Repository field of the Subject Information Access extension in various CA certificates,
and resources declared in the CA Issuers field of the Authority Information Access extension in various certificates.
4.5.1 Path Validation
The client shall validate the server certificate in accordance with the certification path
validation rules specified in Section 6 of [RFC5280]. In addition, the revocation status of
each certificate in the certification path shall be checked using a Certificate Revocation List
(CRL) or the Online Certificate Status Protocol (OCSP). OCSP checking shall be in
compliance with [RFC6960] and should use only one of the following options:
• The OCSP Responder is trusted by the client, i.e., the OCSP Responder public
key is the same as one of the public keys in the client's trust anchor store; or
• The OCSP Response is signed using the same key that signed the certificate whose
status is being checked (i.e., the issuing CA's key); or
• The OCSP Response is signed by a designated/delegated OCSP Responder as described in
[RFC6960], and the OCSP Responder certificate is itself signed using the same key that
signed the certificate whose status is being checked.
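The three signer options above are the three cases RFC 6960 allows, and the one most often implemented incorrectly is the delegated responder: its certificate must be issued by the same CA key that issued the certificate being checked and must carry the id-kp-OCSPSigning extended key usage; a chain-valid certificate from some other CA is not enough. The following model, added here as an example and not code from the NIST guideline or any library, encodes that decision and applies it to every certificate in a path, treating a missing or non-good response as a failure. Certificates and responses are plain dictionaries keyed by key identifiers; the key identifiers, certificates and responses are constructed for the example, and signature verification and ASN.1 parsing are assumed to have already been done.

```python
"""Model of the three acceptable OCSP response signers (RFC 6960 section
4.2.2.2) applied to a whole certification path.  Added example; the key
identifiers and certificates below are constructed, and signature checks and
ASN.1 parsing are assumed to have happened before these functions run."""

ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning extended key usage, RFC 6960


def ocsp_signer_basis(response: dict, target: dict, trust_anchor_keys: set):
    """Return which option justifies trusting the signer of `response` for the
    certificate `target`, or None if no option applies.

    response: {"signer_key": <kid>, "responder_cert": <cert dict> or None}
    target:   {"subject_key": <kid>, "issuer_key": <kid>}  where issuer_key is
              the key that signed the certificate (the issuing CA's key)
    responder cert dict: {"subject_key", "issuer_key", "eku": [OIDs]}
    """
    signer = response["signer_key"]
    # Option 1: the responder's key is itself a trust anchor of the client.
    if signer in trust_anchor_keys:
        return "trusted-responder"
    # Option 2: the response is signed with the key that issued the certificate.
    if signer == target["issuer_key"]:
        return "issuing-ca"
    # Option 3: delegated responder.  Its certificate must bind the signing key,
    # be issued by the same CA key that issued `target`, and carry the OCSP
    # signing EKU.  Issuance by any other CA, even a trust anchor, is rejected.
    rc = response.get("responder_cert")
    if (rc is not None
            and rc["subject_key"] == signer
            and rc["issuer_key"] == target["issuer_key"]
            and ID_KP_OCSP_SIGNING in rc.get("eku", ())):
        return "delegated-responder"
    return None


def path_revocation_ok(path, responses: dict, trust_anchor_keys: set) -> bool:
    """Every certificate in `path` needs a 'good' response from an acceptable
    signer.  A missing response is a failure (hard fail) rather than the
    soft-fail behaviour of accepting a certificate when the latest revocation
    information is inaccessible."""
    for cert in path:
        resp = responses.get(cert["subject_key"])
        if resp is None or resp.get("status") != "good":
            return False
        if ocsp_signer_basis(resp, cert, trust_anchor_keys) is None:
            return False
    return True


# Constructed key identifiers and certificates for the example (not real values).
ROOT_KEY, INT_KEY, SERVER_KEY = "kid-root", "kid-intermediate", "kid-server"
RESPONDER_KEY, ROGUE_KEY = "kid-responder", "kid-rogue"
TRUST_ANCHORS = {ROOT_KEY}
PATH = [
    {"subject_key": SERVER_KEY, "issuer_key": INT_KEY},   # end-entity, issued by intermediate
    {"subject_key": INT_KEY, "issuer_key": ROOT_KEY},     # intermediate, issued by root
]
RESPONDER_CERT = {"subject_key": RESPONDER_KEY, "issuer_key": INT_KEY,
                  "eku": [ID_KP_OCSP_SIGNING]}
GOOD_RESPONSES = {
    SERVER_KEY: {"status": "good", "signer_key": RESPONDER_KEY, "responder_cert": RESPONDER_CERT},
    INT_KEY: {"status": "good", "signer_key": ROOT_KEY, "responder_cert": None},
}
# A responder certificate issued by the root (not by the server's issuer) must be
# rejected for the server certificate even though it carries the OCSP-signing EKU.
ROGUE_RESPONSES = {
    SERVER_KEY: {"status": "good", "signer_key": ROGUE_KEY,
                 "responder_cert": {"subject_key": ROGUE_KEY, "issuer_key": ROOT_KEY,
                                    "eku": [ID_KP_OCSP_SIGNING]}},
    INT_KEY: GOOD_RESPONSES[INT_KEY],
}

if __name__ == "__main__":
    print("good path:", path_revocation_ok(PATH, GOOD_RESPONSES, TRUST_ANCHORS))
    print("rogue responder:", path_revocation_ok(PATH, ROGUE_RESPONSES, TRUST_ANCHORS))
```

The trusted-responder check is evaluated first, so a response on the intermediate signed by the root is reported as "trusted-responder" even though the root is also its issuer; either basis is sufficient and the order does not affect the accept/reject outcome.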
Revocation information shall be obtained as described in Section 4.2.2.

Not all commercial products support the public key certification path validation and
certificate policy processing rules listed and cited above. Specifically, revocation checking
in some instances may not be available, or the client could accept a server public key
certificate if the latest revocation information is inaccessible. Similarly, some clients are
not able to provide inputs related to acceptable certificate policies or the initial values
for requiring explicit policy and inhibiting policy mapping. In the absence of clients that
are fully certificate policy aware, Federal agencies may use other mechanisms to decide if a
server certificate has been issued with due diligence.

Not all clients support checking name constraints. Federal agencies shall only procure
clients that perform name constraint checking in order to obtain assurance that unauthorized
certificates are properly rejected. As an alternative, the Federal agency may procure clients
that use one or more of the features discussed in Appendix D.

The client shall terminate the TLS connection if path validation fails.
Federal agencies shall only use clients that check that the DNS name or IP address,
whichever is presented in the client TLS request, matches a DNS name or IP address
contained in the server certificate's subject alternative name extension. Only if the name
presented in the client TLS request is absent from the server certificate's subject
alternative name extension shall the client check the server certificate's subject
distinguished name field to determine if the subject distinguished name (specifically, the
common name attribute type) contains the requested name. The client shall terminate
the TLS connection if the name check fails.
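The name check above, written out as an added example (not code from the NIST guideline): the requested name is classified as an IP literal or a DNS name, looked for in the subject alternative name extension, and only if the SAN does not hold it is the subject common name consulted. The certificate input uses the dictionary shape returned by ssl.SSLSocket.getpeercert(), so the function can be called directly after a handshake; the sample certificates, the single-label wildcard rule, the DNS-only common-name fallback and the optional strict mode (which implements the RFC 6125 section 6.4.4 rule that the CN is never consulted when the SAN carries any DNS name) are assumptions of this example rather than statements of the text.

```python
"""Server-name check: SAN first, subject common name only as a fallback.
Added example using the dict shape of ssl.SSLSocket.getpeercert(); the sample
certificates are constructed, and the wildcard and strict-mode rules are this
example's assumptions."""
import ipaddress
import ssl


def _dns_match(pattern: str, name: str) -> bool:
    """Case-insensitive DNS comparison, ignoring a trailing dot.  A single
    leftmost '*' label matches exactly one label and only when at least two
    further labels follow (assumption: the text does not discuss wildcards)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    p, n = pattern.split("."), name.split(".")
    return p[0] == "*" and len(p) >= 3 and len(p) == len(n) and p[1:] == n[1:]


def _as_ip(text: str):
    """Parsed IP address, or None when `text` is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def server_name_matches(cert: dict, requested: str, strict: bool = False) -> bool:
    """True when `requested` (DNS name or IP literal) is found in the SAN, or,
    failing that, in a commonName of the subject.  With strict=True the CN
    fallback is skipped whenever the SAN holds any DNS name (RFC 6125 6.4.4)."""
    ip = _as_ip(requested)
    san = cert.get("subjectAltName", ())
    for kind, value in san:
        if ip is not None and kind == "IP Address" and _as_ip(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_match(value, requested):
            return True
    # Fallback to the subject common name.  An IP literal is never matched
    # against a CN (assumption of this example; a CN-ID is a DNS name).
    if ip is not None or (strict and any(kind == "DNS" for kind, _ in san)):
        return False
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and _dns_match(value, requested):
                return True
    return False


def enforce_server_name(sock, requested: str) -> dict:
    """Run the check on an established TLS socket and terminate the connection
    if it fails, as the text requires.  Returns the peer certificate on success."""
    cert = sock.getpeercert()
    if not server_name_matches(cert, requested):
        sock.close()
        raise ssl.SSLCertVerificationError(
            f"requested name {requested!r} not found in server certificate")
    return cert


class DemoSocket:
    """Stand-in for an ssl.SSLSocket so the example runs offline."""
    def __init__(self, cert):
        self.cert, self.closed = cert, False

    def getpeercert(self):
        return self.cert

    def close(self):
        self.closed = True


# Constructed peer certificates in getpeercert() format (not real certificates).
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.gov"),)),
    "subjectAltName": (("DNS", "www.example.gov"), ("DNS", "*.api.example.gov"),
                       ("IP Address", "192.0.2.10")),
}
SAMPLE_CERT_NO_SAN = {"subject": ((("commonName", "intranet.example.gov"),),)}

if __name__ == "__main__":
    for name in ("www.example.gov", "foo.api.example.gov", "192.0.2.10", "legacy.example.gov"):
        print(name, server_name_matches(SAMPLE_CERT, name), server_name_matches(SAMPLE_CERT, name, strict=True))
    sock = DemoSocket(SAMPLE_CERT)
    try:
        enforce_server_name(sock, "evil.example.gov")
    except ssl.SSLCertVerificationError as exc:
        print("rejected and closed:", sock.closed, exc)
```

Note that "legacy.example.gov" is accepted with the default settings because it is absent from the SAN and matches the CN, exactly as the text allows, but is rejected under strict=True because the SAN already carries DNS names; a deployment that wants the tighter RFC 6125 behaviour only has to flip that flag.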
4.5.2 Trust Anchor Store