5 from the path.  At this
 point all certificates in node 4 have now been tried, so node 4 is
 removed from the path, and the current indicator on node 3 is moved
 to C(B).
 This process continues until all certificates in node 1 (if there
 happened to be more than one) have been tried, or until a valid path
 has been found.  Once the process ends and in the event no valid path
 was found, it may be concluded that no path can be found from E to
 TA.

3.4. Implementing Path-Building Optimization

 The following section describes methods that may be used for
 optimizing the certification path-building process by sorting
 certificates.  Optimization as described earlier seeks to prioritize
 a list of certificates, effectively prioritizing (weighting) branches
 of the graph/tree.  The optimization methods can be used to assign a
 cumulative score to each certificate.  The process of scoring the
 certificates amounts to testing each certificate against the
 optimization methods a developer chooses to implement, and then
 adding the score for each test to a cumulative score for each
 certificate.  After this is completed for each certificate at a given
 branch point in the builder's decision tree, the certificates can be
 sorted so that the highest scoring certificate is selected first, the
 second highest is selected second, etc.
 For example, suppose the path builder has only these two simple
 sorting methods:
 1) If the certificate has a subject key ID, +5 to score.
 2) If the certificate has an authority key ID, +10 to score.
 And it then examined three certificates:
 1) Issued by CA 1; has authority key ID; score is 10.
 2) Issued by CA 2; has subject key ID; score is 5.
 3) Issued by CA 1; has subject key ID and authority key ID; score is
    15.
 The three certificates are sorted in descending order starting with
 the highest score: 3, 1, and 2.  The path-building software should
 first try building the path through certificate 3.  Failing that, it
 should try certificate 1.  Lastly, it should try building a path
 through certificate 2.

Cooper, et al. Informational [Page 45] RFC 4158 Certification Path Building September 2005

 The following optimization methods specify tests developers may
 choose to perform, but does not suggest scores for any of the
 methods.  Rather, developers should evaluate each method with respect
 to the environment in which the application will operate, and assign
 weights to each accordingly in the path-building software.
 Additionally, many of the optimization methods are not binary in
 nature.  Some are tri-valued, and some may be well suited to sliding
 or exponential scales.  Ultimately, the implementer decides the
 relative merits of each optimization with respect to his or her own
 software or infrastructure.
 Over and above the scores for each method, many methods can be used
 to eliminate branches during the tree traversal rather than simply
 scoring and weighting them.  All cases where certificates could be
 eliminated based upon an optimization method are noted with the
 method descriptions.
 Many of the sorting methods described below are based upon what has
 been perceived by the authors as common in PKIs.  Many of the methods
 are aimed at making path building for the common PKI fast, but there
 are cases where most any sorting method could lead to inefficient
 path building.  The desired behavior is that although one method may
 lead the algorithm in the wrong direction for a given situation or
 configuration, the remaining methods will overcome the errant
 method(s) and send the path traversal down the correct branch of the
 tree more often than not.  This certainly will not be true for every
 environment and configuration, and these methods may need to be
 tweaked for further optimization in the application's target
 operating environment.
 As a final note, the list contained in this document is not intended
 to be exhaustive.  A developer may desire to define additional
 sorting methods if the operating environment dictates the need.

3.5. Selected Methods for Sorting Certificates

 The reader should draw no specific conclusions as to the relative
 merits or scores for each of the following methods based upon the
 order in which they appear.  The relative merit of any sorting
 criteria is completely dependent on the specifics of the operating
 environment.  For most any method, an example can be created to
 demonstrate the method is effective and a counter-example could be
 designed to demonstrate that it is ineffective.
 Each sorting method is independent and may (or may not) be used to
 assign additional scores to each certificate tested.  The implementer
 decides which methods to use and what weights to assign them.  As
 noted previously, this list is also not exhaustive.

Cooper, et al. Informational [Page 46] RFC 4158 Certification Path Building September 2005

 In addition, name chaining (meaning the subject name of the issuer
 certificate matches the issuer name of the issued certificate) is not
 addressed as a sorting method since adherence to this is required in
 order to build the decision tree to which these methods will be
 applied.  Also, unaddressed in the sorting methods is the prevention
 of repeating certificates.  Path builders should handle name chaining
 and certificate repetition irrespective of the optimization approach.
 Each sorting method description specifies whether the method may be
 used to eliminate certificates, the number of possible numeric values
 (sorting weights) for the method, components from Section 2.6 that
 are required for implementing the method, forward and reverse methods
 descriptions, and finally a justification for inclusion of the
 method.
 With regard to elimination of certificates, it is important to
 understand that certificates are eliminated only at a given decision
 point for many methods.  For example, the path built up to
 certificate X may be invalidated due to name constraints by the
 addition of certificate Y.  At this decision point only, Y could be
 eliminated from further consideration.  At some future decision
 point, while building this same path, the addition of Y may not
 invalidate the path.
 For some other sorting methods, certificates could be eliminated from
 the process entirely.  For example, certificates with unsupported
 signature algorithms could not be included in any path and validated.
 Although the path builder may certainly be designed to operate in
 this fashion, it is sufficient to always discard certificates only
 for a given decision point regardless of cause.

3.5.1. basicConstraints Is Present and cA Equals True

 May be used to eliminate certificates: Yes
 Number of possible values: Binary
 Components required: None
 Forward Method:  Certificates with basicConstraints present and
 cA=TRUE, or those designated as CA certificates out-of-band have
 priority.  Certificates without basicConstraints, with
 basicConstraints and cA=FALSE, or those that are not designated as CA
 certificates out-of-band may be eliminated or have zero priority.
 Reverse Method:  Same as forward except with regard to end entity
 certificates at the terminus of the path.
 Justification:  According to [RFC3280], basicConstraints is required
 to be present with cA=TRUE in all CA certificates, or must be

Cooper, et al. Informational [Page 47] RFC 4158 Certification Path Building September 2005

 verified via an out-of-band mechanism.  A valid path cannot be built
 if this condition is not met.

3.5.2. Recognized Signature Algorithms

 May be used to eliminate certificates: Yes
 Number of possible values: Binary
 Components required: None
 Forward Method:  Certificates containing recognized signature and
 public key algorithms [PKIXALGS] have priority.
 Reverse Method:  Same as forward.
 Justification:  If the path-building software is not capable of
 processing the signatures associated with the certificate, the
 certification path cannot be validated.

3.5.3. keyUsage Is Correct

 May be used to eliminate certificates:  Yes
 Number of possible values:  Binary
 Components required:  None
 Forward Method:  If keyUsage is present, certificates with
 keyCertSign set have 100% priority.  If keyUsage is present and
 keyCertSign is not set, the certificate may be eliminated or have
 zero priority.  All others have zero priority.
 Reverse Method:  Same as forward except with regard to end entity
 certificates at the terminus of the path.
 Justification:  A valid certification path cannot be built through a
 CA certificate with inappropriate keyUsage.  Note that
 digitalSignature is not required to be set in a CA certificate.

3.5.4. Time (T) Falls within the Certificate Validity

 May be used to eliminate certificates:  Yes
 Number of possible values:  Binary
 Components required:  None
 Forward Method:  Certificates that contain the required time (T)
 within their validity period have 100% priority.  Otherwise, the
 certificate is eliminated or has priority zero.
 Reverse Method:  Same as forward.

Cooper, et al. Informational [Page 48] RFC 4158 Certification Path Building September 2005

 Justification:  A valid certification path cannot be built if T falls
 outside of the certificate validity period.
 NOTE: Special care should be taken to return a meaningful error to
 the caller, especially in the event the target certificate does not
 meet this criterion, if this sorting method is used for elimination.
 (e.g., the certificate is expired or is not yet valid).

3.5.5. Certificate Was Previously Validated

 May be used to eliminate certificates:  No
 Number of possible values:  Binary
 Components required:  Certification Path Cache
 Forward Method:  A certificate that is present in the certification
 path cache has priority.
 Reverse Method:  Does not apply. (The validity of a certificate vs.
 unknown validity does not infer anything about the correct direction
 in the decision tree.  In other words, knowing the validity of a CA
 certificate does not indicate that the target is more likely found
 through that path than another.)
 Justification:  Certificates in the path cache have been validated
 previously.  Assuming the initial constraints have not changed, it is
 highly likely that the path from that certificate to a trust anchor
 is still valid.  (Changes to the initial constraints may cause a
 certificate previously considered valid to no longer be considered
 valid.)
 Note:  It is important that items in the path cache have appropriate
 life times.  For example, it could be inappropriate to cache a
 relationship beyond the period the related CRL will be trusted by the
 application.  It is also critical to consider certificates and CRLs
 farther up the path when setting cache lifetimes.  For example, if
 the issuer certificate expires in ten days, but the issued
 certificate is valid for 20 days, caching the relationship beyond 10
 days would be inappropriate.

