What is Certificate Path Discovery and Validation (PDVal)?

It came up recently in a meeting we were in that some folks are not sure what is meant by PDVal, so I thought I would provide an explanation. First, some terminology:

The term "Certificate Path" is used to refer to a series of certificates issued by certificate authorities (CAs) to other CAs or users, e.g. Alice’s CA issues a Certificate to Bob’s CA, who issues a certificate to Bob, creating a certificate path from Alice’s CA to Bob.

Certificate Path Discovery and Validation (PDVal) consists of two phases:
  1. Trust Path Discovery
  2. Trust Path Validation

Trust Path Discovery is the process of discovering the chain of cross-certificates and CA certificates running from the relying party's trust anchor to the end-entity's certificate. A trust path may be discovered dynamically each time it is needed, or it may be constructed once and cached.

Trust Path Validation is the process of examining each certificate that comprises the trust path, consulting the issuing CA's CRL or OCSP responder to determine each certificate's validity status at that moment, and performing a number of other checks, such as policy mapping and signature validation.

Validating the policy mapping is needed because a particular CA may be able to issue certificates that map to different policy levels, e.g. PIV, PIV-I, Medium Hardware, etc. This matters because the processes used to identity-proof someone (or the other factors used to determine the "trust-ability" of a credential) may differ across the types of PKI credentials a CA is capable of issuing. For example, both PIV and PIV-I have the same identity proofing requirements, but PIV (which can only be issued by a Government Agency to its Employees and Contractors) also requires that the Applicant undergo a background check for suitability for Government employment.
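The two phases above, as an added example that is not part of the original post: a self-contained Go program that builds the Alice's CA -> Bob's CA -> Bob path from the terminology section as a constructed test PKI, then validates Bob's certificate against Alice's CA using the standard library's crypto/x509 chain builder. The function names newCert, ValidatePath and Demo are the example's own; it does not perform the CRL/OCSP or policy-mapping checks the post describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for cn signed by parent; a nil parent makes it self-signed (a trust anchor). Constructed test PKI only.
func newCert(cn string, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { // self-signed: the template is its own issuer
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ValidatePath runs both PDVal phases with the standard library: discovery links anchor -> cas -> leaf by
// issuer/subject (and key identifier) match; validation checks each link's signature, validity period and
// CA constraints. Caveat: no CRL/OCSP lookup or policy mapping happens here; a full PDVal adds both.
func ValidatePath(leaf, anchor *x509.Certificate, cas ...*x509.Certificate) ([]*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	for _, c := range cas {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return nil, err // e.g. x509.UnknownAuthorityError when no path to the anchor exists
	}
	return chains[0], nil // leaf first, trust anchor last
}

// Demo builds the post's Alice's CA -> Bob's CA -> Bob path and validates Bob's certificate with Alice's CA as anchor.
func Demo() ([]*x509.Certificate, error) {
	aliceCA, aliceKey := newCert("Alice's CA", true, nil, nil)
	bobCA, bobCAKey := newCert("Bob's CA", true, aliceCA, aliceKey)
	bob, _ := newCert("Bob", false, bobCA, bobCAKey)
	return ValidatePath(bob, aliceCA, bobCA)
}
```

Validating Bob against an unrelated anchor, or without Bob's CA's certificate available to the chain builder, fails with an x509.UnknownAuthorityError: discovery found no path, so validation never ran.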

PDVal standards fall under IETF PKIX, and there is a comprehensive test suite developed by NIST called the Public Key Interoperability Test Suite (PKITS). The PKITS path discovery and validation test suite ensures that vendor products and/or services have been implemented according to RFC 3280 and work in a PKI Bridge environment.

This is a big deal in the US Federal Government as the Federal PKI Bridge is the Interoperability Trust Anchor for the US Government, and the ability to carry out certificate path validation is critical when the PKI credentials issued by one Agency's CA need to be validated by another Agency. In addition, Federal Information Processing Standard (FIPS) 201 requires agencies to validate that certificates comply with FPKI Common Policy when accepting PIV cards (Smart Cards issued by an Agency to its Employees and Contractors). PDVal is the only way to really do that.

As such, having products that can do PDVal as part of validating a certificate or having the ability to "outsource" that validation to a dedicated capability is something that we are very interested in. While vendors can use the PKITS to self-test, please note that the Federal PKI Management Authority does have a testing program that uses the NIST PKITS to independently verify PDVal capability.

[A quick note of thanks to Chris Louden @ PGS (who supports the FICAM Program) who has been a tireless, and often frustrated, proponent of PDVal for explaining some of the intricacies of PDVal to me]

:- by Anil John