1 Overview

1.1　 Test Flow

Under the PKI Interoperability Suite, the following test data is created for each test case:

- Signature data that must be verified

- Certificate chain needed for verification

- Revocation information needed for certificate revocation verification

- Trust anchor information to be used in verification

In each test area, signature data for the application subject to testing is verified based on a given trust anchor, and the results are compared with an expected value.

This Test Design Document mainly defines the above-mentioned test data created for the test cases described later.

This document contains several test case designs, and there are three general test categories corresponding to different authorities. In so doing, we can clearly indicate which test case conforms to which specification.

1.2.1 Test Category Design

In this project, we prepared the following three test categories. Essentially, we can define two types of categories. The first is a GPKI simulation test category in which confirmation is performed for adaptability to a realistic environment. The second is a model case the objective of which is to perform various function verifications using a certification path, such as with DoD/FPKI and original test cases.

(1) GPKI Simulation Test

Under a GPKI simulation test, an environment simulating current GPKI is prepared, after which various test cases related to certificate path verification are developed. The GPKI Test Case Design Document covers examples related to each certificate issued from each certificate authority.

(2) NIST Test (Sample)

The following summarizes materials including test cases and documents related to DoD BCA interoperability test in NIST.

The PKI Interoperability Test Suite compiles these test cases and saves the results in a database.

(3) Original Tests

Original tests are created as high-level test cases that are not fully conducted in GPKI simulation tests and DoD/ FPKI path verification testing.

These tests are used as model cases when performing functional verification related to certification path verification, apart from the GPKI simulation environment.

1.2.2 Test Case Design

Several test case designs for each test category are contained in this document.

The following categories should be defined for each test case.

- Test category

- Test case name and test case objective

- Test case reference

- Test keywords

- Trust anchor information (starting point for path verification)

- Input values for path verification

- Certification path sequence

- Parameters for trust anchor certificate

- Parameters for intermediate certificate included in the certification path

- Parameters for signer certificate (certificate subject to verification)

- Parameters for revocation information referenced from each certificate

However, detailed parameters for each certificate have been omitted in this documentation. Detailed parameters are referenced in the test case database.

2 GPKI Simulation Test

2.1　 Test Objectives

Under this test case, we have prepared an environment whereby we will confirm the ability to verify signature data between a government EE and a private EE via a GPKI bridge certificate authority.

Use of a bridge CA allows us to confirm the ability to verify a certification path including certificate policy and policy mapping, and the certification path construction via LDAPv3 Referral between a private repository and an integrated repository.

Test suite users tested each application under these environments, confirming the levels of compatibility with GPKI.

2.2　 Basic Testing Environment

Each GPKI component interface is defined by the GPKI Interoperability Specification. This testing environment was created to imitate GPKI design and operation under this specification.

2.2.1 Certificate authority and EE used with this test

Certificate authorities under GPKI include government (mainly administrative) certificate authorities, and so-called private certificate authorities who have received authorization according to the Electronic Signature Law, as well as GPKI bridge certificate authorities, which involves both government and private authorities. The certificate authority for METI is a hierarchical model consisting of a root certificate authority and a subordinate certificate authority. In this test environment, simulated certificate data issued from the certificate authorities mentioned below is tailored for each test category.

We have also made it possible to add any government certificate authorities and private certificate authorities that may be developed in the future, providing a means to create data designed for testing these authorities in the same manner as the ones identified below.

(1) GPKI bridge certificate authority

(2) Ministry of Economy, Trade and Industry certificate authority

(a) METI root certificate authority

(b) METI subordinate certificate authority

(3) Ministry of Land, Infrastructure and Transport certificate authority

(4) Ministry of Public Management, Home Affairs, Posts and Telecommunications certificate authority

(5) Commercial registration CA

(6) Japan Certification Services, Inc.'s A-Sign2 (A-Sign2, below)

(7) SECOM Trust.net Co., Ltd.'s Passport for G-ID (G-ID, below)

2.2.2 Repositories used for testing

Under GPKI, publicly released integrated repositories such as those holding certificate/ revocation information from government certificate authorities, and publicly released private repositories containing certificate/ revocation information from private certificate authorities can reference each other through LDAPv3 Referral. An integrated repository (imitating the type of repository introduced above) and two types of simulated private repositories were prepared for this test environment. By setting LDAPv3 Referral between these two repositories, certification path construction and verification can be performed in a manner spanning both repositories.

(1) Simulated integrated repository

(2) Simulated A-Sign2 repository

(3) Simulated G-ID repository

2.2.3 Commercial registration responders

GPKI provides for a commercial registration responder that generates revocation information for certificates issued by a commercial registration certificate authority. In this test case, a simulated commercial registration OCSP responder was prepared and used for certificate path construction and verification.

Figure 2-1 GPKI Basic Test Environment Overview

2.3　 Test Case

Included in the test data created for this test were signature data to be verified and certificates to be used in verification.

For each test, certificates used for verifying these items were used to verify signature data.

The following shows acceptance policies used in GPKI Simulation Tests.

Certificate Authority	Policy Code	Acceptance Policy OID
Simulated Ministry of Economy, Trade and Industry certificate authority	policy-METI	0.2.392.200117.1.9.2002.2.1.2.392.100595.8.5.1.1.10
Simulated Ministry of Public Management, Home Affairs, Posts and Telecommunications certificate authority	policy-MPHPT	0.2.392.200117.1.9.2002.2.0.2.440.100145.8.5.1.1.10
Simulated Ministry of Land, Infrastructure and Transport certificate authority	policy-MLIT	0.2.392.200117.1.9.2002.2.0.2.440.100155.8.5.1.1.10
Simulated A-Sign2 (1)	policy-Asign1	0.2.392.200117.1.9.2002.2.1.2.392.200075.3.4
Simulated A-Sign2 (2)	policy-Asign2	0.2.392.200117.1.9.2002.2.1.2.392.200075.3.3
Simulated G-ID	policy-GID	0.2.392.200117.1.9.2002.2.1.2.392.200091.100.621.1
Simulated commercial registration certificate authority	policy-CR	0.2.392.200117.1.9.2002.2.1.2.392.100300.1.3.1

2.3.1 Normal EE certificates

Signer (Signature Data)		Government Signer			Private Signer
Signature Verifier And Trust Anchor		Simulated METI EE	Simulated MPHPT EE	Simulated MLIT EE	Simulated A-Sign2	Simulated G-ID	Simulated Commercial registration EE
Government RP	Simulated METI CA	METI.METI.OK.01	METI.MPHPT.OK.01	METI.MLIT.OK.01	METI.Asign.OK.01	METI.GID.OK.01	METI.CR.OK.01
	Simulated MPHPT CA	MPHPT.METI.OK.01	MPHPT.MPHPT.OK.01	MPHPT.MLIT.OK.01	MPHPT.Asign.OK.01	MPHPT.GID.OK.01	MPHPT.CR.OK.01
	Simulated MLIT CA	MLIT.METI.OK.01	MLIT.MPHPT.OK.01	MLIT.MLIT.OK.01	MLIT.Asign.OK.01	MLIT.GID.OK.01	MLIT.CR.OK.01
private RP	Simulated A-Sign2	Asign.METI.OK.01	Asign.MPHPT.OK.01	Asign.MLIT.OK.01
	Simulated G-ID	GID.METI.OK.01	GID.MPHPT.OK.01	GID.MLIT.OK.01
	Simulated Commercial registration CA	CR.METI.OK.01	CR.MPHPT.OK.01	CR.MLIT.OK.01

(1) When simulated METI root CA serves as trust anchor

(i) Test category

GPKI Simulation Test

(ii) Test objective

Confirm whether simulated METI EE can verify normal signature data.

(iii) Test case references

GPKI Cross-Certification Standard

http://www.gpki.go.jp/cross/index.html

GPKI Cross-Certification Test

http://www.gpki.go.jp/ <not confirmed>

(iv) Test keywords

GPKI, Ministry of Economy, Trade and Industry, METI, hierarchy

(b) Verification of simulated METI certificate authority EE signature data

(i) Test case name

METI.METI.OK.01

(ii) Certification path

Certification Path	Subject	Intermediate Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(Simulated METI Root CA)	None	2000100	2000100	None
<Cross-certification certificate>	(Simulated METI Sub CA)	2000101	None	2000101	None
<Signing certificate>	(Simulated METI EE)	2000199	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-METI>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(c) Verification of simulated MPHPT certificate authority EE signature data

(i) Test case name

METI.MPHPT.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated METI RootCA)	None	2000200	2000200	None
<Cross-certification certificate>	(simulated BCA)	2000201	2000202	2000201	None
<Cross-certification certificate>	(simulated MPHPTCA)	2000203	2000204	2000203	None
<signing certificate>	(simulated MPHPTEE)	2000299	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-METI>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) Verification of simulated MLIT certificate authority EE signature data

(i) Test case name

METI.MLIT.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated METI RootCA)	None	2000300	2000300	None
<Cross-certification certificate>	(simulated BCA)	2000301	2000302	2000301	None
<Cross-certification certificate>	(simulated MLIT CA)	2000303	2000304	2000303	None
<signing certificate>	(simulated MLIT EE)	2000399	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-METI>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	True
init-any-policy-inhibit	default(false)

(e) Verification of simulated A-Sign2 EE signature data

(i) Test case name

METI.Asign.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated METI RootCA)	None	2000400	2000400	None
<Cross-certification certificate>	(simulated BCA)	2000401	2000402	2000401	None
<Cross-certification certificate>	(simulated A-Sign2 CA)	2000403	2000404	2000403	None
<signing certificate>	(simulated A-Sign2 EE)	2000499	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-METI>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(f) Verification of simulated G-ID EE signature data

(i) Test case name

METI.GID.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated METI RootCA)	None	2000500	2000500	None
<Cross-certification certificate>	(simulated BCA)	2000501	2000502	2000501	None
<Cross-certification certificate>	(simulated G-ID CA)	2000503	2000504	2000503	None
<signing certificate>	(simulated G-ID EE)	2000599	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-METI>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(g) Verification of simulated commercial registration EE signature data

(i) Test case name

METI.CR.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated METI RootCA)	None	2000600	2000600	None
<Cross-certification certificate>	(simulated BCA)	2000601	2000602	2000601	None
<Cross-certification certificate>	(simulated commercial registration CA)	2000603	2000604	None	6
<signing certificate>	(simulated commercial registration EE)	2000699	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-METI>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(2) When simulated MPHPT certificate authority serves as trust anchor

(i) Test category

GPKI Simulation Test

(ii) Test objective

Confirm whether simulated MPHPT EE can verify normal signature data.