3.5.6. Previously Verified Signatures

 May be used to eliminate certificates:  Yes
 Number of possible values:  Binary
 Components required:  Path Cache
 Forward Method:   If a previously verified relationship exists in the
 path cache between the subject certificate and a public key present
 in one or more issuer certificates, all the certificates containing

Cooper, et al. Informational [Page 49] RFC 4158 Certification Path Building September 2005

 said public key have higher priority.  Other certificates may be
 eliminated or set to zero priority.
 Reverse Method:  If known bad signature relationships exist between
 certificates, these relationships can be used to eliminate potential
 certificates from the decision tree.  Nothing can be concluded about
 the likelihood of finding a given target certificate down one branch
 versus another using known good signature relationships.
 Justification: If the public key in a certificate (A) was previously
 used to verify a signature on a second certificate (B), any and all
 certificates containing the same key as (A) may be used to verify the
 signature on (B).  Likewise, any certificates that do not contain the
 same key as (A) cannot be used to verify the signature on (B).  This
 forward direction method is especially strong for multiply cross-
 certified CAs after a key rollover has occurred.

3.5.7. Path Length Constraints

 May be used to eliminate certificates: Yes
 Number of possible values: Binary
 Components required: None
 Forward Method:  Certificates with basic constraints present and
 containing a path length constraint that would invalidate the current
 path (the current length is known since the software is building from
 the target certificate) may be eliminated or set to zero priority.
 Otherwise, the priority is 100%.
 Reverse Method:  This method may be applied in reverse.  To apply it,
 the builder keeps a current path length constraint variable and then
 sets zero priority for (or eliminates) certificates that would
 violate the constraint.
 Justification:  A valid path cannot be built if the path length
 constraint has been violated.

3.5.8. Name Constraints

 May be used to eliminate certificates:  Yes
 Number of possible values:  Binary
 Components required:  None
 Forward Method:  Certificates that contain nameConstraints that would
 be violated by certificates already in the path to this point are
 given zero priority or eliminated.

Cooper, et al. Informational [Page 50] RFC 4158 Certification Path Building September 2005

 Reverse Method:  Certificates that will allow successful processing
 of any name constraints present in the path to this point are given
 higher priority.
 Justification:  A valid path cannot be built if name constraints are
 violated.

3.5.9. Certificate Is Not Revoked

 May be used to eliminate certificates: No
 Number of possible values:  Three
 Components required:  CRL Cache
 Forward Method:  If a current CRL for a certificate is present in the
 CRL cache, and the certificate serial number is not on the CRL, the
 certificate has priority.  If the certificate serial number is
 present on the CRL, it has zero priority.  If an (acceptably fresh)
 OCSP response is available for a certificate, and identifies the
 certificate as valid, the certificate has priority.  If an OCSP
 response is available for a certificate, and identifies the
 certificate as invalid, the certificate has zero priority.
 Reverse Method:  Same as Forward.
 Alternately, the certificate may be eliminated if the CRL or OCSP
 response is verified.  That is, fully verify the CRL or OCSP response
 signature and relationship to the certificate in question in
 accordance with [RFC3280].  While this is viable, the signature
 verification required makes it less attractive as an elimination
 method.  It is suggested that this method only be used for sorting
 and that CRLs and OCSP responses are validated post path building.
 Justification:  Certificates known to be not revoked can be
 considered more likely to be valid than certificates for which the
 revocation status is unknown.  This is further justified if CRL or
 OCSP response validation is performed post path validation - CRLs or
 OCSP responses are only retrieved when complete paths are found.
 NOTE:  Special care should be taken to allow meaningful errors to
 propagate to the caller, especially in cases where the target
 certificate is revoked.  If a path builder eliminates certificates
 using CRLs or OCSP responses, some status information should be
 preserved so that a meaningful error may be returned in the event no
 path is found.

Cooper, et al. Informational [Page 51] RFC 4158 Certification Path Building September 2005

3.5.10. Issuer Found in the Path Cache

 May be used to eliminate certificates: No
 Number of possible values: Binary
 Components required:  Certification Path Cache
 Forward Method:  A certificate whose issuer has an entry (or entries)
 in the path cache has priority.
 Reverse Method:  Does not apply.
 Justification:  Since the path cache only contains entries for
 certificates that were previously validated back to a trust anchor,
 it is more likely than not that the same or a new path may be built
 from that point to the (or one of the) trust anchor(s).  For
 certificates whose issuers are not found in the path cache, nothing
 can be concluded.
 NOTE: This method is not the same as the method named "Certificate
 Was Previously Validated".  It is possible for this sorting method to
 evaluate to true while the other method could evaluate to zero.

3.5.11. Issuer Found in the Application Protocol

 May be used to eliminate certificates: No
 Number of possible values: Binary
 Components required:  Certification Path Cache
 Forward Method:  If the issuer of a certificate sent by the target
 through the application protocol (SSL/TLS, S/MIME, etc.), matches the
 signer of the certificate you are looking at, then that certificate
 has priority.
 Reverse Method:  If the subject of a certificate matches the issuer
 of a certificate sent by the target through the application protocol
 (SSL/TLS, S/MIME, etc.), then that certificate has priority.
 Justification:  The application protocol may contain certificates
 that the sender considers valuable to certification path building,
 and are more likely to lead to a path to the target certificate.

3.5.12. Matching Key Identifiers (KIDs)

 May be used to eliminate certificates:  No
 Number of possible values:  Three
 Components required:  None
 Forward Method:  Certificates whose subject key identifier (SKID)

Cooper, et al. Informational [Page 52] RFC 4158 Certification Path Building September 2005

 matches the current certificate's authority key identifier (AKID)
 have highest priority.  Certificates without a SKID have medium
 priority.  Certificates whose SKID does not match the current
 certificate's AKID (if both are present) have zero priority.  If the
 current certificate expresses the issuer name and serial number in
 the AKID, certificates that match both these identifiers have highest
 priority.  Certificates that match only the issuer name in the AKID
 have medium priority.
 Reverse Method:  Certificates whose AKID matches the current
 certificate's SKID have highest priority.  Certificates without an
 AKID have medium priority.  Certificates whose AKID does not match
 the current certificate's SKID (if both are present) have zero
 priority.  If the certificate expresses the issuer name and serial
 number in the AKID, certificates that match both these identifiers in
 the current certificate have highest priority.  Certificates that
 match only the issuer name in the AKID have medium priority.
 Justification:  Key Identifier (KID) matching is a very useful
 mechanism for guiding path building (that is their purpose in the
 certificate) and should therefore be assigned a heavy weight.
 NOTE:  Although required to be present by [RFC3280], it is extremely
 important that KIDs be used only as sorting criteria or as hints
 during certification path building.  KIDs are not required to match
 during certification path validation and cannot be used to eliminate
 certificates.  This is of critical importance for interoperating
 across domains and multi-vendor implementations where the KIDs may
 not be calculated in the same fashion.

3.5.13. Policy Processing

 May be used to eliminate certificates: Yes
 Number of possible values: Three
 Components required: None
 Forward Method:  Certificates that satisfy Forward Policy Chaining
 have priority.  (See Section 4 entitled "Forward Policy Chaining" for
 details.)  If the caller provided an initial-policy-set and did not
 set the initial-require-explicit flag, the weight of this sorting
 method should be increased.  If the initial-require-explicit-policy
 flag was set by the caller or by a certificate, certificates may be
 eliminated.
 Reverse Method:  Certificates that contain policies/policy mappings
 that will allow successful policy processing of the path to this
 point have priority.  If the caller provided an initial-policy-set
 and did not set the initial-require-explicit flag, the weight of this

Cooper, et al. Informational [Page 53] RFC 4158 Certification Path Building September 2005

 sorting method should be increased.  Certificates may be eliminated
 only if initial-require-explicit was set by the caller or if
 require-explicit-policy was set by a certificate in the path to this
 point.
 Justification:  In a policy-using environment, certificates that
 successfully propagate policies are more likely part of an intended
 certification path than those that do not.
 When building in the forward direction, it is always possible that a
 certificate closer to the trust anchor will set the require-
 explicit-policy indicator; so giving preference to certification
 paths that propagate policies may increase the probability of finding
 a valid path first.  If the caller (or a certificate in the current
 path) has specified or set the initial-require-explicit-policy
 indicator as true, this sorting method can also be used to eliminate
 certificates when building in the forward direction.
 If building in reverse, it is always possible that a certificate
 farther along the path will set the require-explicit-policy
 indicator; so giving preference to those certificates that propagate
 policies will serve well in that case.  In the case where require-
 explicit-policy is set by certificates or the caller, certificates
 can be eliminated with this method.

