Title: Security - Remove duplicate certificate retrieval requirements
PDR Reference: M2080008
Originator Reference: PDR-SV8-6
SARPs Document Reference: Edition 3 Sub-Volume VIII, Section 8.6.3.5.1
CAMAL Document Reference: -
P/OICS Document Reference: -
Status: RESOLVED
Impact: C
PDR Revision Date: 07 Oct 2002 (Resolved)
                   02 Oct 2002 (Proposed)
                   23 Sep 2002 (Accepted)
PDR Submission Date: 29-Aug-2002 (Submitted)
Submitting State/Organization: FAA
Submitting Author Name: Jim Simpkins
Submitting Author E-mail Address: jsimpkins@bcisse.com
Submitting Author Supplemental Contact Information: +1-856-228-5757 x19
SARPs Date: Doc 9705 Edition 3
P/OICS Date: -
SARPs Language: English

Summary of Defect:

In 8.6.3.2.1.d, the SSO is required to retrieve and validate the Source Peer's uncompressed certificate path when it is not presented in the input to SSO-SignCheck and the SSO does not have a cached, verified copy. The SSO then invokes SSO-AMACVP to verify the input MAC-appendix. SSO-AMACVP invokes SSO-SessionKey when it is invoked the first time. The SSO is then required to retrieve and validate the Source Peer's uncompressed certificate path again by 8.6.3.5.1.a. This duplication should be removed.

Assigned SME: Sub-Volume VIII SME

Proposed SARPs amendment:

1/ 8.6.3.5.1: Add new item a with the following: "a) when the SSO does not have a (cached) verified key-agreement-key uncompressed certificate path for the Remote Peer:".

2/ 8.6.3.5.1: Relabel existing item a as sub-item 1 under item a and replace with the following: "1) retrieve the Remote Peer's public key-agreement-key uncompressed certificate path, and".

3/ 8.6.3.5.1: Relabel item b as sub-item 2 under item a.

4/ 8.6.3.5.1: Relabel items c through e as items b through d.

5/ 8.6.3.5.1: Renumber the Note as Note 1.

6/ 8.6.3.5.1: Add the following as Note 2 before item b. "Note 2. -- The SSO may elect to cache certificate paths after verification. The length of time that certificate paths are cached is subject to local policy."

Impact on interoperability: None. Without the change, one unnecessary certificate retrieval and check is made when a session key is created.

PDR Validation status: Thorough inspection should be sufficient.

SME Recommendation to CCB: Progress to RESOLVED.

CCB Decision: RESOLVED.
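
Added example (not part of the PDR or of the SARPs text): a Python model of the call sequence in the Summary of Defect, counting certificate retrievals with the original and the amended 8.6.3.5.1. The class and function names, the constructed path record, the 300-second cache lifetime and the reduction of path validation to a flag are assumptions made for illustration.

```python
import time

class Directory:
    """Constructed stand-in for certificate retrieval; counts each lookup."""
    def __init__(self, valid=True):
        self.retrievals, self.valid = 0, valid

    def retrieve_path(self, peer):
        self.retrievals += 1
        return {"subject": peer, "valid": self.valid}  # constructed path record

class SSO:
    def __init__(self, directory, cache_ttl, amended, clock=time.monotonic):
        self.directory, self.cache_ttl = directory, cache_ttl
        self.amended, self.clock = amended, clock
        self._verified = {}  # peer -> (verified path, expiry time)

    def _cached(self, peer):
        entry = self._verified.get(peer)
        if entry and self.clock() < entry[1]:
            return entry[0]
        self._verified.pop(peer, None)  # expired or absent
        return None

    def _retrieve_and_verify(self, peer):
        path = self.directory.retrieve_path(peer)
        # Assumption: full path validation is reduced to a flag here.
        if path["subject"] != peer or not path["valid"]:
            raise ValueError("certificate path failed validation")
        # Cache only after verification; lifetime is local policy (Note 2).
        self._verified[peer] = (path, self.clock() + self.cache_ttl)
        return path

    def session_key(self, peer):
        """Certificate-path step of SSO-SessionKey (8.6.3.5.1)."""
        if self.amended:  # new item a): retrieve only when no verified copy is cached
            return self._cached(peer) or self._retrieve_and_verify(peer)
        return self._retrieve_and_verify(peer)  # original item a): always retrieve

    def sign_check(self, peer):
        """SSO-SignCheck with no path in the input (8.6.3.2.1.d)."""
        self._cached(peer) or self._retrieve_and_verify(peer)
        return self.session_key(peer)  # first SSO-AMACVP call invokes SSO-SessionKey

def retrievals_for_first_check(amended):
    """Retrievals caused by one SSO-SignCheck for a peer not seen before."""
    directory = Directory()
    SSO(directory, cache_ttl=300, amended=amended).sign_check("peer-A")
    return directory.retrievals
```

A path that fails validation is never cached, and an expired entry forces a fresh retrieval and check, so the amended behaviour removes only the duplicate lookup.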