Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Delegated Path Validation
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
== Security implications == The DPV protocol must incorporate mechanisms to prevent [[Replay attack|replay attacks]], ensuring that malicious entities cannot reuse validation requests to gain unauthorized access.<ref name=RFC3379 /> Importantly, this replay prevention must not depend on synchronized clocks between the client and server, which can be a vulnerability if clocks are not accurately aligned.<ref>{{Cite book |last=Syverson |first=P. |chapter=A taxonomy of replay attacks [cryptographic protocols] |date=1994 |title=Proceedings the Computer Security Foundations Workshop VII |chapter-url=https://ieeexplore.ieee.org/document/315935 |publisher=IEEE Comput. Soc. Press |pages=187β191 |doi=10.1109/CSFW.1994.315935 |isbn=978-0-8186-6230-0}}</ref> When a certificate is validated successfully according to the specified policy, the DPV server should include this information in the response if requested by the client. However, if the certificate is found to be invalid or if the server cannot determine its validity, the server may choose to omit this information to avoid unnecessary disclosure of potentially sensitive details.<ref name=RFC3379 /> The revocation status information used by the DPV server pertains to the validation time specified in the client's request. This validation time might differ from the actual time when the certificate's [[Public-key cryptography|private key]] was used to sign a document or transaction.<ref name=RFC3379 /> Therefore, the DPV client should adjust the validation time to account for several delays:<ref name="RFC3379" /> * The time it takes for the certificate holder (end-entity) to realize that their private key has been or might be compromised; * The time needed for the end-entity to report the key compromise to the relevant authorities; * The time required for the revocation authority to process the revocation request submitted by the end-entity; * The time taken by the revocation authority to update and distribute the new revocation status information. By considering these factors, the DPV protocol try to ensure that the revocation status information accurately reflects the current validity of the certificate, enhancing the overall security and reliability of the validation process.<ref name=RFC3379 />
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)