3.5.14. Policies Intersect the Sought Policy Set

 May be used to eliminate certificates: No
 Number of possible values: Additive
 Components required: None
 Forward Method:  Certificates that assert policies found in the
 initial-acceptable-policy-set have priority.  Each additional
 matching policy could have an additive affect on the total score.
 Alternately, this could be binary; it matches 1 or more, or matches
 none.
 Reverse Method:  Certificates that assert policies found in the
 target certificate or map policies to those found in the target
 certificate have priority.  Each additional matching policy could
 have an additive affect on the total score.  Alternately, this could
 be binary; it matches 1 or more, or matches none.
 Justification:  In the forward direction, as the path draws near to
 the trust anchor in a cross-certified environment, the policies
 asserted in the CA certificates will match those in the caller's
 domain.  Since the initial acceptable policy set is specified in the

Cooper, et al. Informational [Page 54] RFC 4158 Certification Path Building September 2005

 caller's domain, matches may indicate that the path building is
 drawing nearer to a desired trust anchor.  In the reverse direction,
 finding policies that match those of the target certificate may
 indicate that the path is drawing near to the target's domain.

3.5.15. Endpoint Distinguished Name (DN) Matching

 May be used to eliminate certificates: No
 Number of possible values: Binary
 Components required: None
 Forward Method:  Certificates whose issuer exactly matches a trust
 anchor subject DN have priority.
 Reverse Method:  Certificates whose subject exactly matches the
 target entity issuer DN have priority.
 Justification:  In the forward direction, if a certificate's issuer
 DN matches a trust anchor's DN [X.501], then it may complete the
 path.  In the reverse direction, if the certificate's subject DN
 matches the issuer DN of the target certificate, it may be the last
 certificate required to complete the path.

3.5.16. Relative Distinguished Name (RDN) Matching

 May be used to eliminate certificates: No
 Number of possible values: Sliding Scale
 Components required: None
 Forward Method:  Certificates that match more ordered RDNs between
 the issuer DN and a trust anchor DN have priority.  When all the RDNs
 match, this yields the highest priority.
 Reverse Method: Certificates with subject DNs that match more RDNs
 with the target's issuer DN have higher priority.  When all the RDNs
 match, this yields the highest priority.
 Justification:  In PKIs the DNs are frequently constructed in a tree
 like fashion.  Higher numbers of matches may indicate that the trust
 anchor is to be found in that direction within the tree.  Note that
 in the case where all the RDNs match [X.501], this sorting method
 appears to mirror the preceding one.  However, this sorting method
 should be capable of producing a 100% weight even if the issuer DN
 has more RDNs than the trust anchor.  The Issuer DN need only contain
 all the RDNs (in order) of the trust anchor.
 NOTE: In the case where all RDNs match, this sorting method mirrors
 the functionality of the preceding one.  This allows for partial

Cooper, et al. Informational [Page 55] RFC 4158 Certification Path Building September 2005

 matches to be weighted differently from exact matches.  Additionally,
 this method can require a lot of processing if many trust anchors are
 present.

3.5.17. Certificates are Retrieved from cACertificate Directory

       Attribute
 May be used to eliminate certificates: No
 Number of possible values: Binary
 Components required: Certificate Cache with flags for the attribute
 from where the certificate was retrieved and Remote Certificate
 Storage/Retrieval using a directory
 Forward Method:   Certificates retrieved from the cACertificate
 directory attribute have priority over certificates retrieved from
 the crossCertificatePair attribute. (See [RFC2587].)
 Reverse Method:  Does not apply.
 Justification:  The cACertificate directory attribute contains
 certificates issued from local sources and self issued certificates.
 By using the cACertificate directory attribute before the
 crossCertificatePair attribute, the path-building algorithm will
 (depending on the local PKI configuration) tend to demonstrate a
 preference for the local PKI before venturing to external cross-
 certified PKIs.  Most of today's PKI applications spend most of their
 time processing information from the local (user's own) PKI, and the
 local PKI is usually very efficient to traverse due to proximity and
 network speed.

3.5.18. Consistent Public Key and Signature Algorithms

 May be used to eliminate certificates: Yes
 Number of possible values: Binary
 Components required: None
 Forward Method:  If the public key in the issuer certificate matches
 the algorithm used to sign the subject certificate, then it has
 priority.  (Certificates with unmatched public key and signature
 algorithms may be eliminated.)
 Reverse Method:  If the public key in the current certificate matches
 the algorithm used to sign the subject certificate, then it has
 priority.  (Certificates with unmatched public key and signature
 algorithms may be eliminated.)
 Justification:  Since the public key and signature algorithms are not
 consistent, the signature on the subject certificate will not verify

Cooper, et al. Informational [Page 56] RFC 4158 Certification Path Building September 2005

 successfully.  For example, if the issuer certificate contains an RSA
 public key, then it could not have issued a subject certificate
 signed with the DSA-with-SHA-1 algorithm.

3.5.19. Similar Issuer and Subject Names

 May be used to eliminate certificates:  No
 Number of possible values:  Sliding Scale
 Components required:  None
 Forward Method:  Certificates encountered with a subject DN that
 matches more RDNs with the issuer DN of the target certificate have
 priority.
 Reverse Method:  Same as forward.
 Justification:  As it is generally more efficient to search the local
 domain prior to branching to cross-certified domains, using
 certificates with similar names first tends to make a more efficient
 path builder.  Cross-certificates issued from external domains will
 generally match fewer RDNs (if any), whereas certificates in the
 local domain will frequently match multiple RDNs.

3.5.20. Certificates in the Certification Cache

 May be used to eliminate certificates:  No
 Number of possible values:  Three
 Components required:  Local Certificate Cache and Remote Certificate
 Storage/Retrieval (e.g., LDAP directory as the repository)
 Forward Method:  A certificate whose issuer certificate is present in
 the certificate cache and populated with certificates has higher
 priority.  A certificate whose issuer's entry is fully populated with
 current data (all certificate attributes have been searched within
 the timeout period) has higher priority.
 Reverse Method:  If the subject of a certificate is present in the
 certificate cache and populated with certificates, then it has higher
 priority.  If the entry is fully populated with current data (all
 certificate attributes have been searched within the timeout period)
 then it has higher priority.
 Justification:  The presence of required directory values populated
 in the cache increases the likelihood that all the required
 certificates and CRLs needed to complete the path from this
 certificate to the trust anchor (or target if building in reverse)
 are present in the cache from a prior path being developed, thereby

Cooper, et al. Informational [Page 57] RFC 4158 Certification Path Building September 2005

 eliminating the need for directory access to complete the path.  In
 the event no path can be found, the performance cost is low since the
 certificates were likely not retrieved from the network.

3.5.21. Current CRL Found in Local Cache

 May be used to eliminate certificates: No
 Number of possible values:  Binary
 Components Required:  CRL Cache
 Forward Method:  Certificates have priority if the issuer's CRL entry
 exists and is populated with current data in the CRL cache.
 Reverse Method:  Certificates have priority if the subject's CRL
 entry exists and is populated with current data in the CRL cache.
 Justification:  If revocation is checked only after a complete path
 has been found, this indicates that a complete path has been found
 through this entity at some past point, so a path still likely
 exists.  This also helps reduce remote retrievals until necessary.

3.6. Certificate Sorting Methods for Revocation Signer Certification

    Paths
 Unless using a locally-configured OCSP responder or some other
 locally-configured trusted revocation status service, certificate
 revocation information is expected to be provided by the PKI that
 issued the certificate.  It follows that when building a
 certification path for a Revocation Signer certificate, it is
 desirable to confine the building algorithm to the PKI that issued
 the certificate.  The following sorting methods seek to order
 possible paths so that the intended Revocation Signer certification
 path is found first.
 These sorting methods are not intended to be used in lieu of the ones
 described in the previous section; they are most effective when used
 in conjunction with those in Section 3.5. Some sorting criteria below
 have identical names as those in the preceding section.  This
 indicates that the sorting criteria described in the preceding
 section are modified slightly when building the Revocation Signer
 certification path.