(iii) Test case references

GPKI Cross-Certification Standard http://www.gpki.go.jp/cross/index.html

GPKI Cross-Certification Test http://www.gpki.go.jp/<not confirmed>

(iv) Test keywords

GPKI, Ministry of Public Management, Home Affairs, Posts and Telecommunications, MPHPT, hierarchy

(b) Verification of simulated METI certificate authority EE signature data

(i) Test case name

MPHPT.METI.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MPHPT CA)	None	2000700	2000700	None
<Cross-certification certificate>	(simulated BCA)	2000701	2000702	2000701	None
<Cross-certification certificate>	(simulated METI RootCA)	2000703	2000704	2000703	None
<Cross-certification certificate>	(simulated METI SubCA)	2000705	None	2000705	None
<signing certificate>	(simulated METI EE)	2000799	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-MPHPT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(c) Verification of simulated MPHPT certificate authority EE signature data

(i) Test case name

MPHPT.MPHPT.OK.01

(ii) Certification Path

Certification Path

subject

Cross-Certification

Certificate #

Self-Signed

Certificate #

CRL#

OCSP#

(simulated MPHPT CA)

None

2000800

None

(simulated MPHPT EE)

2000899

None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-MPHPT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) Verification of simulated MLIT certificate authority EE signature data

(i) Test case name

MPHPT.MLIT.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MPHPT CA)	None	2000900	2000900	None
<Cross-certification certificate>	(simulated BCA)	2000901	2000902	2000901	None
<Cross-certification certificate>	(simulated MLIT CA)	2000903	2000904	2000903	None
<signing certificate>	(simulated MLIT EE)	2000999	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-MPHPT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(e) Verification of simulated A-Sign2 EE signature data

(i) Test case name

MPHPT.Asign.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MPHPT CA)	None	2001000	2001000	None
<Cross-certification certificate>	(simulated BCA)	2001001	2001002	2001001	None
<Cross-certification certificate>	(simulated A-Sign2 CA)	2001003	2001004	2001003	None
<signing certificate>	(simulated A-Sign2 EE)	2001099	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-MPHPT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(f) Verification of simulated G-ID EE signature data

(i) Test case name

MPHPT.GID.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MPHPT CA)	None	2001100	2001100	None
<Cross-certification certificate>	(simulated BCA)	2001101	2001102	2001101	None
<Cross-certification certificate>	(simulated G-ID CA)	2001103	2001104	2001103	None
<signing certificate>	(simulated G-ID EE)	2001199	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-MPHPT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(g) Verification of simulated commercial registration EE signature data

(i) Test case name

MPHPT.CR.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MPHPT CA)	None	2001200	2001200	None
<Cross-certification certificate>	(simulated BCA)	2001201	2001202	2001201	None
<Cross-certification certificate>	(simulated commercial registration CA)	2001203	2001204	None	12
<signing certificate>	(simulated commercial registration EE)	2001299	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-MPHPT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(3) When simulated MLIT certificate authority serves as trust anchor

(i) Test category

GPKI Simulation Test

(ii) Test objective

Confirm whether simulated MLIT EE can verify simulated METI EE signature data.

(iii) Test case references

GPKI Cross-Certification Standard http://www.gpki.go.jp/cross/index.html

GPKI Cross-Certification Test http://www.gpki.go.jp/ <not confirmed>

(iv) Test keywords

GPKI, Ministry of Land, Infrastructure and Transport, METI, hierarchy

(b) Verification of simulated METI certificate authority EE signature data

(i) Test case name

MLIT.METI.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MLIT CA)	None	2001300	2001300	None
<Cross-certification certificate>	(simulated BCA)	2001301	2001302	2001301	None
<Cross-certification certificate>	(simulated METI RootCA)	2001303	2001304	2001303	None
<Cross-certification certificate>	(simulated METI SubCA)	2001305	None	2001305	None
<signing certificate>	(simulated METI EE)	2001399	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-MLIT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(c) Verification of simulated MPHPT certificate authority EE signature data

(i) Test case name

MLIT.MPHPT.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MLIT CA)	None	2001400	2001400	None
<Cross-certification certificate>	(simulated BCA)	2001401	2001402	2001401	None
<Cross-certification certificate>	(simulated MPHPT CA)	2001403	2001404	2001403	None
<signing certificate>	(simulated MPHPT EE)	2001499	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-MLIT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) Verification of simulated MLIT certificate authority EE signature data

(i) Test case name

MLIT.MLIT.OK.01

(ii) Certification Path

Certification Path

subject

Cross-Certification

Certificate #

Self-Signed

Certificate #

CRL#

OCSP#

(simulated MLIT CA)

None

2001500

None

(simulated MLIT EE)

2001599

None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-MLIT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(e) Verification of simulated A-Sign2 EE signature data

(i) Test case name

MLIT.Asign.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MLIT CA)	None	2001600	2001600	None
<Cross-certification certificate>	(simulated BCA)	2001601	2001602	2001601	None
<Cross-certification certificate>	(simulated A-Sign2 CA)	2001603	2001604	2001603	None
<signing certificate>	(simulated A-Sign2 EE)	2001699	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-MLIT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(f) Verification of simulated G-ID EE signature data

(i) Test case name

MLIT.GID.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MLIT CA)	None	2001700	2001700	None
<Cross-certification certificate>	(simulated BCA)	2001701	2001702	2001701	None
<Cross-certification certificate>	(simulated G-ID CA)	2001703	2001704	2001703	None
<signing certificate>	(simulated G-ID EE)	2001799	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-MLIT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(g) Verification of simulated commercial registration EE signature data

(i) Test case name

MLIT.CR.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MLIT CA)	None	2001800	2001800	None
<Cross-certification certificate>	(simulated BCA)	2001801	2001802	2001801	None
<Cross-certification certificate>	(simulated commercial registration CA)	2001803	2001804	None	18
<signing certificate>	(simulated commercial registration EE)	2001899	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-MLIT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(4) When simulated A-Sign2 serves as trust anchor

(i) Test category

GPKI Simulation Test

(ii) Test objective

Confirm whether simulated A-Sign2 EE can verify simulated METI EE signature data.

(iii) Test case references

GPKI Cross-Certification Standard http://www.gpki.go.jp/cross/index.html

GPKI Cross-Certification Test http://www.gpki.go.jp/ <not confirmed>

(iv) Test keywords

GPKI, A-Sign2, hierarchy

(b) Verification of simulated METI certificate authority EE signature data

(i) Test case name

Asign.METI.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated A-Sign2 CA)	None	2001900	2001900	None
<Cross-certification certificate>	(simulated BCA)	2001901	2001902	2001901	None
<Cross-certification certificate>	(simulated METI RootCA)	2001903	2001904	2001903	None
<Cross-certification certificate>	(simulated METI SubCA)	2001905	None	2001905	None
<signing certificate>	(simulated METI EE)	2001999	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-Asign1>,<policy-Asign2>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(c) Verification of simulated MPHPT certificate authority EE signature data

(i) Test case name

Asign.MPHPT.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated A-Sign2 CA)	None	2002000	2002000	None
<Cross-certification certificate>	(simulated BCA)	2002001	2002002	2002001	None
<Cross-certification certificate>	(simulated MPHPT CA)	2002003	2002004	2002003	None
<signing certificate>	(simulated MPHPT EE)	2002099	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-Asign1>,<policy-Asign2>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) Verification of simulated MLIT certificate authority EE signature data

(i) Test case name

Asign.MLIT.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated A-Sign2 CA)	None	2002100	2002100	None
<Cross-certification certificate>	(simulated BCA)	2002101	2002102	2002101	None
<Cross-certification certificate>	(simulated MLIT CA)	2002103	2002104	2002103	None
<signing certificate>	(simulated MLIT EE)	2002199	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-Asign1>,<policy-Asign2>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(5) When simulated G-ID serves as trust anchor

(i) Test category

GPKI Simulation Test

(ii) Test objective

Confirm whether simulated GID EE can verify simulated METI EE signature data.

(iii) Test case references

GPKI Cross-Certification Standard http://www.gpki.go.jp/cross/index.html

GPKI Cross-Certification Test http://www.gpki.go.jp/ <not confirmed>

(iv) Test keywords

GPKI, G-ID, GID, hierarchy

(b) Verification of simulated METI certificate authority EE signature data

(i) Test case name

GID.METI.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated G-ID CA)	None	2002200	2002200	None
<Cross-certification certificate>	(simulated BCA)	2002201	2002202	2002201	None
<Cross-certification certificate>	(simulated METI RootCA)	2002203	2002204	2002203	None
<Cross-certification certificate>	(simulated METI SubCA)	2002205	None	2002205	None
<signing certificate>	(simulated METI EE)	2002299	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-GID>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(c) Verification of simulated MPHPT certificate authority EE signature data

(i) Test case name

GID.MPHPT.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated G-ID CA)	None	2002300	2002300	None
<Cross-certification certificate>	(simulated BCA)	2002301	2002302	2002301	None
<Cross-certification certificate>	(simulated MPHPT CA)	2002303	2002304	2002303	None
<signing certificate>	(simulated MPHPT EE)	2002399	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-GID>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) Verification of simulated MLIT certificate authority EE signature data

(i) Test case name

GID.MLIT.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated G-ID CA)	None	2002400	2002400	None
<Cross-certification certificate>	(simulated BCA)	2002401	2002402	2002401	None
<Cross-certification certificate>	(simulated MLIT CA)	2002403	2002404	2002403	None
<signing certificate>	(simulated MLIT EE)	2002499	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-GID>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(6) When simulated commercial registration certificate authority serves as trust anchor

(i) Test category

GPKI Simulation Test

(ii) Test objective

Confirm whether simulated commercial registration EE can verify simulated METI EE signature data.

(iii) Test case references

GPKI Cross-Certification Standard http://www.gpki.go.jp/cross/index.html

GPKI Cross-Certification Test http://www.gpki.go.jp/ <not confirmed>

(iv) Test keywords

GPKI, commercial registration, CR, hierarchy

(b) Verification of simulated METI certificate authority EE signature data

(i) Test case name

CR.METI.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated commercial registration CA)	None	2002500	None	25
<Cross-certification certificate>	(simulated BCA)	2002501	2002502	2002501	None
<Cross-certification certificate>	(simulated METI RootCA)	2002503	2002504	2002503	None
<Cross-certification certificate>	(simulated METI SubCA)	2002505	None	2002505	None
<signing certificate>	(simulated METI EE)	2002599	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-CR>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(c) Verification of simulated MPHPT certificate authority EE signature data

(i) Test case name

CR.MPHPT.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated commercial registration CA)	None	2002600	None	26
<Cross-certification certificate>	(simulated BCA)	2002601	2002602	2002601	None
<Cross-certification certificate>	(simulated MPHPT CA)	2002603	2002604	2002603	None
<signing certificate>	(simulated MPHPT EE)	2002699	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-CR>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) Verification of simulated MLIT certificate authority EE signature data

(i) Test case name

CR.MLIT.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated commercial registration CA)	None	2002700	None	27
<Cross-certification certificate>	(simulated BCA)	2002701	2002702	2002701	None
<Cross-certification certificate>	(simulated MLIT CA)	2002703	2002704	2002703	None
<signing certificate>	(simulated MLIT EE)	2002799	None	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy	<policy-CR>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

2.3.2 Revoked EE certificates

Signer (signature data )		Government Signer			Private Signer
Signature Verifier and Trust Anchor		simulated METI EE	simulated MPHPT EE	simulated MLIT EE	simulated A-Sign2	simulated G-ID	simulated Commercial registration EE
Gov'tRP	simulated METI certificate authority	METI.METI.RVK.01	METI.MPHPT.RVK.01	METI.MLIT.RVK.01	METI.Asign.RVK.01	METI.GID.RVK.01	METI.CR.RVK.01
	simulated MPHPT certificate authority	MPHPT.METI.RVK.01	MPHPT.MPHPT.RVK.01	MPHPT.MLIT.RVK.01	MPHPT.Asign.RVK.01	MPHPT.GID.RVK.01	MPHPT.CR.RVK.01
	simulated MLIT certificate authority	MLIT.METI.RVK.01	MLIT.MPHPT.RVK.01	MLIT.MLIT.RVK.01	MLIT.Asign.RVK.01	MLIT.GID.RVK.01	MLIT.CR.RVK.01
private RP	simulated A-Sign2	Asign.METI.RVK.01	Asign.MPHPT.RVK.01	Asign.MLIT.RVK.01
	simulated G-ID	GID.METI.RVK.01	GID.MPHPT.RVK.01	GID.MLIT.RVK.01
	simulated commercial registration certificate authority	CR.METI.RVK.01	CR.MPHPT.RVK.01	CR.MLIT.RVK.01

(1) When simulated METI RootCA serves as trust anchor

(i) Test category

GPKI Simulation Test

(ii) Test objective

Confirm whether simulated METI EE can perform revocation verification on revoked signature data.

