Path Validation Server Authentication

Repository field of the Subject Information Access extension in various CA certificates, and resources declared in the CA Issuers field of the Authority Information Access extension in various certificates.

4.5.1 Path Validation

The client shall validate the server certificate in accordance with the certification path validation rules specified in Section 6 of [RFC5280]. In addition, the revocation status of each certificate in the certification path shall be checked using the Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP). OCSP checking shall be in compliance with [RFC6960] and should use only one of the following options:

• The OCSP Responder is trusted by the client, i.e., the OCSP Responder public key is the same as that of one of the public keys in the client's trust anchor store; or
• The OCSP Response is signed using the same key as that of the certificate whose status is being checked; or
• The OCSP Response is signed by a designated/delegated OCSP Responder as described in [RFC6960], and the OCSP Responder certificate is signed using the same key as that of the certificate whose status is being checked.

Revocation information shall be obtained as described in Section 4.2.2.

Not all commercial products support the public key certification path validation and certificate policy processing rules listed and cited above. Specifically, revocation checking in some instances may not be available, or the client could accept a server public key certificate if the latest revocation information is inaccessible. Similarly, some clients are not able to provide inputs related to acceptable certificate policy or initial values for requiring policies and inhibiting policy mapping. In the absence of clients that are fully certificate policy aware, Federal agencies may use other mechanisms to decide if a server certificate has been issued with due diligence.

Not all clients support checking name constraints. Federal agencies shall only procure clients that perform name constraint checking in order to obtain assurance that unauthorized certificates are properly rejected.
As an alternative, the Federal agency may procure clients that use one or more of the features discussed in Appendix D. The client shall terminate the TLS connection if path validation fails.

Federal agencies shall only use clients that check that the DNS name or IP address, whichever is presented in the client TLS request, matches a DNS name or IP address contained in the server certificate's subject alternative name extension. If the name presented in the client TLS request is absent from the server certificate's subject alternative name extension, only then shall the client check the server certificate's subject distinguished name field to determine if the subject distinguished name (specifically, the common name attribute type) contains the requested name. The client shall terminate the TLS connection if the name check fails.
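The client-side rules above (path validation to a trust anchor, name constraint checking, and matching the requested DNS name or IP address against the subject alternative name extension) as an added example using Go's standard crypto/x509 verifier; this is not code from the publication. The CA, leaf, names and IP address are constructed test material, and CRL/OCSP revocation checking is not shown because this verifier does not perform it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// buildChain makes a constructed test hierarchy: a self-signed CA whose name
// constraints permit only example.gov (and subdomains), and a server leaf
// carrying the given DNS SAN plus a constructed IP SAN (192.0.2.10).
func buildChain(leafDNS string) (ca, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway test keys
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Agency CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		PermittedDNSDomainsCritical: true, PermittedDNSDomains: []string{"example.gov"},
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: leafDNS},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		DNSNames: []string{leafDNS}, IPAddresses: []net.IP{net.ParseIP("192.0.2.10")},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return ca, leaf
}

// verifyServerCert applies the client rule from the text: validate the path to
// the trust anchor per RFC 5280 Section 6 (name constraints included) and match
// the requested DNS name or IP literal against the leaf SAN. A non-nil error
// means terminate the TLS connection; CRL/OCSP revocation checks are not shown.
func verifyServerCert(leaf, trustAnchor *x509.Certificate, requested string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustAnchor)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: requested,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

Current Go versions match names against the subject alternative name extension only and never fall back to the subject common name, so the CN fallback the text permits is not exercised here.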

4.5.2 Trust Anchor Store