3.6.1. Identical Trust Anchors

 May be used to eliminate certificates: No
 Number of possible values: Binary
 Components required: Is-revocation-signer indicator and the
 Certification Authority's trust anchor

Cooper, et al. Informational [Page 58] RFC 4158 Certification Path Building September 2005

 Forward Method:  Not applicable.
 Reverse Method:  Path building should begin from the same trust
 anchor used to validate the Certification Authority before trying any
 other trust anchors.  If any trust anchors exist with a different
 public key but an identical subject DN to that of the Certification
 Authority's trust anchor, they should be tried prior to those with
 mismatched names.
 Justification:  The revocation information for a given certificate
 should be produced by the PKI that issues the certificate.
 Therefore, building a path from a different trust anchor than the
 Certification Authority's is not desirable.

3.6.2. Endpoint Distinguished Name (DN) Matching

 May be used to eliminate certificates: No
 Number of possible values: Binary
 Components required: Is-revocation-signer indicator and the
 Certification Authority's trust anchor
 Forward Method:  Operates identically to the sorting method described
 in 3.5.15, except that instead of performing the matching against all
 trust anchors, the DN matching is performed only against the trust
 anchor DN used to validate the CA certificate.
 Reverse Method:  No change for Revocation Signer's certification
 path.
 Justification:  The revocation information for a given certificate
 should be produced by the PKI that issues the certificate.
 Therefore, building a path to a different trust anchor than the CA's
 is not desirable.  This sorting method helps to guide forward
 direction path building toward the trust anchor used to validate the
 CA certificate.

3.6.3. Relative Distinguished Name (RDN) Matching

 May be used to eliminate certificates: No
 Number of possible values: Sliding Scale
 Components required: Is-revocation-signer indicator and the
 Certification Authority's trust anchor
 Forward Method:  Operates identically to the sorting method described
 in 3.5.16 except that instead of performing the RDN matching against
 all trust anchors, the matching is performed only against the trust
 anchor DN used to validate the CA certificate.

Cooper, et al. Informational [Page 59] RFC 4158 Certification Path Building September 2005

 Reverse Method:  No change for Revocation Signer's certification
 path.
 Justification:  The revocation information for a given certificate
 should be produced by the PKI that issues the certificate.
 Therefore, building a path to a different trust anchor than the CA's
 is not desirable.  This sorting method helps to guide forward
 direction path building toward the trust anchor used to validate the
 CA certificate.

3.6.4. Identical Intermediate Names

 May be used to eliminate certificates: No
 Number of possible values: Binary
 Components required: Is-revocation-signer indicator and the
 Certification Authority's complete certification path
 Forward Method:  If the issuer DN in the certificate matches the
 issuer DN of a certificate in the Certification Authority's path, it
 has higher priority.
 Reverse Method:  If the subject DN in the certificate matches the
 subject DN of a certificate in the Certification Authority's path, it
 has higher priority.
 Justification:  Following the same path as the Certificate should
 deter the path-building algorithm from wandering in an inappropriate
 direction.  Note that this sorting method is indifferent to whether
 the certificate is self-issued.  This is beneficial in this situation
 because it would be undesirable to lower the priority of a re-key
 certificate.

4. Forward Policy Chaining

 It is tempting to jump to the conclusion that certificate policies
 offer little assistance to path building when building from the
 target certificate.  It's easy to understand the "validate as you go"
 approach from the trust anchor, and much less obvious that any value
 can be derived in the other direction.  However, since policy
 validation consists of the intersection of the issuer policy set with
 the subject policy set and the mapping of policies from the issuer
 set to the subject set, policy validation can be done while building
 a path in the forward direction as well as the reverse.  It is simply
 a matter of reversing the procedure.  That is not to say this is as
 ideal as policy validation when building from the trust anchor, but
 it does offer a method that can be used to mostly eliminate what has
 long been considered a weakness inherent to building in the forward
 (from the target certificate) direction.

Cooper, et al. Informational [Page 60] RFC 4158 Certification Path Building September 2005

4.1. Simple Intersection

 The most basic form of policy processing is the intersection of the
 policy sets from the first CA certificate through the target
 certificate.  Fortunately, the intersection of policy sets will
 always yield the same final set regardless of the order of
 intersection.  This allows processing of policy set intersections in
 either direction.  For example, if the trust anchor issues a CA
 certificate (A) with policies {X,Y,Z}, and that CA issues another CA
 certificate (B) with policies {X,Y}, and CA B then issues a third CA
 certificate (C) with policy set {Y,G}, one normally calculates the
 policy set from the trust anchor as follows:
 1) Intersect A{X,Y,Z} with B{X,Y} to yield the set {X,Y}
 2) Intersect that result, {X,Y} with C{Y,G} to yield the final set
    {Y}
 Now it has been shown that certificate C is good for policy Y.
 The other direction is exactly the same procedure, only in reverse:
 1) Intersect C{Y,G} with B{X,Y} to yield the set {Y}
 2) Intersect that result, {Y} with A{X,Y,Z} to yield the final set
    {Y}
 Just like in the reverse direction, it has been shown that
 certificate C is good for policy Y, but this time in the forward
 direction.
 When building in the forward direction, policy processing is handled
 much like it is in reverse -- the software lends preference to
 certificates that propagate policies.  Neither approach guarantees
 that a path with valid policies will be found, but rather both
 approaches help guide the path in the direction it should go in order
 for the policies to propagate.
 If the caller has supplied an initial-acceptable-policy set, there is
 less value in using it when building in the forward direction unless
 the caller also set inhibit-policy-mapping.  In that case, the path
 builder can further constrain the path building to propagating
 policies that exist in the initial-acceptable-policy-set.  However,
 even if the inhibit-policy-mapping is not set, the initial-policy-set
 can still be used to guide the path building toward the desired trust
 anchor.

Cooper, et al. Informational [Page 61] RFC 4158 Certification Path Building September 2005

4.2. Policy Mapping

 When a CA issues a certificate into another domain, an environment
 with disparate policy identifiers to its own, the CA may make use of
 policy mappings to map equivalence from the local domain's policy to
 the non-local domain's policy.  If in the prior example, A had
 included a policy mapping that mapped X to G in the certificate it
 issued to B, C would be good for X and Y:
 1) Intersect A{X,Y,Z} with B{X,Y} to yield the set {X,Y}
 2) Process Policy Mappings in B's certificate (X maps to G) to yield
    {G,Y} (same as {Y,G})
 3) Intersect that result, {G,Y} with C{Y,G} to yield the final set
    {G,Y}
 Since policies are always expressed in the relying party's domain,
 the certificate C is said to be good for {X, Y}, not {Y, G}.  This is
 because "G" doesn't mean anything in the context of the trust anchor
 that issued A without the policy mapping.
 When building in the forward direction, policies can be "unmapped" by
 reversing the mapping procedure.  This procedure is limited by one
 important aspect: if policy mapping has occurred in the forward
 direction, there is no mechanism by which it can be known in advance
 whether or not a future addition to the current path will invalidate
 the policy chain (assuming one exists) by setting inhibit-policy-
 mapping.  Fortunately, it is uncommon practice to set this flag.  The
 following is the procedure for processing policy mapping in the
 forward direction:
 1) Begin with C's policy set {Y,G}
 2) Apply the policy mapping in B's certificate (X maps to G) in
    reverse to yield {Y,X} (same as {X,Y})
 3) Intersect the result {X,Y} with B{X,Y} to yield the set {X,Y}
 4) Intersect that result, {X,Y}, with A{X,Y,Z} to yield the final set
    {X,Y}
 Just like in the reverse direction, it is determined in the forward
 direction that certificate C is good for policies {X,Y}.  If during
 this procedure, an inhibit-policy-mapping flag was encountered, what
 should be done?  This is reasonably easy to keep track of as well.
 The software simply maintains a flag on any policies that were
 propagated as a result of a mapping; just a simple Boolean kept with

Cooper, et al. Informational [Page 62] RFC 4158 Certification Path Building September 2005

 the policies in the set.  Imagine now that the certificate issued to
 A has the inhibit-policy-mapping constraint expressed with a skip
 certificates value of zero.
 1) Begin with C's policy set {Y,G}
 2) Apply the policy mapping in B's certificate and mark X as
    resulting from a mapping. (X maps to G) in reverse to yield {Y,Xm}
    (same as {Xm,Y})
 3) Intersect the result {Xm,Y} with B{X,Y} to yield the set {Xm,Y}
 4) A's certificate expresses the inhibit policy mapping constraint,
    so eliminate any policies in the current set that were propagated
    due to mapping (which is Xm) to yield {Y}
 5) Intersect that result, {Y} with A{X,Y,Z} to yield the final set
    {Y}
 If in our example, the policy set had gone to empty at any point (and
 require-explicit-policy was set), the path building would back up and
 try to traverse another branch of the tree.  This is analogous to the
 path-building functionality utilized in the reverse direction when
 the policy set goes to empty.

