[OGSA-AUTHZ] RFC 3280 path validation [Re: Implementations]

Alan Sill Alan.Sill at ttu.edu
Tue Mar 25 14:03:19 CDT 2008

On Mar 22, 2008, at 4:44 AM, David Chadwick wrote:

> if you have followed a lot of the (old) discussions on the PKIX
> list about DN matching in certificates, you will see that a lot of PKI
> software vendors do plain string matching of DNs, rather than proper
> X.500/LDAP DN matching rules, so dont believe that passing certs  
> instead
> of DNs will solve this problem. It wont. Only proper DN matching
> software will solve this, so it is irrelevant whether the DN is passed
> as a string or in a cert.

David et al.,

With respect to the point above, thought you might be interested in  
the following link.

PathFinder is designed to provide a mechanism for any program to  
perform RFC3280-compliant path validation of X509 certificates, even  
when some of the intermediate certificates are not present on the  
local machine. By design, Pathfinder automatically downloads any such  
certificates (and their CRLs) from the Internet as needed using the  
AIA and CRL distribution point extensions of the certificates it is  



Alan Sill, Ph.D
TIGRE Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics

:  Alan Sill, Texas Tech University  Office: Admin 233, MS 4-1167  :
:  e-mail: Alan.Sill at ttu.edu   ph. 806-742-4350  fax 806-742-4358  :

More information about the ogsa-authz-wg mailing list