I meanwhile found a reference that uses the shell model validation without naming it explicitly as shell model.
Document rfc5280 "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile" explains in section 6 the "Certification Path Validation".
Section 6.1.3. (a)(2) states that the timestamp of the validation(system date) has to be within the validity period of all certificates in the validation path.
It uses the validation method that was named "shell model" in the referenced presentation. Currently I do not have any references concerning the "chain" validation model, however as the presentation was made by the Bundesnetzagentur which is a state agency in Germany, I guess it is used.
The general question for us was which validation model shall we use for our implementation. We will go for the shell model that is also used in the rfc5280.
Thanks for all the comments concerning this issue.
Connect to the next generation of MSN Messenger Get it now!
|