4.3. Assigning Scores for Forward Policy Chaining

 Assuming the path-building module is maintaining the current forward
 policy set, weights may be assigned using the following procedure:
 1) For each CA certificate being scored:
    a. Copy the current forward policy set.
    b. Process policy mappings in the CA certificate in order to
       "un-map" policies, if any.
    c. Intersect the resulting set with CA certificate's policies.
 The larger the policy set yielded, the larger the score for that CA
 certificate.
 2) If an initial acceptable set was supplied, intersect this set with
    the resulting set for each CA certificate from (1).
 The larger the resultant set, the higher the score is for this
 certificate.

Cooper, et al. Informational [Page 63] RFC 4158 Certification Path Building September 2005

 Other scoring schemes may work better if the operating environment
 dictates.

5. Avoiding Path-Building Errors

 This section defines some errors that may occur during the path-
 building process, as well as ways to avoid these errors when
 developing path-building functions.

5.1. Dead Ends

 When building certification paths in a non-hierarchical PKI
 structure, a simple path-building algorithm could fail prematurely
 without finding an existing path due to a "dead end".  Consider the
 example in Figure 14.
          +----+      +---+
          | TA |      | Z |
          +----+      +---+
             |          |
             |          |
             V          V
           +---+      +---+
           | C |<-----| Y |
           +---+      +---+
             |
             |
             V
           +--------+
           | Target |
           +--------+
    Figure 14 - Dead End Example
 Note that in the example, C has two certificates: one issued by Y,
 and the other issued by the Trust Anchor.  Suppose that a simple
 "find issuer" algorithm is used, and the order in which the path
 builder found the certificates was Target(C), C(Y), Y(Z), Z(Z).  In
 this case, Z has no certificates issued by any other entities, and so
 the simplistic path-building process stops.  Since Z is not the
 relying party's trust anchor, the certification path is not complete,
 and will not validate.  This example shows that in anything but the
 simplest PKI structure, additional path-building logic will need to
 handle the cases in which entities are issued multiple certificates
 from different issuers.  The path-building algorithm will also need
 to have the ability to traverse back up the decision tree and try
 another path in order to be robust.

Cooper, et al. Informational [Page 64] RFC 4158 Certification Path Building September 2005

5.2. Loop Detection

 In a non-hierarchical PKI structure, a path-building algorithm may
 become caught in a loop without finding an existing path.  Consider
 the example below:
           +----+
           | TA |
           +----+
             |
             |
           +---+      +---+
           | A |    ->| Z |
           +---+   /  +---+
             |    /     |
             |   /      |
             V  /       V
           +---+      +---+
           | B |<-----| Y |
           +---+      +---+
             |
             |
             V
           +--------+
           | Target |
           +--------+
    Figure 15 - Loop Example
 Let us suppose that in this example the simplest "find issuer"
 algorithm is used, and the order in which certificates are retrieved
 is Target(B), B(Y), Y(Z), Z(B), B(Y), Y(Z), Z(B), B(Y), ... A loop
 has formed that will cause the correct path (Target, B, A) to never
 be found.  The certificate processing system will need to recognize
 loops created by duplicate certificates (which are prohibited in a
 path by [X.509]) before they form to allow the certification path-
 building process to continue and find valid paths.  The authors of
 this document recommend that the loop detection not only detect the
 repetition of a certificate in the path, but also detect the presence
 of the same subject name / subject alternative name/ subject public
 key combination occurring twice in the path.  A name/key pair should
 only need to appear once in the path.  (See Section 2.4.2 for more
 information on the reasoning behind this recommendation.)

Cooper, et al. Informational [Page 65] RFC 4158 Certification Path Building September 2005

5.3. Use of Key Identifiers

 Inconsistent and/or incompatible approaches to computing the subject
 key identifier and authority key identifier in public key
 certificates can cause failures in certification path-building
 algorithms that use those fields to identify certificates, even
 though otherwise valid certification paths may exist.  Path-building
 implementations should use existing key identifiers and not attempt
 to re-compute subject key identifiers.  It is extremely important
 that Key Identifiers be used only as sorting criteria or hints.  KIDs
 are not required to match during certification path validation and
 cannot be used to eliminate certificates.  This is of critical
 importance for interoperating across domains and multi-vendor
 implementations where the KIDs may not be calculated in the same
 fashion.
 Path-building and processing implementations should not rely on the
 form of authority key identifier that uses the authority DN and
 serial number as a restrictive matching rule, because cross-
 certification can lead to this value not being matched by the cross-
 certificates.

5.4. Distinguished Name Encoding

 Certification path-building software should not rely on DNs being
 encoded as PrintableString.  Although frequently encoded as
 PrintableString, DNs may also appear as other types, including
 BMPString or UTF8String.  As a result, software systems that are
 unable to process BMPString and UTF8String encoded DNs may be unable
 to build and validate some certification paths.
 Furthermore, [RFC3280] compliant certificates are required to encode
 DNs as UTF8String as of January 1, 2004.  Certification path-building
 software should be prepared to handle "name rollover" certificates as
 described in [RFC3280].  Note that the inclusion of a "name rollover"
 certificate in a certification path does not constitute repetition of
 a DN and key.  Implementations that include the "name rollover"
 certificate in the path should ensure that the DNs with differing
 encoding are regarded as dissimilar.  (Implementations may instead
 handle matching DNs of different encodings and will therefore not
 need to include "name rollover" certificates in the path.)

Cooper, et al. Informational [Page 66] RFC 4158 Certification Path Building September 2005

6. Retrieval Methods

 Building a certification path requires the availability of the
 certificates and CRLs that make up the path.  There are many
 different methods for obtaining these certificates and CRLs.  This
 section lists a few of the common ways to perform this retrieval, as
 well as some suggested approaches for improving performance.  This
 section is not intended to provide a complete reference for
 certificate and CRL retrieval methods or optimizations that would be
 useful in certification path building.

6.1. Directories Using LDAP

 Most applications utilize the Lightweight Directory Access Protocol
 (LDAP) when retrieving data from directories following the X.500
 model.  Applications may encounter directories which support either
 LDAP v2 [RFC1777] or LDAP v3 [RFC3377].
 The LDAP v3 specification defines one attribute retrieval option, the
 "binary" option.  When specified in an LDAP retrieval request, this
 option was intended to force the directory to ignore any string-based
 representations of BER-encoded directory information, and send the
 requested attribute(s) in BER format.  Since all PKI objects of
 concern are BER-encoded objects, the "binary" option should be used.
 However, not all directories support the "binary" option.  Therefore,
 applications should be capable of requesting attributes with and
 without the "binary" option.  For example, if an application wishes
 to retrieve the userCertificate attribute, the application should
 request "userCertificate;binary".  If the desired information is not
 returned, robust implementations may opt to request "userCertificate"
 as well.
 The following attributes should be considered by PKI application
 developers when performing certificate retrieval from LDAP sources:
 userCertificate: contains certificates issued by one or more
    certification authorities with a subject DN that matches that of
    the directory entry.  This is a multi-valued attribute and all
    values should be received and considered during path building.
    Although typically it is expected that only end entity
    certificates will be stored in this attribute, (e.g., this is the
    attribute an application would request to find a person's
    encryption certificate) implementers may opt to search this
    attribute when looking in CA entries to make their path builder
    more robust.  If it is empty, the overhead added by including this
    attribute when already requesting one or both of the two below is
    marginal.

