SCVP Validation

The Online Certificate Status Protocol (OCSP) technology, designed to provide the real-time status of certificates, can be complemented by the Server-based Certificate Validation Protocol (SCVP) technology, which helps determine the certificate path.

SCVP is an Internet protocol for determining the path between an X.509 digital certificate and a trusted root (Delegated Path Discovery, DPD) and for validating that path (Delegated Path Validation, DPV) according to a particular validation policy. When a relying party receives a digital certificate and needs to decide whether to trust the certificate, it first needs to determine whether the certificate can be linked to a trusted certificate. This process may involve chaining the certificate back through several issuers.

SCVP provides a standards-based client-server protocol for solving this problem using DPD. When using DPD, a relying party asks a server for a certification path that meets its needs. The SCVP client's request contains the certificate that it is attempting to trust and a set of trusted certificates. The SCVP server's response contains a set of certificates making up a valid path between the certificate in question and one of the trusted certificates. The response may also contain proof of revocation status, such as OCSP responses, for the certificates in the path.

Once a certification path has been constructed, it needs to be validated. An algorithm for validating certification paths is defined in RFC 5280 section 6 (signatures, expiration, name constraints, policy constraints, basic constraints, etc.). This can be done locally by the client or by the SCVP server with DPV.

The ActivID Validation Suite provides a server infrastructure for validating the status of digital certificates using SCVP. SCVP requests can take one of the following two basic forms:

Certificate validation is complex. Certificate handling can be widely deployed in a variety of applications and environments, so the amount of processing an application must perform before it can accept a certificate needs to be reduced. A variety of applications can make use of public key certificates, but these applications are burdened with the overhead of constructing and validating certification paths. SCVP reduces this overhead for the following two classes of certificate-using applications:

  • The first class of applications has two functions: confirming that the public key belongs to the identity named in the certificate and that the public key can be used for the intended purpose. Such clients can completely delegate certification path construction and validation to the SCVP server. This is often referred to as DPV.

  • The second class of applications can perform certification path validation, but they lack a reliable or efficient method of constructing a valid certification path. Such clients delegate certification path construction to the SCVP server, but not validation of the returned certification path. This is often referred to as DPD.
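
As an added illustration (not ActivID code and not an SCVP client library), the sketch below shows checks that a DPD client still owns after the server returns a path: the path must end at one of the client's own trust anchors, names must chain, and validity and basic constraints must hold. Certificates are modelled as simple records with constructed names and dates; signature, revocation, name-constraint and policy checks from RFC 5280 section 6 are assumed to be done elsewhere and are left out.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Cert:
    """Simplified stand-in for an X.509 certificate (no key or signature)."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    is_ca: bool = False
    path_len: Optional[int] = None  # basicConstraints pathLenConstraint

def check_dpd_path(path, anchor_names, now):
    """Check a server-returned path. path[0] is the end-entity certificate and
    path[-1] must be issued by one of the client's own trust anchors.
    Names are compared as plain strings here, which is a simplification."""
    if not path:
        return False, "empty path"
    if path[-1].issuer not in anchor_names:
        return False, "path does not end at a client trust anchor"
    for i, cert in enumerate(path):
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject}: outside validity period"
        if i + 1 < len(path) and cert.issuer != path[i + 1].subject:
            return False, f"{cert.subject}: issuer does not match next certificate"
        if i > 0:  # every certificate above the end entity must be a CA
            if not cert.is_ca:
                return False, f"{cert.subject}: not a CA certificate"
            # i - 1 intermediate CA certificates sit below this one
            if cert.path_len is not None and i - 1 > cert.path_len:
                return False, f"{cert.subject}: path length constraint exceeded"
    return True, "ok"

# Constructed sample data (hypothetical names, not from any real deployment)
def utc(year):
    return datetime(year, 1, 1, tzinfo=timezone.utc)

NOW = utc(2024)
ANCHORS = {"CN=Example Root"}
ISSUING = Cert("CN=Example Issuing CA", "CN=Example Root", utc(2020), utc(2030), True, 0)
LEAF = Cert("CN=server.example", "CN=Example Issuing CA", utc(2023), utc(2025))
ROGUE = Cert("CN=Example Issuing CA", "CN=Other Root", utc(2020), utc(2030), True, 0)

if __name__ == "__main__":
    print(check_dpd_path([LEAF, ISSUING], ANCHORS, NOW))
    print(check_dpd_path([LEAF, ROGUE], ANCHORS, NOW))
```

The second call models a response whose path leads to a root the client never listed as trusted, which the client rejects regardless of what the server asserts.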

The ActivID Validation Suite is capable of servicing both DPD and DPV requests.

It consists of two infrastructure components:

  • ActivID Validation Authority provides all security functions and stores all security-sensitive data, and is capable of responding to both DPD and DPV requests. All deployments include at least one Validation Authority.

  • ActivID Validation Responder retrieves certification path data from one or more Validation Authorities and uses this information to respond to DPD requests. Responder does not perform any security-sensitive functions nor store any sensitive data. It is not capable of responding to DPV requests. A DPD deployment typically includes one or more Validation Responders.
