To install click the Add extension button. That's it.

The source code for the WIKI 2 extension is being checked by specialists of the Mozilla Foundation, Google, and Apple. You could also do it yourself at any point in time.

How to transfigure the Wikipedia

Would you like Wikipedia to always look as professional and up-to-date? We have created a browser extension. It will enhance any encyclopedic page you visit with the magic of the WIKI 2 technology.

Try it — you can delete it anytime.

Install in 5 seconds
4,5
Kelly Slayton
Congratulations on this excellent venture… what a great idea!
Alexander Grigorievskiy
I use WIKI 2 every day and almost forgot how the original Wikipedia looks like.
Live Statistics
English Articles
Improved in 24 Hours
Added in 24 Hours
What we do. Every page goes through several hundred of perfecting techniques; in live mode. Quite the same Wikipedia. Just better.
Great Wikipedia has got greater.
.
Leo
Newton
Brights
Milds

Certification path validation algorithm

From Wikipedia, the free encyclopedia

The certification path validation algorithm is the algorithm which verifies that a given certificate path is valid under a given public key infrastructure (PKI). A path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted certificate authority (CA).

Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. For example, in a hierarchical PKI, a certificate chain starting with a web server certificate might lead to a small CA, then to an intermediate CA, then to a large CA whose trust anchor is present in the relying party's web browser. In a bridged PKI, a certificate chain starting with a user at Company A might lead to Company A's CA certificate, then to a bridge CA, then to company B's CA certificate, then to company B's trust anchor, which a relying party at company B could trust.

RFC 5280[1] defines a standardized path validation algorithm for X.509 certificates, given a certificate path. (Path discovery, the actual construction of a path, is not covered.) The algorithm takes the following inputs:

  • The certificate path to be evaluated;
  • The current date/time;
  • The list of certificate policy object identifiers (OIDs) acceptable to the relying party (or any);
  • The trust anchor of the certificate path; and
  • Indicators whether policy mapping is allowed and how/when/whether the "any" policy OID is to be tolerated.

In the standardized algorithm, the following steps are performed for each certificate in the path, starting from the trust anchor. If any check fails on any certificate, the algorithm terminates and path validation fails. (This is an explanatory summary of the scope of the algorithm, not a rigorous reproduction of the detailed steps.)

  • The public key algorithm and parameters are checked;
  • The current date/time is checked against the validity period of the certificate;
  • The revocation status is checked, whether by CRL, OCSP, or some other mechanism, to ensure the certificate is not revoked;
  • The issuer name is checked to ensure that it equals the subject name of the previous certificate in the path;
  • Name constraints are checked, to make sure the subject name is within the permitted subtrees list of all previous CA certificates and not within the excluded subtrees list of any previous CA certificate;
  • The asserted certificate policy OIDs are checked against the permissible OIDs as of the previous certificate, including any policy mapping equivalencies asserted by the previous certificate;
  • Policy constraints and basic constraints are checked, to ensure that any explicit policy requirements are not violated and that the certificate is a CA certificate, respectively. This step is crucial in preventing some man in the middle attacks;[2]
  • The path length is checked to ensure that it does not exceed any maximum path length asserted in this or a previous certificate;
  • The key usage extension is checked to ensure that is allowed to sign certificates; and
  • Any other critical extensions are recognized and processed.

If this procedure reaches the last certificate in the chain, with no name constraint or policy violations or any other error condition, then the certificate path validation algorithm terminates successfully.

YouTube Encyclopedic

  • 1/3
    Views:
    7 242
    42 506
    5 372
  • Microsoft Data Science Curriculum | Microsoft on edX
  • Data Science Curriculum from Microsoft | Microsoft on edX | XSeries About Video
  • Career Story Pt. 6: When I Started Simple Programmer

Transcription

External links

  1. ^ RFC 5280 (May 2008), chapter 6., a standardized path validation algorithm for X.509 certificates.
  2. ^ Moxie Marlinspike, New Tricks For Defeating SSL In Practice, Black Hat DC Briefings 2009 conference.

See also

This page was last edited on 14 July 2023, at 09:26
Basis of this page is in Wikipedia. Text is available under the CC BY-SA 3.0 Unported License. Non-text media are available under their specified licenses. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc. WIKI 2 is an independent company and has no affiliation with Wikimedia Foundation.
Contact WIKI 2
Introduction
Terms of Service
Privacy Policy