Cooper, et al. Informational [Page 67] RFC 4158 Certification Path Building September 2005

 cACertificate: contains self-issued certificates (if any) and any
    certificates issued to this certification authority by other
    certification authorities in the same realm.  (Realm is dependent
    upon local policy.)  This is a multi-valued attribute and all
    values should be received and considered during path building.
 crossCertificatePair: in conformant implementations, the
    crossCertificatePair is used to contain all, except self-issued
    certificates issued to this certification authority, as well as
    certificates issued by this certification authority to other
    certification authorities.  Each attribute value is a structure
    containing two elements.  The issuedToThisCA element contains
    certificates issued to this certification authority by other
    certification authorities.  The issuedByThisCA element contains
    certificates issued by this certification authority to other
    certification authorities.  Both elements of the
    crossCertificatePair are labeled optional in the ASN.1 definition.
    If both elements are present in a single value, the issuer name in
    one certificate is required to match the subject name in the other
    and vice versa, and the subject public key in one certificate
    shall be capable of verifying the digital signature on the other
    certificate and vice versa.  As this technology has evolved,
    different standards have had differing requirements on where
    information could be found.  For example, the LDAP v2 schema
    [RFC2587] states that the issuedToThisCA (once called 'forward')
    element of the crossCertificatePair attribute is mandatory and the
    issuedByThisCA (once called 'reverse') element is optional.  In
    contrast, Section 11.2.3 of [X.509] requires the issuedByThisCA
    element to be present if the CA issues a certificate to another CA
    if the subject is not a subordinate CA in a hierarchy.  Conformant
    directories behave as required by [X.509], but robust path-
    building implementations may want to retrieve all certificates
    from the cACertificate and crossCertificatePair attributes to
    ensure all possible certification authority certificates are
    obtained.
 certificateRevocationList: the certificateRevocationList attribute
    contains a certificate revocation list (CRL).  A CRL is defined in
    [RFC3280] as a time stamped list identifying revoked certificates,
    which is signed by a CA or CRL issuer and made freely available in
    a public repository.  Each revoked certificate is identified in a
    CRL by its certificate serial number.  There may be one or more
    CRLs in this attribute, and the values should be processed in
    accordance with [RFC3280].

Cooper, et al. Informational [Page 68] RFC 4158 Certification Path Building September 2005

 authorityRevocationList: the authorityRevocationList attribute also
    contains CRLs.  These CRLs contain revocation information
    regarding certificates issued to other CAs.  There may be one or
    more CRLs in this attribute, and the values should be processed in
    accordance with [RFC3280].
 Certification path processing systems that plan to interoperate with
 varying PKI structures and directory designs should at a minimum be
 able to retrieve and process the userCertificate, cACertificate,
 crossCertificatePair, certificateRevocationList, and
 authorityRevocationList attributes from directory entries.

6.2. Certificate Store Access via HTTP

 Another possible method of certificate retrieval is using HTTP as an
 interface mechanism for retrieving certificates and CRLs from PKI
 repositories.  A current PKIX document [CERTSTORE] provides a
 protocol for a general-purpose interface capability for retrieving
 certificates and CRLs from PKI repositories.  Since the [CERTSTORE]
 document is a work in progress as of the writing of this document, no
 details are given here on how to utilize this mechanism for
 certificate and CRL retrieval.  Instead, refer to the [CERTSTORE]
 document or its current version.  Certification path processing
 systems may wish to implement support for this interface capability,
 especially if they will be used in environments that will provide
 HTTP-based access to certificates and CRLs.

6.3. Authority Information Access

 The authority information access (AIA) extension, defined within
 [RFC3280], indicates how to access CA information and services for
 the issuer of the certificate in which the extension appears.  If a
 certificate with an AIA extension contains an accessMethod defined
 with the id-ad-caIssuers OID, the AIA may be used to retrieve one or
 more certificates for the CA that issued the certificate containing
 the AIA extension.  The AIA will provide a uniform resource
 identifier (URI) [RFC3986] when certificates can be retrieved via
 LDAP, HTTP, or FTP.  The AIA will provide a directoryName when
 certificates can be retrieved via directory access protocol (DAP).
 The AIA will provide an rfc822Name when certificates can be retrieved
 via electronic mail.  Additionally, the AIA may specify the location
 of an OCSP [RFC2560] responder that is able to provide revocation
 information for the certificate.
 If present, AIA may provide forward path-building implementations
 with a direct link to a certificate for the issuer of a given
 certificate.  Therefore, implementations may wish to provide support
 for decoding the AIA extension and processing the LDAP, HTTP, FTP,

Cooper, et al. Informational [Page 69] RFC 4158 Certification Path Building September 2005

 DAP, or e-mail locators.  Support for AIA is optional; [RFC3280]
 compliant implementations are not required to populate the AIA
 extension.  However, implementers of path-building and validation
 modules are strongly encouraged to support AIA, especially the HTTP
 transport; this will provide for usability and interoperability with
 many existing PKIs.

6.4. Subject Information Access

 The subject information access (SIA) extension, defined within
 [RFC3280], indicates how to access information and services for the
 subject of the certificate in which the extension appears.  If a
 certificate with an SIA extension contains an accessMethod defined
 with the id-ad-caRepository OID, the SIA may be used to locate one or
 more certificates (and possibly CRLs) for entities issued
 certificates by the subject.  The SIA will provide a uniform resource
 identifier (URI) [RFC3986] when data can be retrieved via LDAP, HTTP,
 or FTP.  The SIA will provide a directoryName when data can be
 retrieved via directory access protocol (DAP).  The SIA will provide
 an rfc822Name when data can be retrieved via electronic mail.
 If present, the SIA extension may provide reverse path-building
 implementations with the certificates required to continue building
 the path.  Therefore, implementations may wish to provide support for
 decoding the SIA extension and processing the LDAP, HTTP, FTP, DAP,
 or e-mail locators.  Support for SIA is optional; [RFC3280] compliant
 implementations are not required to populate the SIA extension.
 However, implementers of path-building and validation modules are
 strongly encouraged to support SIA, especially the HTTP transport;
 this will provide for usability and interoperability with many
 existing PKIs.

6.5. CRL Distribution Points

 The CRL distribution points (CRLDP) extension, defined within
 [RFC3280], indicates how to access CRL information.  If a CRLDP
 extension appears within a certificate, the CRL(s) to which the CRLDP
 refer are generally the CRLs that would contain revocation
 information for the certificate.  The CRLDP extension may point to
 multiple distribution points from which the CRL information may be
 obtained; the certificate processing system should process the CRLDP
 extension in accordance with [RFC3280].  The most common distribution
 points contain URIs from which the appropriate CRL may be downloaded,
 and directory names, which can be queried in a directory to retrieve
 the CRL attributes from the corresponding entry.

Cooper, et al. Informational [Page 70] RFC 4158 Certification Path Building September 2005

 If present, CRLDP can provide certificate processing implementations
 with a link to CRL information for a given certificate.  Therefore,
 implementations may wish to provide support for decoding the CRLDP
 extension and using the information to retrieve CRLs.  Support for
 CRLDP is optional and [RFC3280] compliant implementations need not
 populate the CRLDP extension.  However, implementers of path-building
 and validation modules are strongly encouraged to support CRLDPs.  At
 a minimum, developers are encouraged to consider supporting the LDAP
 and HTTP transports; this will provide for interoperability across a
 wide range of existing PKIs.

6.6. Data Obtained via Application Protocol

 Many application protocols, such as SSL/TLS and S/MIME, allow one
 party to provide certificates and CRLs to another.  Data provided in
 this method is generally very valuable to path-building software
 (will provide direction toward valid paths), and should be stored and
 used accordingly.  Note: self-signed certificates obtained via
 application protocol are not trustworthy; implementations should only
 consider the relying party's trust anchors when building paths.

6.7. Proprietary Mechanisms

 Some certificate issuing systems and certificate processing systems
 may utilize proprietary retrieval mechanisms, such as network mapped
 drives, databases, or other methods that are not directly referenced
 via the IETF standards.  Certificate processing systems may wish to
 support other proprietary mechanisms, but should only do so in
 addition to supporting standard retrieval mechanisms such as LDAP,
 AIA, and CRLDP (unless functioning in a closed environment).

7. Improving Retrieval Performance

 Retrieval performance can be improved through a few different
 mechanisms, including the use of caches and setting a specific
 retrieval order.  This section discusses a few methods by which the
 performance of a certificate processing system may be improved during
 the retrieval of PKI objects.  Certificate processing systems that
 are consistently very slow during processing will be disliked by
 users and will be slow to be adopted into organizations.  Certificate
 processing systems are encouraged to do whatever possible to reduce
 the delays associated with requesting and retrieving data from
 external sources.

