View Issue Details

ID: 0006279
Project: 10000-004: Services
Category: Spec
View Status: public
Last Update: 2021-11-16 13:04
Reporter: Ondrej Flek
Assigned To: Matthias Damm
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: duplicate
Summary: 0006279: Unclear certificate validation requirements
Description

Part 4, Section 6.1.3 states: “If an application is not directly trusted (i.e. its Certificate is not in the list of trusted applications) then the application shall build a chain of Certificates back to a trusted CA.” However, the CTT expects that the trust path is built even for directly trusted (end entity) Application Instance Certificates, unless the Certificate is self-signed. Either the CTT test case (Security Certificate Validation, cases 009.js and 046.js) should be fixed, or the wording in the Specification should be changed to describe the behavior stipulated by the CTT, depending on which behavior is actually desired.

Additional Information

After initial discussion with Randy, it looks like the behavior expected by the CTT is the desired one. That is why this issue is filed under UA Spec/Part 4 and not under CTT.

Tags: No tags attached.
Commit Version:
Fix Due Date:

Relationships

duplicate of 0004666 | closed | Matthias Damm | 10000-004: Services | 6.1.3 Determining if a Certificate is Trusted is not consistent with Part 12
Not all the children of this issue are yet resolved or closed.

Activities

Matthias Damm

2020-12-06 14:39

developer   ~0013371

This was already changed in the 1.05 draft based on Mantis 0004666

6.1.3 Determining if a Certificate is trusted
Applications shall never communicate with another application that they do not trust. An Application decides if another application is trusted by checking whether the Application Instance Certificate for the other application is trusted. A Certificate is only trusted if its chain can be validated.

Applications shall rely on lists of Certificates provided by the Administrator to determine trust. There are two separate lists: a list of trusted Certificates and a list of issuer Certificates (i.e. CAs). The list of trusted Certificates may contain a Certificate issued to another Application or it may be a Certificate belonging to a CA. The list of issuer Certificates contains CA Certificates needed for chain validation that are not in the list of trusted Certificates.
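
The trust decision described in the revised 6.1.3 text quoted above, as an added example that is not part of this issue thread or of the OPC UA specification. It shows why a directly trusted, CA-issued Application Instance Certificate still fails when its CAs are missing, while a self-signed one does not. Assumptions: certificates are modelled as subject/issuer name records with constructed names, so signature, validity-period and revocation checks are outside its scope, and the rule that at least one chain member must be in the trusted list is this example's assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: names only, no keys."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer

def build_chain(cert, trusted, issuers):
    """Follow issuer names up to a self-signed root; None if a link is missing."""
    pool = {c.subject: c for c in (*issuers, *trusted)}
    chain = [cert]
    while not chain[-1].self_signed:
        parent = pool.get(chain[-1].issuer)
        if parent is None or parent in chain:  # missing CA or issuer loop
            return None
        chain.append(parent)
    return chain

def check_trust(cert, trusted, issuers):
    """Return (ok, reason). The chain is built even when cert itself is listed."""
    chain = build_chain(cert, trusted, issuers)
    if chain is None:
        return False, "chain incomplete"
    # Assumption of this example: one chain member must be in the trusted list.
    if not any(c in trusted for c in chain):
        return False, "no trusted certificate in chain"
    return True, "trusted"

# Constructed sample PKI: root CA -> issuing CA -> application instance.
ROOT = Cert("CN=Plant Root CA", "CN=Plant Root CA")
SUB = Cert("CN=Line CA", "CN=Plant Root CA")
APP = Cert("CN=ClientApp", "CN=Line CA")
SELF = Cert("CN=Standalone", "CN=Standalone")

if __name__ == "__main__":
    cases = {
        "APP directly trusted, CAs missing": (APP, [APP], []),
        "APP directly trusted, CAs in issuer list": (APP, [APP], [SUB, ROOT]),
        "self-signed, directly trusted": (SELF, [SELF], []),
        "root trusted, issuing CA in issuer list": (APP, [ROOT], [SUB]),
        "CAs known but nothing trusted": (APP, [], [SUB, ROOT]),
    }
    for name, args in cases.items():
        print(f"{name}: {check_trust(*args)}")
```
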

Jim Luth

2020-12-11 15:34

administrator   ~0013467

Agreed to dup in Virtual F2F. Fixed in 1.04.8.

Issue History

Date Modified | Username | Field | Change
2020-11-25 16:26 | Ondrej Flek | New Issue |
2020-12-06 14:30 | Matthias Damm | Relationship added | duplicate of 0004373
2020-12-06 14:37 | Matthias Damm | Relationship added | duplicate of 0004666
2020-12-06 14:37 | Matthias Damm | Relationship deleted | 0004373
2020-12-06 14:39 | Matthias Damm | Assigned To | => Matthias Damm
2020-12-06 14:39 | Matthias Damm | Status | new => resolved
2020-12-06 14:39 | Matthias Damm | Resolution | open => duplicate
2020-12-06 14:39 | Matthias Damm | Note Added: 0013371 |
2020-12-11 15:34 | Jim Luth | Status | resolved => closed
2020-12-11 15:34 | Jim Luth | Note Added: 0013467 |