(iii) Test case references

GPKI Cross-Certification Standard http://www.gpki.go.jp/cross/index.html

GPKI Cross-Certification Test http://www.gpki.go.jp/ <not confirmed>

(iv) Test keywords

GPKI, Ministry of Economy, Trade and Industry , METI, hierarchy

(b) Verification of simulated METI certificate authority EE signature data

(i) Test case name

METI.METI.RVK.01

(ii) Certification Path

Certification Path	subject	Intermediate Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated METI RootCA)	None	2002800	2002800	None
<Cross-certification certificate>	(simulated METI SubCA)	2002801	None	2002801	None
<signing certificate>	(simulated METI EE)	2002899	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-METI>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	True
init-any-policy-inhibit	default(false)

(c) Verification of simulated MPHPT certificate authority EE signature data

(i) Test case name

METI.MPHPT.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated METI RootCA)	None	2002900	2002900	None
<Cross-certification certificate>	(simulated BCA)	2002901	2002902	2002901	None
<Cross-certification certificate>	(simulated MPHPT CA)	2002903	2002904	2002903	None
<signing certificate>	(simulated MPHPT EE)	2002999	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-METI>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) Verification of simulated MLIT certificate authority EE signature data

(i) Test case name

METI.MLIT.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated METI RootCA)	None	2003000	2003000	None
<Cross-certification certificate>	(simulated BCA)	2003001	2003002	2003001	None
<Cross-certification certificate>	(simulated MLIT CA)	2003003	2003004	2003003	None
<signing certificate>	(simulated MLIT EE)	2003099	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-METI>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(e) Verification of simulated A-Sign2 EE signature data

(i) Test case name

METI.Asign.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated METI RootCA)	None	2003100	2003100	None
<Cross-certification certificate>	(simulated BCA)	2003101	2003102	2003101	None
<Cross-certification certificate>	(simulated A-Sign2 CA)	2003103	2003104	2003103	None
<signing certificate>	(simulated A-Sign2 EE)	2003199	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-METI>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(f) Verification of simulated G-ID EE signature data

(i) Test case name

METI.GID.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated METI RootCA)	None	2003200	2003200	None
<Cross-certification certificate>	(simulated BCA)	2003201	2003202	2003201	None
<Cross-certification certificate>	(simulated G-ID CA)	2003203	2003204	2003203	None
<signing certificate>	(simulated G-ID EE)	2003299	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-METI>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(g) Verification of simulated commercial registration EE signature data

(i) Test case name

METI.CR.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated METI RootCA)	None	2003300	2003300	None
<Cross-certification certificate>	(simulated BCA)	2003301	2003302	2003301	None
<Cross-certification certificate>	(simulated commercial registration CA)	2003303	2003304	None	33
<signing certificate>	(simulated commercial registration EE)	2003399	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-METI>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(2) When simulated MPHPT certificate authority serves as trust anchor

(i) Test category

GPKI Simulation Test

(ii) Test objective

Confirm whether simulated MPHPT EE can perform revocation verification on revoked signature data.

(iii) Test case references

GPKI Cross-Certification Standard http://www.gpki.go.jp/cross/index.html

GPKI Cross-Certification Test http://www.gpki.go.jp/ <not confirmed>

(iv) Test keywords

GPKI, Ministry of Public Management, Home Affairs, Posts and Telecommunications, MPHPT, hierarchy

(b) Verification of simulated METI certificate authority EE signature data

(i) Test case name

MPHPT.METI.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MPHPT CA)	None	2003400	2003400	None
<Cross-certification certificate>	(simulated BCA)	2003401	2003402	2003401	None
<Cross-certification certificate>	(simulated METI RootCA)	2003403	2003404	2003403	None
<Cross-certification certificate>	(simulated METI SubCA)	2003405	None	2003405	None
<signing certificate>	(simulated METI EE)	2003499	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MPHPT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(c) Verification of simulated MPHPT certificate authority EE signature data

(i) Test case name

MPHPT.MPHPT.RVK.01

(ii) Certification Path

Certification Path

subject

Cross-Certification

Certificate #

Self-Signed

Certificate #

CRL#

OCSP#

(simulated MPHPT CA)

None

2003500

None

(simulated MPHPT EE)

2003599

None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MPHPT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) Verification of simulated MLIT certificate authority EE signature data

(i) Test case name

MPHPT.MLIT.OK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MPHPT CA)	None	2003600	2003600	None
<Cross-certification certificate>	(simulated BCA)	2003601	2003602	2003601	None
<Cross-certification certificate>	(simulated MLIT CA)	2003603	2003604	2003603	None
<signing certificate>	(simulated MLIT EE)	2003699	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MPHPT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(e) Verification of simulated A-Sign2 EE signature data

(i) Test case name

MPHPT.Asign.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MPHPT CA)	None	2003700	2003700	None
<Cross-certification certificate>	(simulated BCA)	2003701	2003702	2003701	None
<Cross-certification certificate>	(simulated A-Sign2 CA)	2003703	2003704	2003703	None
<signing certificate>	(simulated A-Sign2 EE)	2003799	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MPHPT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(f) Verification of simulated G-ID EE signature data

(i) Test case name

MPHPT.GID.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MPHPT CA)	None	2003800	2003800	None
<Cross-certification certificate>	(simulated BCA)	2003801	2003802	2003801	None
<Cross-certification certificate>	(simulated G-ID CA)	2003803	2003804	2003803	None
<signing certificate>	(simulated G-ID EE)	2003899	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MPHPT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(g) Verification of simulated commercial registration EE signature data

(i) Test case name

MPHPT.CR.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MPHPT CA)	None	2003900	2003900	None
<Cross-certification certificate>	(simulated BCA)	2003901	2003902	2003901	None
<Cross-certification certificate>	(simulated commercial registration CA)	2003903	2003904	None	39
<signing certificate>	(simulated commercial registration EE)	2003999	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MPHPT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(3) When simulated MLIT certificate authority serves as trust anchor

(i) Test category

GPKI Simulation Test

(ii) Test objective

Confirm whether simulated MLIT EE can verify simulated METI EE signature data.

(iii) Test case references

GPKI Cross-Certification Standard http://www.gpki.go.jp/cross/index.html

GPKI Cross-Certification Test http://www.gpki.go.jp/ <not confirmed>

(iv) Test keywords

GPKI, Ministry of Land, Infrastructure and Transport, MLIT, hierarchy

(b) Verification of simulated METI certificate authority EE signature data

(i) Test case name

MLIT.METI.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MLIT CA)	None	2004000	2004000	None
<Cross-certification certificate>	(simulated BCA)	2004001	2004002	2004001	None
<Cross-certification certificate>	(simulated METI RootCA)	2004003	2004004	2004003	None
<Cross-certification certificate>	(simulated METI SubCA)	2004005	None	2004005	None
<signing certificate>	(simulated METI EE)	2004099	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MLIT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(c) Verification of simulated MPHPT certificate authority EE signature data

(i) Test case name

MLIT.MPHPT.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MLIT CA)	None	2004100	2004100	None
<Cross-certification certificate>	(simulated BCA)	2004101	2004102	2004101	None
<Cross-certification certificate>	(simulated MPHPT CA)	2004103	2004104	2004103	None
<signing certificate>	(simulated MPHPT EE)	2004199	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MLIT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) Verification of simulated MLIT certificate authority EE signature data

(i) Test case name

MLIT.MLIT.RVK.01

(ii) Certification Path

Certification Path

subject

Cross-Certification

Certificate #

Self-Signed

Certificate #

CRL#

OCSP#

(simulated MLIT CA)

None

2004200

None

(simulated MLIT EE)

2004299

None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MLIT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(e) Verification of simulated A-Sign2 EE signature data

(i) Test case name

MLIT.Asign.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MLIT CA)	None	2004300	2004300	None
<Cross-certification certificate>	(simulated BCA)	2004301	2004302	2004301	None
<Cross-certification certificate>	(simulated A-Sign2 CA)	2004303	2004304	2004303	None
<signing certificate>	(simulated A-Sign2 EE)	2004399	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MLIT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(f) Verification of simulated G-ID EE signature data

(i) Test case name

MLIT.GID.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MLIT CA)	None	2004400	2004400	None
<Cross-certification certificate>	(simulated BCA)	2004401	2004402	2004401	None
<Cross-certification certificate>	(simulated G-ID CA)	2004403	2004404	2004403	None
<signing certificate>	(simulated G-ID EE)	2004499	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MLIT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(g) Verification of simulated commercial registration EE signature data

(i) Test case name

MLIT.CR.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MLIT CA)	None	2004500	2004500	None
<Cross-certification certificate>	(simulated BCA)	2004501	2004502	2004501	None
<Cross-certification certificate>	(simulated commercial registration CA)	2004503	2004504	None	45
<signing certificate>	(simulated commercial registration EE)	2004599	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MLIT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(4) When simulated A-Sign2 serves as trust anchor

(i) Test category

GPKI Simulation Test

(ii) Test objective

Confirm whether simulated A-Sign2 EE can verify simulated METI EE signature data.

(iii) Test case references

GPKI Cross-Certification Standard http://www.gpki.go.jp/cross/index.html

GPKI Cross-Certification Test http://www.gpki.go.jp/ <not confirmed>

(iv) Test keywords

GPKI,A-Sign2,hierarchy

(b) Verification of simulated METI certificate authority EE signature data

(i) Test case name

Asign.METI.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated A-Sign2 CA)	None	2004600	2004600	None
<Cross-certification certificate>	(simulated BCA)	2004601	2004602	2004601	None
<Cross-certification certificate>	(simulated METI RootCA)	2004603	2004604	2004603	None
<Cross-certification certificate>	(simulated METI SubCA)	2004605	None	2004605	None
<signing certificate>	(simulated METI EE)	2004699	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-Asign1>,<policy-Asign2>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(c) Verification of simulated MPHPT certificate authority EE signature data

(i) Test case name

Asign.MPHPT.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated A-Sign2 CA)	None	2004700	2004700	None
<Cross-certification certificate>	(simulated BCA)	2004701	2004702	2004701	None
<Cross-certification certificate>	(simulated MPHPT CA)	2004703	2004704	2004703	None
<signing certificate>	(simulated MPHPT EE)	2004799	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-Asign1>,<policy-Asign2>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) Verification of simulated MLIT certificate authority EE signature data

(i) Test case name

Asign.MLIT.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated A-Sign2 CA)	None	2004800	2004800	None
<Cross-certification certificate>	(simulated BCA)	2004801	2004802	2004801	None
<Cross-certification certificate>	(simulated MLIT CA)	2004803	2004804	2004803	None
<signing certificate>	(simulated MLIT EE)	2004899	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-Asign1>,<policy-Asign2>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(5) When simulated G-ID serves as trust anchor

(i) Test category

GPKI Simulation Test

(ii) Test objective

Confirm whether simulated GID EE can perform revocation verification on revoked signature data.

(iii) Test case references

GPKI Cross-Certification Standard http://www.gpki.go.jp/cross/index.html

GPKI Cross-Certification Test http://www.gpki.go.jp/ <not confirmed>

(iv) Test keywords

GPKI, G-ID, GID, hierarchy

(b) Verification of simulated METI certificate authority EE signature data

(i) Test case name

GID.METI.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated G-ID CA)	None	2004900	2004900	None
<Cross-certification certificate>	(simulated BCA)	2004901	2004902	2004901	None
<Cross-certification certificate>	(simulated METI RootCA)	2004903	2004904	2004903	None
<Cross-certification certificate>	(simulated METI SubCA)	2004905	None	2004905	None
<signing certificate>	(simulated METI EE)	2004999	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-GID>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(c) Verification of simulated MPHPT certificate authority EE signature data

(i) Test case name

GID.MPHPT.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated G-ID CA)	None	2005000	2005000	None
<Cross-certification certificate>	(simulated BCA)	2005001	2005002	2005001	None
<Cross-certification certificate>	(simulated MPHPT CA)	2005003	2005004	2005003	None
<signing certificate>	(simulated MPHPT EE)	2005099	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-GID>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) Verification of simulated MLIT certificate authority EE signature data

(i) Test case name

GID.MLIT.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated G-ID CA)	None	2005100	2005100	None
<Cross-certification certificate>	(simulated BCA)	2005101	2005102	2005101	None
<Cross-certification certificate>	(simulated MLIT CA)	2005103	2005104	2005103	None
<signing certificate>	(simulated MLIT EE)	2005199	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-GID>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(6) When simulated commercial registration certificate authority serves as trust anchor

(i) Test category

GPKI Simulation Test

(ii) Test objective

Confirm whether simulated commercial registration EE can perform revocation verification on revoked EE signature data