Cooper, et al. Informational [Page 71] RFC 4158 Certification Path Building September 2005

7.1. Caching

 Certificate processing systems operating in a non-hierarchical PKI
 will often need to retrieve certificates and certificate revocation
 lists (CRLs) from a source outside the application protocol.
 Typically, these objects are retrieved from an X.500 or LDAP
 repository, an Internet URI [RFC3986], or some other non-local
 source.  Due to the delays associated with establishing connections
 as well as network transfers, certificate processing systems ought to
 be as efficient as possible when retrieving data from external
 sources.  Perhaps the best way to improve retrieval efficiency is by
 using a caching mechanism.  Certificate processing systems can cache
 data retrieved from external sources for some period of time, but not
 to exceed the useful period of the data (i.e., an expired certificate
 need not be cached).  Although this comes at a cost of increased
 memory/disk consumption by the system, the cost and performance
 benefit of reducing network transmissions is great.  Also, CRLs are
 often issued and available in advance of the nextUpdate date in the
 CRL.  Implementations may wish to obtain these "fresher" CRLs before
 the nextUpdate date has passed.
 There are a number of different ways in which caching can be
 implemented; the specifics of these methods can be used as
 distinguishing characteristics between certificate processing
 systems.  However, some things that implementers may wish to consider
 when developing caching systems are as follows:
  1. If PKI objects are cached, the certification path-building

mechanism should be able to examine and retrieve from the cache

      during path building.  This will allow the certificate
      processing system to find or eliminate one or more paths quickly
      without requiring external contact with a directory or other
      retrieval mechanism.
  1. Sharing caches between multiple users (via a local area network

or LAN) may be useful if many users in one organization

      consistently perform PKI operations with another organization.
  1. Caching not only PKI objects (such as certificates and CRLs) but

also relationships between PKI objects (storing a link between a

      certificate and the issuer's certificate) may be useful.  This
      linking may not always lead to the most correct or best
      relationship, but could represent a linking that worked in
      another scenario.
  1. Previously built paths and partial paths are quite useful to

cache, because they will provide information on previous

      successes or failures.  Additionally, if the cache is safe from

Cooper, et al. Informational [Page 72] RFC 4158 Certification Path Building September 2005

      unauthorized modifications, caching validation and signature
      checking status for certificates, CRLs, and paths can also be
      stored.

7.2. Retrieval Order

 To optimize efficiency, certificate processing systems are encouraged
 to also consider the order in which different PKI objects are
 retrieved, as well as the mechanism from which they are retrieved.
 If caching is utilized, the caches can be consulted for PKI objects
 before attempting other retrieval mechanisms.  If multiple caches are
 present (such as local disk and network), the caches can be consulted
 in the order in which they can be expected to return their result
 from fastest to slowest.  For example, if a certificate processing
 system wishes to retrieve a certificate with a particular subject DN,
 the system might first consult the local cache, then the network
 cache, and then attempt directory retrieval.  The specifics of the
 types of retrieval mechanisms and their relative costs are left to
 the implementer.
 In addition to ordering retrieval mechanisms, the certificate
 processing system ought to order the relative merits of the different
 external sources from which a PKI object can be retrieved.  If the
 AIA is present within a certificate, with a URI [RFC3986] for the
 issuer's certificate, the certificate processing system (if able) may
 wish to attempt to retrieve the certificate first from local cache
 and then by using that URI (because it is expected to point directly
 to the desired certificate) before attempting to retrieve the
 certificates that may exist within a directory.
 If a directory is being consulted, it may be desirable to retrieve
 attributes in a particular order.  A highly cross-certified PKI
 structure will lead to multiple possibilities for certification
 paths, which may mean multiple validation attempts before a
 successful path is retrieved.  Therefore, cACertificate and
 userCertificate (which typically contain certificates from within the
 same 'realm') could be consulted before attempting to retrieve the
 crossCertificatePair values for an entry.  Alternately, all three
 attributes could be retrieved in one query, but cross-certificates
 then tagged as such and used only after exhausting the possibilities
 from the cACertificate attribute.  The best approach will depend on
 the nature of the application and PKI environment.

7.3. Parallel Fetching and Prefetching

 Much of this document has focused on a path-building algorithm that
 minimizes the performance impact of network retrievals, by preventing
 those retrievals and utilization of caches.  Another way to improve

Cooper, et al. Informational [Page 73] RFC 4158 Certification Path Building September 2005

 performance would be to allow network retrievals to be performed in
 advance (prefetching) or at the same time that other operations are
 performed (parallel fetching).  For example, if an email application
 receives a signed email message, it could download the required
 certificates and CRLs prior to the recipient viewing (or attempting
 to verify) the message.  Implementations that provide the capability
 of parallel fetching and/or prefetching, along with a robust cache,
 can lead to greatly improved performance or user experience.

8. Security Considerations

8.1. General Considerations for Building a Certification Path

 Although certification path building deals directly with security
 relevant PKI data, the PKI data itself needs no special handling
 because its integrity is secured with the digital signature applied
 to it.  The only exception to this is the appropriate protection of
 the trust anchor public keys.  These are to be kept safe and obtained
 out of band (e.g., not from an electronic mail message or a
 directory) with respect to the path-building module.
 The greatest security risks associated with this document revolve
 around performing certification path validation while certification
 paths are built.  It is therefore noted here that fully implemented
 certification path validation in accordance with [RFC3280] and
 [X.509] is required in order for certification path building,
 certification path validation, and the certificate using application
 to be properly secured.  All of the Security Considerations listed in
 Section 9 of [RFC3280] apply equally here.
 In addition, as with any application that consumes data from
 potentially untrusted network locations, certification path-building
 components should be carefully implemented so as to reduce or
 eliminate the possibility of network based exploits.  For example, a
 poorly implemented path-building module may not check the length of
 the CRLDP URI [RFC3986] before using the C language strcpy() function
 to place the address in a 1024 byte buffer.  A hacker could use such
 a flaw to create a buffer overflow exploit by encoding malicious
 assembly code into the CRLDP of a certificate and then use the
 certificate to attempt an authentication.  Such an attack could yield
 system level control to the attacker and expose the sensitive data
 the PKI was meant to protect.
 Path building may be used to mount a denial of service (DOS) attack.
 This might occur if multiple simple requests could be performed that
 cause a server to perform a number of path developments, each taking
 time and resources from the server.  Servers can help avoid this by
 limiting the resources they are willing to devote to path building,

Cooper, et al. Informational [Page 74] RFC 4158 Certification Path Building September 2005

 and being able to further limit those resources when the load is
 heavy.  Standard DOS protections such as systems that identify and
 block attackers can also be useful.
 A DOS attack can be also created by presenting spurious CA
 certificates containing very large public keys.  When the system
 attempts to use the large public key to verify the digital signature
 on additional certificates, a long processing delay may occur.  This
 can be mitigated by either of two strategies.  The first strategy is
 to perform signature verifications only after a complete path is
 built, starting from the trust anchor.  This will eliminate the
 spurious CA certificate from consideration before the large public
 key is used.  The second strategy is to recognize and simply reject
 keys longer than a certain size.
 A similar DOS attack can occur with very large public keys in end
 entity certificates.  If a system uses the public key in a
 certificate before building and validating that certificate's
 certification path, long processing delays may occur.  To mitigate
 this threat, the public key in an end entity certificate should not
 be used for any purpose until a complete certification path for that
 certificate is built and validated.

8.2. Specific Considerations for Building Revocation Signer

    Certification Paths
 If the CRL Signer certificate (and certification path) is not
 identical to the Certification Authority certificate (and
 certification path), special care should be exercised when building
 the CRL Signer certification path.
 If special consideration is not given to building a CRL Signer
 certification path, that path could be constructed such that it
 terminates with a different root or through a different certification
 path to the same root.  If this behavior is not prevented, the
 relying party may end up checking the wrong revocation data, or even
 maliciously substituted data, resulting in denial of service or
 security breach.
 For example, suppose the following certification path is built for E
 and is valid for an example "high assurance" policy.
    A->B->C->E
 When the building/validation routine attempts to verify that E is not
 revoked, C is referred to as the Certification Authority certificate.
 The path builder finds that the CRL for checking the revocation
 status of E is issued by C2; a certificate with the subject name "C",

Cooper, et al. Informational [Page 75] RFC 4158 Certification Path Building September 2005

 but with a different key than the key that was used to sign E.  C2 is
 referred to as the CRL Signer.  An unrestrictive certification path
 builder might then build a path such as the following for the CRL
 Signer C2 certificate:
    X->Y->Z->C2
 If a path such as the one above is permitted, nothing can be
 concluded about the revocation status of E since C2 is a different CA
 from C.
 Fortunately, preventing this security problem is not difficult and
 the solution also makes building CRL Signer certification paths very
 efficient.  In the event the CRL Signer certificate is identical to
 the Certification Authority certificate, the Certification Authority
 certification path should be used to verify the CRL; no additional
 path building is required.  If the CRL Signer certificate is not
 identical to the Certification Authority certificate, a second path
 should be built for the CRL Signer certificate in exactly the same
 fashion as for any certificate, but with the following additional
 guidelines:
 1.  Trust Anchor:  The CRL Signer's certification path should start
     with the same trust anchor as the Certification Authority's
     certification path.  Any trust anchor certificate with a subject
     DN matching that of the Certification Authority's trust anchor
     should be considered acceptable though lower in priority than the
     one with a matching public key and subject DN.  While different
     trust anchor public keys are acceptable at the beginning of the
     CRL signer's certification path and the Certification Authority's
     certification path, both keys must be trusted by the relying
     party per the recommendations in Section 8.1.
 2.  CA Name Matching:  The subject DNs for all CA certificates in the
     two certification paths should match on a one-to-one basis
     (ignoring self-issued certificates) for the entire length of the
     shorter of the two paths.
 3.  CRL Signer Certification Path Length:  The length of the CRL
     Signer certification path (ignoring self-issued certificates)
     should be equal to or less than the length of the Certification
     Authority certification path plus (+) one.  This allows a given
     Certification Authority to issue a certificate to a
     delegated/subordinate CRL Signer.  The latter configuration
     represents the maximum certification path length for a CRL Signer
     certificate.

