SCVP

1
SCVP

• Russ Housley
• Trevor Freeman
• Ambarish Malpani

2
Status

• Draft 10 published
• Comprehensive review by Denis Pinkas
• Point by point answers provided
• Some open issues

3
Open Issues

• Criticality of extensions
• Align definition with 3280
• ReplyTypesOfCheck and ReplyWantBack have
  critical flag
• Remove
• Server returns error if does not set of OIDs
• Syntax includes place holder for validation of
  other signed objects
• Limit scope to identity and attribute certs
• Can client supply bag of attribute and identity
  certificates as supporting data to request?
• Yes but can only ask for one to be validated per
  transaction

4
Open Issues

• What form can trust anchors take?
• Direct reference in request (DNkey)
• Indirect reference (hash of data URL)
• Unique SCVP server response identifier
• Proposal to use hash in the signed attribute
• Constraints on trust anchors
• Client can request which set of cert policy to
  use
• Define application specific validation policy in
  separate document
• SMIME, IPSEC, TLS, RA

5
Way Forward

• Draft 10
• Meets all documented requirements
• Draft 11
• Address open issues
• Ready for working group last call