(iii) Test case references

GPKI Cross-Certification Standard http://www.gpki.go.jp/cross/index.html

GPKI Cross-Certification Test http://www.gpki.go.jp/ <not confirmed>

(iv) Test keywords

GPKI, commercial registration, CR, hierarchy

(b) Verification of simulated METI certificate authority EE signature data

(i) Test case name

CR.METI.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated commercial registration CA)	None	2005200	None	52
<Cross-certification certificate>	(simulated BCA)	2005201	2005202	2005201	None
<Cross-certification certificate>	(simulated METI RootCA)	2005203	2005204	2005203	None
<Cross-certification certificate>	(simulated METI SubCA)	2005205	None	2005205	None
<signing certificate>	(simulated METI EE)	2005299	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-CR>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(c) Verification of simulated MPHPT certificate authority EE signature data

(i) Test case name

CR.MPHPT.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated commercial registration CA)	None	2005300	None	53
<Cross-certification certificate>	(simulated BCA)	2005301	2005302	2005301	None
<Cross-certification certificate>	(simulated MPHPT CA)	2005303	2005304	2005303	None
<signing certificate>	(simulated MPHPT EE)	2005399	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-CR>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) Verification of simulated MLIT certificate authority EE signature data

(i) Test case name

CR.MLIT.RVK.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated commercial registration CA)	None	2005400	None	54
<Cross-certification certificate>	(simulated BCA)	2005401	2005402	2005401	None
<Cross-certification certificate>	(simulated MLIT CA)	2005403	2005404	2005403	None
<signing certificate>	(simulated MLIT EE)	2005499	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-CR>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

2.3.3 Expired EE certificates

Signer (signature data )		Government Signer			Private Signer
Signature Verifier and Trust Anchor		simulated METI EE	simulated MPHPT EE	simulated MLIT EE	simulated A-Sign2	simulated G-ID	simulated commercial registration EE
Gov't RP	Simulated METI certificate authority	METI.METI.EXPR.01	METI.MPHPT.EXPR.01	METI.MLIT.EXPR.01	METI.Asign.EXPR.01	METI.GID.EXPR.01	METI.CR.EXPR.01
	simulated MPHPT certificate authority	MPHPT.METI.EXPR.01	MPHPT.MPHPT.EXPR.01	MPHPT.MLIT.EXPR.01	MPHPT.Asign.EXPR.01	MPHPT.GID.EXPR.01	MPHPT.CR.EXPR.01
	simulated MLIT certificate authority	MLIT.METI.EXPR.01	MLIT.MPHPT.EXPR.01	MLIT.MLIT.EXPR.01	MLIT.Asign.EXPR.01	MLIT.GID.EXPR.01	MLIT.CR.EXPR.01
private RP	simulated A-Sign2	Asign.METI.EXPR.01	Asign.MPHPT.EXPR.01	Asign.MLIT.EXPR.01
	simulated G-ID	GID.METI.EXPR.01	GID.MPHPT.EXPR.01	GID.MLIT.EXPR.01
	simulated commercial registration certificate authority	CR.METI.EXPR.01	CR.MPHPT.EXPR.01	CR.MLIT.EXPR.01

(1) When simulated METI RootCA serves as trust anchor

(i) Test category

GPKI Simulation Test

(ii) Test objective

Confirm whether simulated METI EE can perform revocation verification on expired EE signature data.

(iii) Test case references

GPKI Cross-Certification Standard http://www.gpki.go.jp/cross/index.html

GPKI Cross-Certification Test http://www.gpki.go.jp/<not confirmed>

(iv) Test keywords

GPKI, Ministry of Economy, Trade and Industry , METI, hierarchy

(b) Verification of simulated METI certificate authority EE signature data

(i) Test case name

METI.METI.EXPR.01

(ii) Certification Path

Certification Path	subject	Intermediate Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated METI RootCA)	None	2005500	2005500	None
<Cross-certification certificate>	(simulated METI SubCA)	2005501	None	2005501	None
<signing certificate>	(simulated METI EE)	2005599	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-METI>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(c) Verification of simulated MPHPT certificate authority EE signature data

(i) Test case name

METI.MPHPT.EXPR.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated METI RootCA)	None	2005600	2005600	None
<Cross-certification certificate>	(simulated BCA)	2005601	2005602	2005601	None
<Cross-certification certificate>	(simulated MPHPT CA)	2005603	2005604	2005603	None
<signing certificate>	(simulated MPHPT EE)	2005699	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-METI>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) Verification of simulated MLIT certificate authority EE signature data

(i) Test case name

METI.MLIT.EXPR.01

(ii) Certification Path

Certification Path	subject	Cross-Certification Certificate #	Self-Signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated METI RootCA)	None	2005700	2005700	None
<Cross-certification certificate>	(simulated BCA)	2005701	2005702	2005701	None
<Cross-certification certificate>	(simulated MLIT CA)	2005703	2005704	2005703	None
<signing certificate>	(simulated MLIT EE)	2005799	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-METI>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(e) Verification of simulated A-Sign2 EE signature data

(i) Test case name

METI.Asign.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated METI RootCA)	None	2005800	2005800	None
<Cross-certification certificate>	(simulated BCA)	2005801	2005802	2005801	None
<Cross-certification certificate>	(simulated A-Sign2 CA)	2005803	2005804	2005803	None
<Signing certificate>	(simulated A-Sign2 EE)	2005899	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-METI>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(f) Verification of simulated G-ID EE signature data

(i) Test case name

METI.GID.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated METI RootCA)	None	2005900	2005900	None
<Cross-certification certificate>	(simulated BCA)	2005901	2005902	2005901	None
<Cross-certification certificate>	(simulated G-ID CA)	2005903	2005904	2005903	None
<Signing certificate>	(simulated G-ID EE)	2005999	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-METI>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(g) Verification of simulated commercial registration EE signature data

(i) Test case name

METI.CR.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated METI RootCA)	None	2006000	2006000	None
<Cross-certification certificate>	(simulated BCA)	2006001	2006002	2006001	None
<Cross-certification certificate>	(simulated commercial registration CA)	2006003	2006004	None	60
<Signing certificate>	(simulated commercial registration EE)	2006099	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-METI>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(2) When simulated MPHPT certificate authority serves as trust anchor

(i) Test category

GPKI Simulation Test

(ii) Test objective

Confirm whether a simulated MPHPT EE can perform verification of expired simulated METI EE signature data.

(iii) Test case references

GPKI Cross-certification Standard http://www.gpki.go.jp/cross/index.html

GPKI Cross-certification Test http://www.gpki.go.jp/ <not confirmed>

(iv) Test keywords

GPKI, Ministry of Public Management, Home Affairs, Posts and Telecommunications, MPHPT, hierarchy

(b) Verification of simulated METI certificate authority EE signature data

(i) Test case name

MPHPT.METI.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MPHPTCA)	None	2006100	2006100	None
<Cross-certification certificate>	(simulated BCA)	2006101	2006102	2006101	None
<Cross-certification certificate>	(simulated METI RootCA)	2006103	2006104	2006103	None
<Cross-certification certificate>	(simulated METI SubCA)	2006105	None	2006105	None
<Signing certificate>	(simulated METI EE)	2006199	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MPHPT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(c) Verification of simulated MPHPT certificate authority EE signature data

(i) Test case name

MPHPT.MPHPT.EXPR.01

(ii) Certification path

Certification path

subject

Cross-certification

Certificate #

Self-signed

Certificate #

CRL#

OCSP#

(simulated MPHPT CA)

None

2006200

None

(simulated MPHPT EE)

2006299

None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MPHPT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) Verification of simulated MLIT certificate authority EE signature data

(i) Test case name

MPHPT.MLIT.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MPHPT CA)	None	2006300	2006300	None
<Cross-certification certificate>	(simulated BCA)	2006301	2006302	2006301	None
<Cross-certification certificate>	(simulated MLIT CA)	2006303	2006304	2006303	None
<Signing certificate>	(simulated MLIT EE)	2006399	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MPHPT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(e) Verification of simulated A-Sign2 EE signature data

(i) Test case name

MPHPT.Asign.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MPHPT CA)	None	2006400	2006400	None
<Cross-certification certificate>	(simulated BCA)	2006401	2006402	2006401	None
<Cross-certification certificate>	(simulated A-Sign2 CA)	2006403	2006404	2006403	None
<Signing certificate>	(simulated A-Sign2 EE)	2006499	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MPHPT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(f) Verification of simulated G-ID EE signature data

(i) Test case name

MPHPT.GID.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MPHPT CA)	None	2006500	2006500	None
<Cross-certification certificate>	(simulated BCA)	2006501	2006502	2006501	None
<Cross-certification certificate>	(simulated G-ID CA)	2006503	2006504	2006503	None
<Signing certificate>	(simulated G-ID EE)	2006599	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MPHPT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(g) Verification of simulated commercial registration EE signature data

(i) Test case name

MPHPT.CR.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MPHPT CA)	None	2006600	2006600	None
<Cross-certification certificate>	(simulated BCA)	2006601	2006602	2006601	None
<Cross-certification certificate>	(simulated commercial registration CA)	2006603	2006604	None	66
<Signing certificate>	(simulated commercial registration EE)	2006699	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MPHPT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(3) When simulated MLIT certificate authority serves as trust anchor

(i) Test category

GPKI Simulation Test

(ii) Test objective

Confirm whether a simulated MLIT EE can perform verification of expired simulated METI EE signature data.

(iii) Test case references

GPKI Cross-certification Standard http://www.gpki.go.jp/cross/index.html

GPKI Cross-certification Test http://www.gpki.go.jp/ <not confirmed>

(iv) Test keywords

GPKI, Ministry of Land, Infrastructure and Transport, MLIT, hierarchy

(b) Verification of simulated METI certificate authority EE signature data

(i) Test case name

MLIT.METI.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MLIT CA)	None	2006700	2006700	None
<Cross-certification certificate>	(simulated BCA)	2006701	2006702	2006701	None
<Cross-certification certificate>	(simulated METI RootCA)	2006703	2006704	2006703	None
<Cross-certification certificate>	(simulated METI SubCA)	2006705	None	2006705	None
<Signing certificate>	(simulated METI EE)	2006799	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MLIT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(c) Verification of simulated MPHPT certificate authority EE signature data

(i) Test case name

MLIT.MPHPT.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MLIT CA)	None	2006800	2006800	None
<Cross-certification certificate>	(simulated BCA)	2006801	2006802	2006801	None
<Cross-certification certificate>	(simulated MPHPT CA)	2006803	2006804	2006803	None
<Signing certificate>	(simulated MPHPT EE)	2006899	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MLIT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) Verification of simulated MLIT certificate authority EE signature data

(i) Test case name

MLIT.MLIT.EXPR.01

(ii) Certification path

Certification path

subject

Cross-certification

Certificate #

Self-signed

Certificate #

CRL#

OCSP#

(simulated MLIT CA)

None

2006900

None

(simulated MLIT EE)

2006999

None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MLIT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(e) Verification of simulated A-Sign2 EE signature data

(i) Test case name

MLIT.Asign.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MLIT CA)	None	2007000	2007000	None
<Cross-certification certificate>	(simulated BCA)	2007001	2007002	2007001	None
<Cross-certification certificate>	(simulated A-Sign2 CA)	2007003	2007004	2007003	None
<Signing certificate>	(simulated A-Sign2 EE)	2007099	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MLIT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(f) Verification of simulated G-ID EE signature data

(i) Test case name

MLIT.GID.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MLIT CA)	None	2007100	2007100	None
<Cross-certification certificate>	(simulated BCA)	2007101	2007102	2007101	None
<Cross-certification certificate>	(simulated G-ID CA)	2007103	2007104	2007103	None
<Signing certificate>	(simulated G-ID EE)	2007199	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MLIT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(g) Verification of simulated commercial registration EE signature data

(i) Test case name

MLIT.CR.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated MLIT CA)	None	2007200	2007200	None
<Cross-certification certificate>	(simulated BCA)	2007201	2007202	2007201	None
<Cross-certification certificate>	(simulated commercial registration CA)	2007203	2007204	None	72
<Signing certificate>	(simulated commercial registration EE)	2007299	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-MLIT>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(4) When simulated A-Sign2 serves as trust anchor

(i) Test category

GPKI Simulation Test

(ii) Test objective

Confirm whether a simulated A-Sign2 EE can perform verification of expired simulated METI EE signature data.

(iii) Test case references

GPKI Cross-certification Standard http://www.gpki.go.jp/cross/index.html

GPKI Cross-certification Test http://www.gpki.go.jp/ <not confirmed>

(iv) Test keywords

GPKI, A-Sign2, hierarchy

(b) Verification of simulated METI certificate authority EE signature data

(i) Test case name

Asign.METI.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated A-Sign2 CA)	None	2007300	2007300	None
<Cross-certification certificate>	(simulated BCA)	2007301	2007302	2007301	None
<Cross-certification certificate>	(simulated METI RootCA)	2007303	2007304	2007303	None
<Cross-certification certificate>	(simulated METI SubCA)	2007305	None	2007305	None
<Signing certificate>	(simulated METI EE)	2007399	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-Asign1>,<policy-Asign2>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(c) Verification of simulated MPHPT certificate authority EE signature data

(i) Test case name

Asign.MPHPT.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated A-Sign2 CA)	None	2007400	2007400	None
<Cross-certification certificate>	(simulated BCA)	2007401	2007402	2007401	None
<Cross-certification certificate>	(simulated MPHPT CA)	2007403	2007404	2007403	None
<Signing certificate>	(simulated MPHPT EE)	2007499	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-Asign1>,<policy-Asign2>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) Verification of simulated MLIT certificate authority EE signature data

(i) Test case name

Asign.MLIT.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated A-Sign2 CA)	None	2007500	2007500	None
<Cross-certification certificate>	(simulated BCA)	2007501	2007502	2007501	None
<Cross-certification certificate>	(simulated MLIT CA)	2007503	2007504	2007503	None
<Signing certificate>	(simulated MLIT EE)	2007599	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-Asign1>,<policy-Asign2>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(5) When simulated G-ID serves as trust anchor

(i) Test category

GPKI Simulation Test

(ii) Test objective

Confirm whether a simulated GID EE can perform verification of expired simulated METI EE signature data.

(iii) Test case references

GPKI Cross-certification Standard http://www.gpki.go.jp/cross/index.html

GPKI Cross-certification Test http://www.gpki.go.jp/ <not confirmed>

(iv) Test keywords

GPKI,G-ID,GID, hierarchy

(b) Verification of simulated METI certificate authority EE signature data

(i) Test case name

GID.METI.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated G-ID CA)	None	2007600	2007600	None
<Cross-certification certificate>	(simulated BCA)	2007601	2007602	2007601	None
<Cross-certification certificate>	(simulated METI RootCA)	2007603	2007604	2007603	None
<Cross-certification certificate>	(simulated METI SubCA)	2007605	None	2007605	None
<Signing certificate>	(simulated METI EE)	2007699	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-GID>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(c) Verification of simulated MPHPT certificate authority EE signature data

(i) Test case name

GID.MPHPT.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated G-ID CA)	None	2007700	2007700	None
<Cross-certification certificate>	(simulated BCA)	2007701	2007702	2007701	None
<Cross-certification certificate>	(simulated MPHPT CA)	2007703	2007704	2007703	None
<Signing certificate>	(simulated MPHPT EE)	2007799	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-GID>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) Verification of simulated MLIT certificate authority EE signature data

(i) Test case name

GID.MLIT.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated G-ID CA)	None	2007800	2007800	None
<Cross-certification certificate>	(simulated BCA)	2007801	2007802	2007801	None
<Cross-certification certificate>	(simulated MLIT CA)	2007803	2007804	2007803	None
<Signing certificate>	(simulated MLIT EE)	2007899	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-GID>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
Init-any-policy-inhibit	default(false)

(6) When simulated commercial registration certificate authority serves as trust anchor

(i) Test category

GPKI Simulation Test

(ii) Test objective

Confirm whether a simulated commercial registration EE can perform verification of expired simulated METI EE signature data.

(iii) Test case references

GPKI Cross-certification Standard http://www.gpki.go.jp/cross/index.html

GPKI Cross-certification Test http://www.gpki.go.jp/ <not confirmed>

(iv) Test keywords

GPKI, commercial registration, CR, hierarchy

(b) Verification of simulated METI certificate authority EE signature data

(i) Test case name

CR.METI.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated commercial registration CA)	None	2007900	None	79
<Cross-certification certificate>	(simulated BCA)	2007901	2007902	2007901	None
<Cross-certification certificate>	(simulated METI RootCA)	2007903	2007904	2007903	None
<Cross-certification certificate>	(simulated METI SubCA)	2007905	None	2007905	None
<Signing certificate>	(simulated METI EE)	2007999	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-CR>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(c) Verification of simulated MPHPT certificate authority EE signature data

(i) Test case name

CR.MPHPT.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated commercial registration CA)	None	2008000	None	80
<Cross-certification certificate>	(simulated BCA)	2008001	2008002	2008001	None
<Cross-certification certificate>	(simulated MPHPT CA)	2008003	2008004	2008003	None
<Signing certificate>	(simulated MPHPT EE)	2008099	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-CR>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) Verification of simulated MLIT certificate authority EE signature data

(i) Test case name

CR.MLIT.EXPR.01

(ii) Certification path

Certification path	subject	Cross-certification Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	(simulated commercial registration CA)	None	2008100	None	81
<Cross-certification certificate>	(simulated BCA)	2008101	2008102	2008101	None
<Cross-certification certificate>	(simulated MLIT CA)	2008103	2008104	2008103	None
<Signing certificate>	(simulated MLIT EE)	2008199	None	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy	<policy-CR>
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

3 NIST Test

3.1　 Test objectives

The following summarizes test cases and documents related to NIST DoD BCA interoperability testing.

X.509 Path Validation Test Suite

http://csrc.nist.gov/pki/testing/x509paths.html

This test case confirms compatibility based on test data similar to the test case above.

3.2　 Test case categories

(1) Requirement types

CP(certificate processing): (subscriber) certificate processing

IC(intermediate certificate processing): intermediate certificate processing

PP(policy processing): certificate policy processing

PL(path length): certification path length

RL(revocation list): revocation list

(2) Test case name

Test case names are assigned according to requirement type for each major and minor category.

(3) Test levels

Level 0: Test requirements not needed to be tested

Level 1: Test required for interoperability and security support

Level 2: Test to guarantee higher interoperability and security

Level 3: Test categories for application developers. Basically not needed as interoperability testing.

3.3　 Test cases

The following is a list of acceptance policies used for DoD/FPKI path verification tests.

Policy Code	Acceptance Policy OID
test-policy-1	0.2.392.200117.1.9.2002.1.2.16.840.1.101.3.1.48.1
test-policy-2	0.2.392.200117.1.9.2002.1.2.16.840.1.101.3.1.48.2
test-policy-3	0.2.392.200117.1.9.2002.1.2.16.840.1.101.3.1.48.3
test-policy-4	0.2.392.200117.1.9.2002.1.2.16.840.1.101.3.1.48.4
test-policy-5	0.2.392.200117.1.9.2002.1.2.16.840.1.101.3.1.48.5

3.3.1 CP

(1) CP.01

(a) Common categories

(i) Test category

DoD/FPKI path verification tests

(ii) Test objective

Perform verification of a certificate signature within a certificate path using a public key with higher precedence.

(iii) Test case references

[X.509 10.5.1]Check that the signature verifies

(iv) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, signature

(b) CP.01.01

(i) Test case name

CP.01.01 (1000100)

(ii) Certification path

Certification path 1000100

subject

intermediate

Certificate #

Self-signed

Certificate #

CRL#

Trust Anchor

None

1000100

User1-CP.01.01

1000199

None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(c) CP.01.02

(i) Test case name

CP.01.02 (1000200)

(ii) Certification path

Certification path 1000200	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1000200	1000200
<Cross-certification certificate>	CA1-CP.01.02	1000201	None	1000201
<Signing certificate>	User1-CP.01.02	1000299	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(d) CP.01.03

(i) Test case name

CP.01.03 (1000300)

(ii) Certification path

Certification path 1000300	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1000300	1000300
<Cross-certification certificate>	CA1-CP.01.03	1000301	None	1000301
<Signing certificate>	User1-CP.01.03	1003299	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(2) CP.02

(a) Common categories

(i) Test category

DoD/FPKI path verification tests

(ii) Test objective

Confirm whether validity start date for a certificate can be correctly verified.

(iii) Test case references

[X.509 10.5.1]"(Check that) that dates are valid"

(iv) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, Validity, notBefore

(b) CP.02.01

(i) Test case name

CP.02.01 (1000400)

(ii) Certification path

Certification path 1000400	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1000400	1000400
<Cross-certification certificate>	CA1-CP.02.01	1000401	None	1000401
<Cross-certification certificate>	CA2-CP.02.01	1000402	None	1000402
<Signing certificate>	User1-CP.01.02	1000499	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(c) CP.02.02

(i) Test case name

CP.02.02 (1000500)

(ii) Certification path

Certification path 1000500	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1000500	1000500
<Cross-certification certificate>	CA1-CP.02.02	1000501	None	1000501
<Signing certificate>	User1-CP.02.02	1000599	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(d) CP.02.03

(i) Test case name

CP.02.03 (1000600)

(ii) Certification path

Certification path 1000600	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1000600	1000600
<Cross-certification certificate>	CA1-CP.02.03	1000601	None	1000601
<Signing certificate>	User1-CP.02.03	1000699	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(e) CP.02.04

(i) Test case name

CP.02.04 (1000700)

(ii) Certification path

Certification path 1000700	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1000700	1000700
<Cross-certification certificate>	CA1-CP.02.04	1000701	None	1000701
<Signing certificate>	User1-CP.02.04	1000799	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iv) Additional test keywords

UTCTime

(f) CP.02.05

(i) Test case name

CP.02.05 (1000800)

(ii) Certification path

Certification path 1000800	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1000800	1000800
<Cross-certification certificate>	CA1-CP.02.05	1000801	None	1000801
<Signing certificate>	User1-CP.02.05	1000899	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iv) Additional test keywords

GeneralizedTime

(3) CP.03

(a) Common categories

(i) Test category

DoD/FPKI path verification tests

(ii) Test objective

Confirm whether validity end date for a certificate can be correctly verified.

(iii) Test case references

[X.509 10.5.1]"(Check that) that dates are valid"

(iv) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, Validity, notAfter

(b) CP.03.01

(i) Test case name

CP.03.01 (1000900)

(ii) Certification path

Certification path 1000900	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1000900	1000900
<Cross-certification certificate>	CA1-CP.3.01	1000901	None	1000901
<Signing certificate>	User1-CP.03.01	1000999	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(c) CP.03.02

(i) Test case name

CP.03.02 (1001000)

(ii) Certification path

Certification path 1001000	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1001000	1001000
<Cross-certification certificate>	CA1-CP.3.02	1001001	None	1001001
<Signing certificate>	User1-CP.03.02	1001099	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(d) CP.03.03

(i) Test case name

CP.03.03 (1001100)

(ii) Certification path

Certification path 1001100	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1001100	1001100
<Cross-certification certificate>	CA1-CP.3.03	1001101	None	1001101
<Signing certificate>	User1-CP.03.03	1001199	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iv) Additional test keywords

UTCTime

(e) CP.03.04

(i) Test case name

CP.03.04 (1001200)

(ii) Certification path

Certification path 1001200	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1001200	1001200
<Cross-certification certificate>	CA1-CP.3.04	1001201	None	1001201
<Signing certificate>	User1-CP.03.04	1001299	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iv) Additional test keywords

GeneralizedTime

(4) CP.04

(a) Common categories

(i) Test category

DoD/FPKI path verification tests

(ii) Test objective

Correctly check name chain. Confirm that certificate issuer name within certificate path matches subject name of precedent certificate.