Cooper, et al. Informational [Page 76] RFC 4158 Certification Path Building September 2005

 The reasoning behind the first guideline is readily apparent.
 Lacking this and the second guideline, any trusted CA could issue
 CRLs for any other CA, even if the PKIs are not related in any
 fashion.  For example, one company could revoke certificates issued
 by another company if the relying party trusted the trust anchors
 from both companies.  The two guidelines also prevent erroneous CRL
 checks since Global uniqueness of names is not guaranteed.
 The second guideline prevents roaming certification paths such as the
 previously described example CRL Signer certification path for
 A->B->C->E.  It is especially important that the "ignoring self-
 issued certificates" is implemented properly.  Self-issued
 certificates are cast out of the one-to-one name comparison in order
 to allow for key rollover.  The path-building algorithm may be
 optimized to only consider certificates with the acceptable subject
 DN for the given point in the CRL Signer certification path while
 building the path.
 The third and final guideline ensures that the CRL used is the
 intended one.  Without a restriction on the length of the CRL Signer
 certification path, the path could roam uncontrolled into another
 domain and still meet the first two guidelines.  For example, again
 using the path A->B->C->E, the Certification Authority C, and a CRL
 Signer C2, a CRL Signer certification path such as the following
 could pass the first two guidelines:
    A->B->C->D->X->Y->RogueCA->C2
 In the preceding example, the trust anchor is identical for both
 paths and the one-to-one name matching test passes for A->B->C.
 However, accepting such a path has obvious security consequences, so
 the third guideline is used to prevent this situation.  Applying the
 second and third guideline to the certification path above, the path
 builder could have immediately detected this path was not acceptable
 (prior to building it) by examining the issuer DN in C2.  Given the
 length and name guidelines, the path builder could detect that
 "RogueCA" is not in the set of possible names by comparing it to the
 set of possible CRL Signer issuer DNs, specifically, A, B, or C.
 Similar consideration should be given when building the path for the
 OCSP Responder certificate when the CA is the OCSP Response Signer or
 the CA has delegated the OCSP Response signing to another entity.

Cooper, et al. Informational [Page 77] RFC 4158 Certification Path Building September 2005

9. Acknowledgements

 The authors extend their appreciation to David Lemire for his efforts
 coauthoring "Managing Interoperability in Non-Hierarchical Public Key
 Infrastructures" from which material was borrowed heavily for use in
 the introductory sections.
 This document has also greatly benefited from the review and
 additional technical insight provided by Dr. Santosh Chokhani, Carl
 Wallace, Denis Pinkas, Steve Hanna, Alice Sturgeon, Russ Housley, and
 Tim Polk.

10. Normative References

 [RFC3280]   Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
             X.509 Public Key Infrastructure Certificate and
             Certificate Revocation List (CRL) Profile", RFC 3280,
             April 2002.

11. Informative References

 [MINHPKIS]  Hesse, P., and D. Lemire, "Managing Interoperability in
             Non-Hierarchical Public Key Infrastructures", 2002
             Conference Proceedings of the Internet Society Network
             and Distributed System Security Symposium, February 2002.
 [RFC1777]   Yeong, W., Howes, T., and S. Kille, "Lightweight
             Directory Access Protocol", RFC 1777, March 1995.
 [RFC2560]   Myers, M., Ankney, R., Malpani, A., Galperin, S., and C.
             Adams, "X.509 Internet Public Key Infrastructure Online
             Certificate Status Protocol - OCSP", RFC 2560, June 1999.
 [RFC2587]   Boeyen, S., Howes, T., and P. Richard, "Internet X.509
             Public Key Infrastructure LDAPv2 Schema", RFC 2587, June
             1999.
 [RFC3377]   Hodges, J. and R. Morgan, "Lightweight Directory Access
             Protocol (v3): Technical Specification", RFC 3377,
             September 2002.
 [RFC3820]   Tuecke, S., Welch, V., Engert, D., Pearlman, L., and M.
             Thompson, "Internet X.509 Public Key Infrastructure (PKI)
             Proxy Certificate Profile", RFC 3820, June 2004.
 [RFC3986]   Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
             Resource Identifier (URI): Generic Syntax", STD 66, RFC
             3986, January 2005.

Cooper, et al. Informational [Page 78] RFC 4158 Certification Path Building September 2005

 [X.501]     ITU-T Recommendation X.501: Information Technology - Open
             Systems Interconnection - The Directory: Models, 1993.
 [X.509]     ITU-T Recommendation X.509 (2000 E): Information
             Technology - Open Systems Interconnection - The
             Directory: Authentication Framework, March 2000.
 [PKIXALGS]  Bassham, L., Polk, W. and R. Housley, "Algorithms and
             Identifiers for the Internet X.509 Public Key
             Infrastructure Certificate and Certificate Revocation
             Lists (CRL) Profile", RFC 3279, April 2002.
 [CERTSTORE] P. Gutmann, "Internet X.509 Public Key Infrastructure
             Operational Protocols: Certificate Store Access via
             HTTP", Work in Progress, August 2004.

Cooper, et al. Informational [Page 79] RFC 4158 Certification Path Building September 2005

Authors' Addresses

 Matt Cooper
 Orion Security Solutions, Inc.
 1489 Chain Bridge Rd, Ste. 300
 McLean, VA  22101,  USA
 Phone:  +1-703-917-0060
 EMail:  mcooper@orionsec.com
 Yuriy Dzambasow
 A&N Associates, Inc.
 999 Corporate Blvd Ste. 100
 Linthicum, MD  21090,  USA
 Phone:  +1-410-859-5449 x107
 EMail:  yuriy@anassoc.com
 Peter Hesse
 Gemini Security Solutions, Inc.
 4451 Brookfield Corporate Dr. Ste. 200
 Chantilly, VA  20151,  USA
 Phone:  +1-703-378-5808 x105
 EMail:  pmhesse@geminisecurity.com
 Susan Joseph
 Van Dyke Technologies
 6716 Alexander Bell Drive
 Columbia, MD 21046
 EMail:  susan.joseph@vdtg.com
 Richard Nicholas
 BAE Systems Information Technology
 141 National Business Parkway, Ste. 210
 Annapolis Junction, MD  20701,  USA
 Phone:  +1-301-939-2722
 EMail:  richard.nicholas@it.baesystems.com

Cooper, et al. Informational [Page 80] RFC 4158 Certification Path Building September 2005

Full Copyright Statement

 Copyright (C) The Internet Society (2005).
 This document is subject to the rights, licenses and restrictions
 contained in BCP 78, and except as set forth therein, the authors
 retain all their rights.
 This document and the information contained herein are provided on an
 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

 The IETF takes no position regarding the validity or scope of any
 Intellectual Property Rights or other rights that might be claimed to
 pertain to the implementation or use of the technology described in
 this document or the extent to which any license under such rights
 might or might not be available; nor does it represent that it has
 made any independent effort to identify any such rights.  Information
 on the procedures with respect to rights in RFC documents can be
 found in BCP 78 and BCP 79.
 Copies of IPR disclosures made to the IETF Secretariat and any
 assurances of licenses to be made available, or the result of an
 attempt made to obtain a general license or permission for the use of
 such proprietary rights by implementers or users of this
 specification can be obtained from the IETF on-line IPR repository at
 http://www.ietf.org/ipr.
 The IETF invites any interested party to bring to its attention any
 copyrights, patents or patent applications, or other proprietary
 rights that may cover technology that may be required to implement
 this standard.  Please address the information to the IETF at ietf-
 ipr@ietf.org.

Acknowledgement

 Funding for the RFC Editor function is currently provided by the
 Internet Society.

Cooper, et al. Informational [Page 81]

/data/webs/external/dokuwiki/data/pages/rfc/rfc4158.txt · Last modified: 2005/09/08 00:52 by 127.0.0.1

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki