Re: Issue 36 in direct-certificate-discovery-tool: Certificates in demo tool should contain CDPs


direct-certifica...@googlecode.com

Nov 16, 2012, 2:27:07 PM
to modular-sp...@googlegroups.com
Updates:
Status: Fixed

Comment #1 on issue 36 by david.de...@nitorgroup.com: Certificates in demo tool should contain CDPs
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=36

In the Applicability Statement for Secure Health Transport, it doesn't say
(in my reading) that you can't trust a certificate without a certificate
distribution point (aka a CRL).

See section 4.1.3: "STAs MAY by policy enforce either restriction (or any
other more restrictive policy) but need not. STAs MAY support any valid,
non-expired, non-revoked and trusted certificate."

direct-certifica...@googlecode.com

Nov 16, 2012, 3:16:30 PM
to modular-sp...@googlegroups.com

Comment #2 on issue 36 by dca...@meditech.com: Certificates in demo tool
According to RFC 5280, a certificate without a CDP is considered to have a
CDP status of "UNDETERMINED". I would argue that a certificate missing a
CDP is *not* a non-revoked certificate and that I can't trust it. Googling
this issue, you'll find that most posts/documents agree these certificates
should be rejected.

Many implementations of certificate validation, including IBM's (
http://publib.boulder.ibm.com/infocenter/java7sdk/v7r0/index.jsp?topic=%2Fcom.ibm.java.security.component.doc%2Fsecurity-component%2FcertpathDocs%2Fibmcertpathvalidator.html
) and Microsoft's (by default, I think there is a way to bypass this check)
will reject such certificates. Occasionally there is a way to enable
trusting such certificates, though it is a special option you have to
select.
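Worked example of the distinction this comment draws, added here as an illustration and not part of the original thread or of the discovery tool: a Go program that uses only the standard library's crypto/x509 to issue constructed test certificates with and without a CRL Distribution Points extension, sign a local CRL, and classify each certificate as GOOD, REVOKED or UNDETERMINED. A certificate with no CDP is never reported as GOOD, because there is nowhere to fetch a CRL from; the same applies when the CRL is missing, is not signed by the issuer, or is past its NextUpdate. Whether UNDETERMINED is then accepted is a separate, explicit policy switch, matching the "special option you have to select" the comment describes. The CA, the serial numbers and the URI http://crl.example/demo.crl are constructed for the example and nothing is fetched from the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationStatus is the three-way outcome the comment describes: Good and Revoked need a
// CRL that was actually consulted; no CDP (or no usable CRL) means Undetermined, not Good.
type RevocationStatus int

const (
	Good RevocationStatus = iota
	Revoked
	Undetermined
)

func (s RevocationStatus) String() string { return [...]string{"GOOD", "REVOKED", "UNDETERMINED"}[s] }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // all material below is constructed locally, so an error here is a bug
	}
	return v
}

// Issuer is a throwaway CA constructed for this example; it signs leaf certs and the CRL locally.
type Issuer struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func NewIssuer() *Issuer {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA (constructed)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // CRLSign is required to sign CRLs
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &Issuer{Cert: must(x509.ParseCertificate(der)), Key: key}
}

// IssueLeaf issues an end-entity certificate; cdps == nil yields one with no CDP extension at all.
func (i *Issuer) IssueLeaf(serial int64, cdps []string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "endpoint.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, CRLDistributionPoints: cdps}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, i.Cert, &key.PublicKey, i.Key))
	return must(x509.ParseCertificate(der))
}

// IssueCRL signs a CRL listing the given serials; it stands in for the CRL a validator
// would download from the URI named in the certificate's CDP extension.
func (i *Issuer) IssueCRL(revoked []int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(7),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, i.Cert, i.Key))
	return must(x509.ParseRevocationList(der))
}

// CheckRevocation returns Undetermined whenever the check cannot actually be run: the leaf
// has no CDP, or the CRL is absent, not signed by the issuer, or past its NextUpdate.
func CheckRevocation(leaf, issuer *x509.Certificate, crl *x509.RevocationList) RevocationStatus {
	if len(leaf.CRLDistributionPoints) == 0 {
		return Undetermined // nowhere to fetch a CRL from, so "not revoked" cannot be established
	}
	if crl == nil || crl.CheckSignatureFrom(issuer) != nil || time.Now().After(crl.NextUpdate) {
		return Undetermined
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return Revoked
		}
	}
	return Good
}

// Accept is the policy knob the comment mentions: Undetermined is rejected unless the
// relying party has explicitly opted into trusting certificates whose status it cannot check.
func Accept(status RevocationStatus, allowUndetermined bool) bool {
	return status == Good || (status == Undetermined && allowUndetermined)
}

func main() {
	ca := NewIssuer()
	cdp := []string{"http://crl.example/demo.crl"} // constructed URI, never fetched
	crl := ca.IssueCRL([]int64{102})
	for _, c := range []*x509.Certificate{ca.IssueLeaf(100, cdp), ca.IssueLeaf(101, nil), ca.IssueLeaf(102, cdp)} {
		st := CheckRevocation(c, ca.Cert, crl)
		fmt.Printf("serial %v: %-12v strict=%-5v lenient=%v\n", c.SerialNumber, st, Accept(st, false), Accept(st, true))
	}
}
```

Running it prints one line per certificate: serial 100 (CDP present, not on the CRL) is GOOD under both policies, serial 101 (no CDP) is UNDETERMINED and is accepted only under the lenient policy, and serial 102 is REVOKED under both. A real validator would fetch the CRL from the CDP URI and cache it by NextUpdate; the classification logic stays the same.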