(iii) Test case references

[X.509 10.5.1]"(Check) that the certificate subject and certificate issuer names chain correctly"

(iv) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, name

(b) CP.04.01

(i) Test case name

CP.04.01 (1001300)

(ii) Certification path

Certification path 1001300	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1001300	1001300
<Cross-certification certificate>	CA1-CP.04.01	1001301	None	1001301
<Signing certificate>	User1-CP.04.01	1001399	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(c) CP.04.02

(i) Test case name

CP.04.02 (1001400)

(ii) Certification path

Certification path 1001400	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1001400	1001400
<Cross-certification certificate>	CA1-CP.04.02	1001401	None	1001401
<Signing certificate>	User1-CP.04.02	1001499	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(d) CP.04.03

(i) Test case name

CP.04.03 (1001500)

(ii) Certification path

Certification path 1001500	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1001500	1001500
<Cross-certification certificate>	CA1-CP.04.03	1001501	None	1001501
<Signing certificate>	User1-CP.04.03	1001599	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(e) CP.04.04

(i) Test case name

CP.04.04 (1001600)

(ii) Certification path

Certification path 1001600	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1001600	1001600
<Cross-certification certificate>	CA1-CP.04.04	1001601	None	1001601
<Signing certificate>	User1-CP.04.04	1001699	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(f) CP.04.05

(i) Test case name

CP.04.05 (1001700)

(ii) Certification path

Certification path 1001700	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1001700	1001700
<Cross-certification certificate>	CA1-CP.04.05	1001701	None	1001701
<Signing certificate>	User1-CP.04.05	1001799	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(g) CP.04.06

(i) Test case name

CP.04.06 (1001800)

(ii) Certification path

Certification path 1001800	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1001800	1001800
<Cross-certification certificate>	CA1-CP.04.06	1001801	None	1001801
<Signing certificate>	User1-CP.04.06	1001899	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(5) CP.05

(a) Common categories

(i) Test category

DoD/FPKI path verification tests

(ii) Test objective

Acquire valid revocation data related to a certificate within the certificate path. Reject certificate path if valid revocation data cannot be acquired.

(iii) Test case references

[X.509 10.5.1]"(Check) that the certificate has not been revoked."

(iv) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, Revocation

(b) CP.05.01

(i) Test case name

CP.05.01 (1001900)

(ii) Certification path

Certification path 1001900	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1001900	1001900
<Cross-certification certificate>	CA1-CP.05.01	1001901	None	1001901
<Signing certificate>	User1-CP.05.01	1001999	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(6) CP.06

(a) Common categories

(i) Test category

DoD/FPKI path verification tests

(ii) Test objective

Reject certificate path if any certificate within the certificate path has been revoked.

(iii) Test case references

[X.509 10.5.1]"(Check) that the certificate has not been revoked."

(iv) Test keywords

NIST, X.510 Path Validation Test Suite, CP, Certificate Processing, Revocation

(b) CP.06.01

(i) Test case name

CP.06.01 (1002000)

(ii) Certification path

Certification path 1002000	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1002000	1002000
<Cross-certification certificate>	CA1-CP.06.01	1002001	None	1002001
<Signing certificate>	User1-CP.06.01	1002099	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(c) CP.06.02

(i) Test case name

CP.06.02 (1002100)

(ii) Certification path

Certification path 1002100	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1002100	1002100
<Cross-certification certificate>	CA1-CP.06.02	1002101	None	1002101
<Signing certificate>	User1-CP.06.02	1002199	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

3.3.2 IC

(1) IC.01

(a) Common categories

(i) Test category

DoD/FPKI path verification tests

(ii) Test objective

Determine whether a basicConstraints extension exists within an intermediate CA certificate within the certificate path.

(iii) Test case references

[X509 10.5.1]"For an intermediate certificate, if the basic constraints extension field is present in the certificate, check that the cA component is present and set to true."

[X509 8.4.2.1 NOTE 1]"If (the basic constraints) extension is not present, or is flagged non-critical and is not recognized by a certificate-using system, then the certificate is to be considered an end-entity certificate and cannot be used to verify certificate signatures."

(iv) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, basicConstraint

(b) IC.01.01

(i) Test case name

IC.01.01 (1002200)

(ii) Certification path

Certification path 1002200	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1002200	1002200
<Cross-certification certificate>	CA1-IC.01.01	1002201	None	1002201
<Signing certificate>	User1-IC.01.01	1002299	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(2) IC.02

(a) Common categories

(i) Test category

DoD/FPKI path verification tests

(ii) Test objective

Determine that basicConstraints extension exists and cA=true for all intermediate CA certificates within a certificate path.

(iii) Test case references

[X509 10.5.1]"For an intermediate certificate, if the basic constraints extension field is present in the certificate, check that the cA component is present and set to true."

(iv) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, basicConstraint

(b) IC.02.01

(i) Test case name

IC.02.01 (1002300)

(ii) Certification path

Certification path 1002300	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1002300	1002300
<Cross-certification certificate>	CA1-IC.02.01	1002301	None	1002301
<Signing certificate>	User1-IC.02.01	1002399	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(c) IC.02.02

(i) Test case name

IC.02.02 (1002400)

(ii) Certification path

Certification path 1002400	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1002400	1002400
<Cross-certification certificate>	CA1-IC.02.02	1002401	None	1002401
<Signing certificate>	User1-IC.02.02	1002499	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(d) IC.02.03

(i) Test case name

IC.02.03 (1002500)

(ii) Certification path

Certification path 1002500	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1002500	1002500
<Cross-certification certificate>	CA1-IC.02.03	1002501	None	1002501
<Signing certificate>	User1-IC.02.03	1002599	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(e) IC.02.04

(i) Test case name

IC.02.04 (1002600)

(ii) Certification path

Certification path 1002600	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1002600	1002600
<Cross-certification certificate>	CA1-IC.02.04	1002601	None	1002601
<Signing certificate>	User1-IC.02.04	1002699	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(3) IC.04

(a) Common categories

(i) Test category

DoD/FPKI path verification tests

(ii) Test objective

Confirm that the keyCertSign bit of keyUsage extension is ON, that basicConstraints extension exists, and that cA=true for an intermediate CA certificate within the certificate path.

(iii) Test case references

[X.509 8.2.2.3]"If KeyUsage is set to keyCertSign and the basic constraints extension is present in the same certificate, the value of the cA component of that extension shall be set to TRUE."

[X.509 8.2.2.3]" If [the keyUsage] extension is present, and the certificate-using system recognizes and processes the keyUsage extension type, then the certificate-using system shall ensure that the certificate shall be used only for a purpose for which the corresponding key usage bit is set to one."

(iv) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, basicConstraint, keyUsage, keyCertSign

(b) IC.04.01

(i) Test case name

IC.04.01 (1002700)

(ii) Certification path

Certification path 1002700	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1002700	1002700
<Cross-certification certificate>	CA1-IC.04.01	1002701	None	1002701
<Signing certificate>	User1-IC.04.01	1002799	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(4) IC.05

(a) Common categories

(i) Test category

DoD/FPKI path verification tests

(ii) Test objective

Determine that keyUsage extension exists, and keyCertSign bit is ON for an intermediate CA certificate within the certificate path.

(iii) Test case references

[X.509 8.2.2.3]"Bits in the KeyUsage type are as follows:… keyCertSign: for verifying a CA's signature on certificates; cRLSign: for verifying an authority's signature on CRLs…"

[X.509 8.2.2.3]"If the extension is flagged critical, then the certificate shall be used only for a purpose for which the corresponding key usage bit is set to one."

[X.509 8.2.2.3]"If the extension if flagged non-critical, then it indicates the intended purpose or purposes of the key, and may be used in finding the correct key/certificate of an entity that has multiple keys/certificates. If this extension is present, and the certificate-using system recognizes and processes the keyUsage extension type, then the certificate-using system shall ensure that the certificate shall be used only for a purpose for which the corresponding key usage bit is set to one. A bit set to zero indicates that the key is not intended for that purpose. If all bits are zero, it indicates the key is intended for some purpose other than those listed."

(iv) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, basicConstraint, keyUsage, keyCertSign

(b) IC.05.01

(i) Test case name

IC.05.01 (1002800)

(ii) Certification path

Certification path 1002800	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1002800	1002800
<Cross-certification certificate>	CA1-IC.05.01	1002801	None	1002801
<Signing certificate>	User1-IC.05.01	1002899	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(c) IC.05.02

(i) Test case name

IC.05.02 (1002900)

(ii) Certification path

Certification path 1002900	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1002900	1002900
<Cross-certification certificate>	CA1-IC.05.02	1002901	None	1002901
<Signing certificate>	User1-IC.05.02	1002999	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(d) IC.05.03

(i) Test case name

IC.05.03 (1003000)

(ii) Certification path

Certification path 1003000	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1003000	1003000
<Cross-certification certificate>	CA1-IC.05.03	1003001	None	1003001
<Signing certificate>	User1-IC.05.03	1003099	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(5) IC.06

(a) Common categories

(i) Test category

DoD/FPKI path verification tests

(ii) Test objective

Determine that keyUsage extension exists and that keyCRLSign bit is ON for a certificate when the intermediate CA in a certificate path is the signer of the CRL.

(iii) Test case references

[X.509 8.2.2.3]

(iv) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, keyUsage, keyCRLSign

(b) IC.06.01

(i) Test case name

IC.06.01 (1003100)

(ii) Certification path

Certification path 1003100	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1003100	1003100
<Cross-certification certificate>	CA1-IC.06.01	1003101	None	1003101
<Signing certificate>	User1-IC.06.01	1003199	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(c) IC.06.02

(i) Test case name

IC.06.02 (1003200)

(ii) Certification path

Certification path 1003200	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1003200	1003200
<Cross-certification certificate>	CA1-IC.06.02	1003201	None	1003201
<Signing certificate>	User1-IC.06.02	1003299	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(d) IC.06.03

(i) Test case name

IC.06.03 (1003300)

(ii) Certification path

Certification path 1003300	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1003300	1003300
<Cross-certification certificate>	CA1-IC.06.03	1003301	None	1003301
<Signing certificate>	User1-IC.06.03	1003399	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

3.3.3 PP

(1) PP.01

(a) Common categories

(i) Test category

DoD/FPKI path verification tests

(ii) Test objective

Correctly process policy settings constrained by CA.

(iii) Test case references

[X.509 10]

(iv) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, certificatePolicies

(b) PP.01.01

① Certification path

Certification path 1003400	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1003400	1003400
<Cross-certification certificate>	CA1-PP.01.01	1003401	None	1003401
<Signing certificate>	User1-PP.01.01	1003499	None	None

(ii) PP.01.01.00

① Test case name

PP.01.01.00 (1003400)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(iii) PP.01.01.01

① Test case name

PP.01.01.01 (1003401)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iv) PP.01.01.02

① Test case name

PP.01.01.02 (1003402)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(v) PP.01.01.03

① Test case name

PP.01.03 (1003403)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(vi) PP.01.01.04

① Test case name

PP.01.01.04 (1003404)

② Input values for path verification

Expected Value	1
Acceptance Policy	test-policy-2, test-policy-3
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(vii) PP.01.01.05

① Test case name

PP.01.01.05 (1003405)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-2, test-policy-3
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(c) PP.01.02

① Certification path

Certification path 1003500	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1003500	1003500
<Cross-certification certificate>	CA1-PP.01.02	1003501	None	1003501
<Signing certificate>	User1-PP.01.02	1003599	None	None

(ii) PP.01.02.00

① Test case name

PP.01.02.00 (1003500)

② Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iii) PP.01.02.01

① Test case name

PP.01.02.01 (1003501)

② Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) PP.01.03

① Certification path

Certification path 1003600	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1003600	1003600
<Cross-certification certificate>	CA1-PP.01.03	1003601	None	1003601
<Cross-certification certificate>	CA2-PP.01.03	1003602	None	1003602
<Signing certificate>	User1-PP.01.03	1003699	None	None

(ii) PP.01.03.00

① Test case name

PP.01.03.00 (1003600)

② Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iii) PP.01.03.01

① Test case name

PP.01.03.01 (1003601)

② Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(e) PP.01.04

① Certification path

Certification path 1003700	subject	intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1003700	1003700
<Cross-certification certificate>	CA1-PP.01.04	1003701	None	1003701
<Cross-certification certificate>	CA2-PP.01.04	1003702	None	1003702
<Signing certificate>	User1-PP.01.04	1003799	None	None

(ii) PP.01.04.00

① Test case name

PP.01.04.00 (1003700)

② Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iii) PP.01.04.01

① Test case name

PP.01.04.01 (1003701)

② Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(f) PP.01.05

① Certification path

Certification path 1003800	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1003800	1003800
<Cross-certification certificate>	CA1-PP.01.05	1003801	None	1003801
<Cross-certification certificate>	CA2-PP.01.05	1003802	None	1003802
<Signing certificate>	User1-PP.01.05	1003899	None	None

(ii) PP.01.05.00

① Test case name

PP.01.05.00 (1003800)

② Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iii) PP.01.05.01

① Test case name

PP.01.05.01 (1003801)

② Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(g) PP.01.06

① Certification path

Certification path 1003900	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1003900	1003900
<Cross-certification certificate>	CA1-PP.01.06	1003901	None	1003901
<Cross-certification certificate>	CA2-PP.01.06	1003902	None	1003902
<Cross-certification certificate>	CA3-PP.01.06	1003903	None	1003903
<Signing certificate>	CA4-PP.01.06	1003999	None	None

(ii) PP.01.06.00

① Test case name

PP.01.06.00 (1003900)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(iii) PP.01.06.01

① Test case name

PP.01.06.01 (1003901)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iv) PP.01.06.02

① Test case name

PP.01.06.02 (1003902)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1, test-policy-2
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(v) PP.01.06.03

① Test case name

PP.01.06.03 (1003903)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1, test-policy-2
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(vi) PP.01.06.04

① Test case name

PP.01.06.04 (1003904)

② Input values for path verification

Expected Value	1
Acceptance Policy	Test-policy-2, test-policy-3
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(vii) PP.01.06.05

① Test case name

PP.01.06.05 (1003905)

② Input values for path verification

Expected Value	0
Acceptance Policy	Test-policy-2, test-policy-3
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(h) PP.01.07

① Certification path

Certification path 1004000	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1004000	1004000
<Cross-certification certificate>	CA1-PP.01.07	1004001	None	1004001
<Cross-certification certificate>	CA2-PP.01.07	1004002	None	1004002
<Cross-certification certificate>	CA3-PP.01.07	1004003	None	1004003
<Signing certificate>	CA4-PP.01.07	1004099	None	None

(ii) PP.01.07.00

① Test case name

PP.01.07.00 (1004000)

② Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iii) PP.01.07.01

① Test case name

PP.01.07.01 (1004001)

② Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(i) PP.01.08

① Certification path

Certification path 1004100	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1004100	1004100
<Cross-certification certificate>	CA1-PP.01.08	1004101	None	1004101
<Cross-certification certificate>	CA2-PP.01.08	1004102	None	1004102
<Cross-certification certificate>	CA3-PP.01.08	1004103	None	1004103
<Signing certificate>	CA4-PP.01.08	1004199	None	None

(ii) PP.01.08.00

① Test case name

PP.01.08.00 (1004100)

② Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iii) PP.01.08.01

① Test case name

PP.01.08.01 (1004101)

② Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(j) PP.01.09

① Certification path

Certification path 1004200	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1004200	1004200
<Cross-certification certificate>	CA1-PP.01.09	1004201	None	1004201
<Cross-certification certificate>	CA2-PP.01.09	1004202	None	1004202
<Cross-certification certificate>	CA3-PP.01.09	1004203	None	1004203
<Cross-certification certificate>	CA4-PP.01.09	1004204	None	1004204
<Signing certificate>	User1-PP.01.09	1004299	None	None

(ii) PP.01.09.00

① Test case name

PP.01.09.00 (1004200)

② Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iii) PP.01.09.01

① Test case name

PP.01.09.01 (1004201)

② Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(2) PP.06

(a) Common categories

(i) Test category

DoD/FPKI path verification test

(ii) Test objective

Appropriately process explicit policy.

(iii) Test case references

[X.509 10]

(iv) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, certificatePolicies, requireExplicitPolicy

(b) PP.06.01

① Certification path

Certification path 1004300	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1004300	1004300
<Cross-certification certificate>	CA1-PP.06.01	1004301	None	1004301
<Cross-certification certificate>	CA2-PP.06.01	1004302	None	1004302
<Cross-certification certificate>	CA3-PP.06.01	1004303	None	1004303
<Cross-certification certificate>	CA4-PP.06.01	1004304	None	1004304
<Signing certificate>	User1-PP.06.01	1004399	None	None

(ii) PP.06.01.00

① Test case name

PP.06.01.00 (1004300)

② Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iii) PP.06.01.01

① Test case name

PP.06.01.01 (1004301)

② Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(c) PP.06.02

① Certification path

Certification path 1004400	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1004400	1004400
<Cross-certification certificate>	CA1-PP.06.02	1004401	None	1004401
<Cross-certification certificate>	CA2-PP.06.02	1004402	None	1004402
<Cross-certification certificate>	CA3-PP.06.02	1004403	None	1004403
<Cross-certification certificate>	CA4-PP.06.02	1004404	None	1004404
<Signing certificate>	User1-PP.06.02	1004499	None	None

(ii) PP.06.02.00

① Test case name

PP.06.02.00 (1004400)

② Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iii) PP.06.02.01

① Test case name

PP.06.02.01 (1004401)

② Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) PP.06.03

① Certification path

Certification path 1004500	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1004500	1004500
<Cross-certification certificate>	CA1-PP.06.03	1004501	None	1004501
<Cross-certification certificate>	CA2-PP.06.03	1004502	None	1004502
<Cross-certification certificate>	CA3-PP.06.03	1004503	None	1004503
<Cross-certification certificate>	CA4-PP.06.03	1004504	None	1004504
<Signing certificate>	User1-PP.06.03	1004599	None	None

(ii) PP.06.03.00

① Test case name

PP.06.03.00 (1004500)

② Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iii) PP.06.03.01

① Test case name

PP.06.03.01 (1004501)

② Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(e) PP.06.04

① Certification path

Certification path 1004600	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1004600	1004600
<Cross-certification certificate>	CA1-PP.06.04	1004601	None	1004601
<Cross-certification certificate>	CA2-PP.06.04	1004602	None	1004602
<Cross-certification certificate>	CA3-PP.06.04	1004603	None	1004603
<Cross-certification certificate>	CA4-PP.06.04	1004604	None	1004604
<Signing certificate>	User1-PP.06.04	1004699	None	None

(ii) PP.06.04.00

① Test case name

PP.06.04.00 (1004600)

② Input values for path verification

Expected Value	0
Acceptance Policy	anyPolicy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iii) PP.06.04.01

① Test case name

PP.06.04.01 (1004601)

② Input values for path verification

Expected Value	0
Acceptance Policy	anyPolicy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(iv) PP.06.04.02

① Test case name

PP.06.04.02 (1004602)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1, test-policy-2
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(v) PP.06.04.03

① Test case name

PP.06.04.03 (1004603)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1, test-policy-2
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(vi) PP.06.04.04

① Test case name

PP.06.04.04 (1004604)

② Input values for path verification

Expected Value	1
Acceptance Policy	test-policy-2, test-policy-3
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(vii) PP.06.04.05

① Test case name

PP.06.04.05 (1004605)

② Input values for path verification

Expected Value	1
Acceptance Policy	test-policy-2, test-policy-3
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(f) PP.06.05

① Certification path

Certification path 1004700	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1004700	1004700
<Cross-certification certificate>	CA1-PP.06.05	1004701	None	1004701
<Cross-certification certificate>	CA2-PP.06.05	1004702	None	1004702
<Cross-certification certificate>	CA3-PP.06.05	1004703	None	1004703
<Cross-certification certificate>	CA4-PP.06.05	1004704	None	1004704
<Signing certificate>	User1-PP.06.05	1004799	None	None

(ii) PP.06.05.00

① Test case name

PP.06.05.00 (1004700)

② Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iii) PP.06.05.01

① Test case name

PP.06.05.01 (1004701)

② Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(3) PP.08.01～PP.08.05

(a) Common categories

(i) Test category

DoD/FPKI path verification test

(ii) Test objective

Return from verification processing based on an appropriate CA constraint policy. Return from verification processing based on a user constraint policy.

(iii) Test case references

[X.509 10]

(iv) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, certificatePolicies

(b) PP.08.01

① Certification path

Certification path 1004800	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1004800	1004800
<Cross-certification certificate>	CA1-PP.08.01	1004801	None	1004801
<Signing certificate>	User1-PP.08.01	1004899	None	None

(ii) PP.08.01.00

① Test case name

PP.08.01.00 (1004800)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iii) PP.08.01.01

① Test case name

PP.08.01.01 (1004801)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(iv) PP.08.01.02

① Test case name

PP.08.01.02 (1004802)

② Input values for path verification

Expected Value	0
Acceptance Policy	anyPolicy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(v) PP.08.01.03

① Test case name

PP.08.01.03 (1004803)

② Input values for path verification

Expected Value	0
Acceptance Policy	anyPolicy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(vi) PP.08.01.04

① Test case name

PP.08.01.04 (1004804)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-2, test-policy-3
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(vii) PP.08.01.05

① Test case name

PP.08.01.05 (1004805)

② Input values for path verification

Expected Value	1
Acceptance Policy	test-policy-2, test-policy-3
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(c) PP.08.02

① Certification path

Certification path 1004900	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1004900	1004900
<Cross-certification certificate>	CA1-PP.08.02	1004901	None	1004901
<Signing certificate>	User1-PP.08.02	1004999	None	None

(ii) PP.08.02.00

① Test case name

PP.08.02.00 (1004900)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iii) PP.08.02.01

① Test case name

PP.08.02.01 (1004901)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(iv) PP.08.02.02

① Test case name

PP.08.02.02 (1004902)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-3
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(v) PP.08.02.03

① Test case name

PP.08.02.03 (1004903)

② Input values for path verification

Expected Value	1
Acceptance Policy	test-policy-3
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(vi) PP.08.02.04

① Test case name

PP.08.02.04 (1004904)

② Input values for path verification

Expected Value	0
Acceptance Policy	anyPolicy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(vii) PP.08.02.05

① Test case name

PP.08.02.05 (1004905)

② Input values for path verification

Expected Value	0
Acceptance Policy	anyPolicy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) PP.08.03

① Certification path

Certification path 1005000	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1005000	1005000
<Cross-certification certificate>	CA1-PP.08.03	1005001	None	1005001
<Signing certificate>	User1-PP.08.03	1005099	None	None

(ii) PP.08.03.00

① Test case name

PP.08.03.00 (1005000)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iii) PP.08.03.01

① Test case name

PP.08.03.01 (1005001)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(iv) PP.08.03.02

① Test case name

PP.08.03.02 (1005002)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1, test-policy-2
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(v) PP.08.03.03

① Test case name

PP.08.03.03 (1005003)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1, test-policy-2
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(vi) PP.08.03.04

① Test case name

PP.08.03.04 (1005004)

② Input values for path verification

Expected Value	0
Acceptance Policy	anyPolicy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(vii) PP.08.03.05

① Test case name

PP.08.03.05 (1005005)

② Input values for path verification

Expected Value	0
Acceptance Policy	anyPolicy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(e) PP.08.04

① Certification path

Certification path 1005100	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1005100	1005100
<Cross-certification certificate>	CA1-PP.08.04	1005101	None	1005101
<Signing certificate>	User1-PP.08.04	1005199	None	None

(ii) PP.08.04.00

① Test case name

PP.08.04.00 (1005100)

② Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iii) PP.08.04.01

① Test case name

PP.08.04.01 (1005101)

② Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(f) PP.08.05

① Certification path

Certification path 1005200	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1005200	1005200
<Cross-certification certificate>	CA1-PP.08.05	1005201	None	1005201
<Signing certificate>	User1-PP.08.05	1005299	None	None

(ii) PP.08.05.00

① Test case name

PP.08.05.00 (1005200)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iii) PP.08.05.01

① Test case name

PP.08.05.01 (1005201)

② Input values for path verification

Expected Value	1
Acceptance Policy	test-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(iv) PP.08.05.02

① Test case name

PP.08.05.02 (1005202)

② Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1, test-policy-2
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(v) PP.08.05.03

① Test case name

PP.08.05.03 (1005203)

② Input values for path verification

Expected Value	1
Acceptance Policy	test-policy-1, test-policy-2
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(vi) PP.08.05.04

① Test case name

PP.08.05.04 (1005204)

② Input values for path verification

Expected Value	0
Acceptance Policy	anyPolicy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(vii) PP.08.05.05

① Test case name

PP.08.05.05 (1005205)

② Input values for path verification

Expected Value	0
Acceptance Policy	anyPolicy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(4) PP.08.06

(a) Common categories

(i) Test category

DoD/FPKI path verification test

(ii) Test objective

Return from verification processing based on a user constraint policy.

(iii) Test case references

[X.509 10]

(iv) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, certificatePolicies, user-constrained-policy-set

(v) Certification path

Certification path 1005300	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1005300	1005300
<Cross-certification certificate>	CA1-PP.08.06	1005301	None	1005301
<Signing certificate>	User1-PP.08.06	1005399	None	None

(b) PP.08.06.00

(i) Test case name

PP.08.06.00 (1005300)

(ii) Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(c) PP.08.06.01

(i) Test case name

PP.08.06.01 (1005301)

(ii) Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(d) PP.08.06.02

(i) Test case name

PP.08.06.02 (1005302)

(ii) Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1, test-policy-2
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(e) PP.08.06.03

(i) Test case name

PP.08.06.03 (1005303)

(ii) Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-1, test-policy-2
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(f) PP.08.06.04

(i) Test case name

PP.08.06.04 (1005304)

(ii) Input values for path verification

Expected Value	0
Acceptance Policy	test-policy-4, test-policy-5
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(g) PP.08.06.05

(i) Test case name

PP.08.06.05 (1005305)

(ii) Input values for path verification

Expected Value	1
Acceptance Policy	Test-policy-4, test-policy-5
init-policy-mapping-inihibit	default(false)
init-explicit-policy	True
init-any-policy-inhibit	default(false)

(h) PP.08.06.06

(i) Test case name

PP.08.06.06 (1005306)

(ii) Input values for path verification

Expected Value	0
Acceptance Policy	anyPolicy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(i) PP.08.06.07

(i) Test case name

PP.08.06.07 (1005307)

(ii) Input values for path verification

Expected Value	0
Acceptance Policy	anyPolicy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

3.3.4 PL

(1) PL.01

(a) Common categories

(i) Test category

DoD/FPKI path verification test

(ii) Test objective

Correctly process permitted path length.

(iii) Test case references

[X.509 8.4.2.1]"The pathLenConstraint component shall be present only if cA is set to true. It gives the maximum number of CA-certificates that may follow this certificate in a certification path. "

(iv) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, pathLenConstraint

(b) PL.01.01

(i) Test case name

PL.01.01 (1005400)

(ii) Certification path

Certification path 1005400	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1005400	1005400
<Cross-certification certificate>	CA1-PL.01.01	1005401	None	1005401
<Cross-certification certificate>	CA2-PL.01.01	1005402	None	1005402
<Signing certificate>	User1-PL.01.01	1005499	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(c) PL.01.02

(i) Test case name

PL.01.02 (1005500)

(ii) Certification path

Certification path 1005500	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1005500	1005500
<Cross-certification certificate>	CA1-PL.01.02	1005501	None	1005501
<Cross-certification certificate>	CA2-PL.01.02	1005502	None	1005502
<Signing certificate>	CA3-PL.01.02	1005599	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(d) PL.01.03

(i) Test case name

PL.01.03 (1005600)

(ii) Certification path

Certification path 1005600)	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1005600	1005600
<Cross-certification certificate>	CA1-PL.01.03	1005601	None	1005601
<Signing certificate>	User1-PL.01.03	1005699	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(e) PL.01.04

(i) Test case name

PL.01.04 (1005700)

(ii) Certification path

Certification path 1005700	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1005700	1005700
<Cross-certification certificate>	CA1-PL.01.04	1005701	None	1005701
<Signing certificate>	CA2-PL.01.04	1005799	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(f) PL.01.05

(i) Test case name

PL.01.05 (1005800)

(ii) Certification path

Certification path 1005800	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1005800	1005800
<Cross-certification certificate>	CA1-PL.01.05	1005801	None	1005801
<Cross-certification certificate>	CA2-PL.01.05	1005802	None	1005802
<Cross-certification certificate>	CA3-PL.01.05	1005803	None	1005803
<Signing certificate>	User1-PL.01.05	1005899	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(g) PL.01.06

(i) Test case name

PL.01.06 (1005900)

(ii) Certification path

Certification path 1005900	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1005900	1005900
<Cross-certification certificate>	CA1-PL.01.06	1005901	None	1005901
<Cross-certification certificate>	CA2-PL.01.06	1005902	None	1005902
<Cross-certification certificate>	CA3-PL.01.06	1005903	None	1005903
<Signing certificate>	CA4-PL.01.06	1005999	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(h) PL.01.07

(i) Test case name

PL.01.07 (1006000)

(ii) Certification path

Certification path 1006000	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1006000	1006000
<Cross-certification certificate>	CA1-PL.01.07	1006001	None	1006001
<Cross-certification certificate>	CA2-PL.01.07	1006002	None	1006002
<Cross-certification certificate>	CA3-PL.01.07	1006003	None	1006003
<Cross-certification certificate>	CA4-PL.01.07	1006004	None	1006004
<Signing certificate>	User1-PL.01.07	1006099	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(i) PL.01.08

(i) Test case name

PL.01.08 (1006100)

(ii) Certification path

Certification path 1006100	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1006100	1006100
<Cross-certification certificate>	CA1-PL.01.08	1006101	None	1006101
<Cross-certification certificate>	CA2-PL.01.08	1006102	None	1006102
<Cross-certification certificate>	CA3-PL.01.08	1006103	None	1006103
<Cross-certification certificate>	CA4-PL.01.08	1006104	None	1006104
<Signing certificate>	CA5-PL.01.08	1006199	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(j) PL.01.09

(i) Test case name

PL.01.09 1006200

(ii) Certification path

Certification path 1006200	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1006200	1006200
<Cross-certification certificate>	CA1-PL.01.09	1006201	None	1006201
<Cross-certification certificate>	CA2-PL.01.09	1006202	None	1006202
<Cross-certification certificate>	CA3-PL.01.09	1006203	None	1006203
<Cross-certification certificate>	CA4-PL.01.09	1006204	None	1006204
<Signing certificate>	User1-PL.01.09	1006299	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(k) PL.01.10

(i) Test case name

PL.01.10 (1006300)

(ii) Certification path

Certification path 1006300	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1006300	1006300
<Cross-certification certificate>	CA1-PL.01.10	1006301	None	1006301
<Cross-certification certificate>	CA2-PL.01.10	1006302	None	1006302
<Cross-certification certificate>	CA3-PL.01.10	1006303	None	1006303
<Cross-certification certificate>	CA4-PL.01.10	1006304	None	1006304
<Signing certificate>	CA5-PL.01.10	1006399	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

3.3.5 RL

(1) RL.02

(a) Common categories

(i) Test category

DoD/FPKI path verification test

(ii) Test objective

Perform verification of a CRL signature with the same public key as that of the certificate signature.

(iii) Test case references

[X.509 7.3]"The certificates may be revoked by the same certificate-issuing authority directly"

(iv) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, CRL, certificate revocation list

(b) RL.02.01

(i) Test case name

RL.02.01 (1006400)

(ii) Certification path

Certification path 1006400	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1006400	1006400
<Cross-certification certificate>	CA1-RL.02.01	1006401	None	1006401
<Signing certificate>	User1-RL.02.01	1006499	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(2) RL.03

(a) Common categories

(i) Test category

DoD/FPKI path verification test

Verify whether the names of the certificate issuer and CRL issuer are the same.

(ii) Test case references

[X.509 7.3]"The certificates may be revoked by the same certificate-issuing authority directly"

(iii) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, CRL, certificate revocation list

(b) RL.03.01

(i) Test case name

RL.03.01 (1006500)

(ii) Certification path

Certification path 1006500	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1006500	1006500
<Cross-certification certificate>	CA1-RL.03.01	1006501	None	None
<Cross-certification certificate>	CA1-RL.03.01	1006502	None	None
<Signing certificate>	User1-RL.03.01	1006599	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(c) RL.03.02

(i) Test case name

RL.03.02 (1006600)

(ii) Certification path

Certification path 1006600	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1006600	1006600
<Cross-certification certificate>	CA1-RL.03.02	1006601	None	1006601
<Signing certificate>	User1-RL.03.02	1006699	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(d) RL.03.03

(i) Test case name

RL.03.03 (1006700)

(ii) Certification path

Certification path 1006700	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1006700	1006700
<Cross-certification certificate>	CA1-RL.03.03	1006701	None	1006701
<Signing certificate>	User1-RL.03.03	1006799	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(3) RL.05

(a) Common categories

(i) Test category

DoD/FPKI path verification test

(ii) Test objective

Reject certificate path if a critical crlEntryExtensions field that cannot be interpreted by the CRL is encountered.

(iii) Test case references

[X.509 7.3]"When an implementation processing a certificate revocation list does not recognize a critical extension in the crlEntryExtensions field, it shall assume that, at a minimum, the identified certificate has been revoked and is no longer valid and perform additional actions concerning that revoked certificate as dictated by local policy."

(iv) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, CRL, certificate revocation list

(b) RL.05.01

(i) Test case name

RL.05.01 (1006800)

(ii) Certification path

Certification path 1006800	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1006800	1006800
<Cross-certification certificate>	CA1-RL.05.01	1006801	None	1006801
<Cross-certification certificate>	CA2-RL.05.01	1006802	None	1006802
<Signing certificate>	User1-RL.05.01	1006899	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(c) RL.05.02

(i) Test case name

RL.05.02 (1006900)

(ii) Certification path

Certification path 1006900	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1006900	1006900
<Cross-certification certificate>	CA1-RL.05.02	1006901	None	1006901
<Signing certificate>	User1-RL.05.02	1006999	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(4) RL.06

(a) Common categories

(i) Test category

DoD/FPKI path verification test

(ii) Test objective

Reject certificate path if a critical crlExtensions field that cannot be interpreted by the CRL is encountered.

(iii) Test case references

[X.509 7.3]"When an implementation does not recognize a critical extension in the crlExtensions field, it shall assume that identified certificates have been revoked and are no longer valid"

(iv) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, CRL, certificate revocation list

(b) RL.06.01

(i) Test case name

RL.06.01 (1007000)

(ii) Certification path

Certification path 1007000	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1007000	1007000
<Cross-certification certificate>	CA1-RL.06.01	1007001	None	1007001
<Cross-certification certificate>	CA2-RL.06.01	1007002	None	1007002
<Signing certificate>	User1-RL.06.01	1007099	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(c) RL.06.02

(i) Test case name

RL.06.02 (1007100)

(ii) Certification path

Certification path 1007100	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1007100	1007100
<Cross-certification certificate>	CA1-RL.06.02	1007101	None	1007101
<Signing certificate>	User1-RL.06.02	1007199	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(5) RL.07

(a) Common categories

(i) Test category

DoD/FPKI path verification test

(ii) Test objective

Declare a CRL unacceptable if the nextUpdate date/time of the CRL is earlier than the current date/time.

(iii) Test case references

[X.509 7.3]"nextUpdate, if present, indicates the date/time by which the next revocation list in this series will be issued. The next revocation list could be issued before the indicated date, but it will not be issued any later than the indicated time."

(iv) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, CRL, certificate revocation list

(b) RL.07.01

(i) Test case name

RL.07.01 (1007200)

(ii) Certification path

Certification path 1007200	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1007200	1007200
<Cross-certification certificate>	CA1-RL.07.01	1007201	None	1007201
<Signing certificate>	User1-RL.07.01	1007299	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(c) RL.07.02

(i) