Editing Delegated Path Validation (section)

== Protocol requirements ==
{{IETF RFC|3379}} specifies several key requirements to ensure effective and secure delegated path validation.

Firstly, if a client requests a specific validation policy that the DPV server does not support, the server must return an error. This ensures that the client is aware that the requested policy cannot be applied. If the client does not specify a validation policy, the server must indicate which validation policy was used in the response. This transparency allows clients to understand the basis on which the validation was performed.<ref name=RFC3379 />

Validation policies can be complex and may include parameters such as root self-signed certificates. The DPV protocol must allow clients to include these policy-dependent parameters in their requests. However, it is expected that most clients will either reference a validation policy suitable for their application or accept the DPV server's default validation policy.<ref name=RFC3379 />

Clients can also request that the DPV server determines the certificate's validity at a specific time other than the current time. In such cases, the server must obtain revocation status information relevant to the specified validation time. If the necessary revocation status information is unavailable, the server must return a status indicating that the certificate is invalid, possibly providing additional details about the reason for invalidity.<ref name=RFC3379 />

For the validation to proceed, the certificate must be either directly provided in the request or unambiguously referenced by details such as the CA [[Lightweight Directory Access Protocol|distinguished name]], certificate serial number, and certificate [[Hash function|hash]]. This ensures that the correct certificate is validated.<ref name=RFC3379 />

The DPV client must be capable of providing the validation server with useful certificates and revocation information related to each certificate being validated. This includes OCSP responses, CRLs, and delta CRLs, which are critical for checking the current status of certificates.<ref name=RFC3379 />

The DPV server must have access to the certificate that needs validation. If the certificate is not provided in the request, the server must obtain it and verify that it matches the reference provided by the client. In the response, the server must include either the certificate or a clear reference to it, especially in cases involving CA key compromises.<ref name=RFC3379 />

The response from the DPV server must indicate one of the following statuses:<ref name="RFC3379" />

* The certificate is valid according to the validation policy;
* The certificate is not valid according to the validation policy;
* The validity of the certificate is unknown according to the validation policy;
* The validity could not be determined due to an error.

If the certificate is not valid, the server must also provide the reason for this determination. Common reasons include the inability to construct a certification path, the constructed path failing the validation algorithm, or the certificate not being valid at the requested time, such as before its validity period begins or during a suspension.<ref name=RFC3379 />

Additionally, the DPV protocol must allow clients to request that the server includes extra information in its response. This extra information helps relying parties who do not trust the DPV server to be confident that the certificate validation was performed correctly. The DPV response must be bound to the DPV request, which can be achieved by including a [[One-way function|one-way]] hash of the request in the response. This binding ensures that all request parameters were considered in building the response.<ref name=RFC3379 />

To ensure the client trusts the DPV server, the response must be [[Authentication|authenticated]]. For the client to prove to third parties that the certificate validation was handled correctly, the DPV response must be [[Digital signature|digitally signed]], except when reporting an error. The DPV server's certificate must authenticate the server, adding another layer of trust and security to the validation process.<ref name=RFC3379 />

=== Relaying, re-direction and multicasting ===
[[File:Delegated path validation.png|thumb|upright=1.7|Application of the DPV framework in [[Transport Layer Security|TLS]]-based communications, with the optional use of a relaying mechanism by the primary DPV server.]]
In certain network environments, particularly those with [[Firewall (computing)|firewalls]], a DPV server may encounter difficulties in obtaining all the necessary information to process a validation request. To address this, a DPV server can be configured to leverage the services of other DPV servers. In such scenarios, the client remains unaware that the primary DPV server is utilizing additional servers to fulfill the request. Essentially, the primary DPV server acts as a client to another DPV server, facilitating a more comprehensive validation process. Unlike end clients, DPV servers typically have more substantial computing and memory resources, enabling them to employ relaying, re-direction, or [[multicast|multicasting mechanisms]].<ref name=RFC3379 />

The protocols designed to support these operations may include optional fields and extensions to facilitate relaying, re-direction, or multicasting between DPV servers. However, it is not expected that DPV clients will support these features. If a protocol incorporates such functionalities, it must also provide mechanisms to ensure compatibility with DPV clients and servers that do not support these advanced features, ensuring adherence to the basic protocol requirements.<ref name=RFC3379 />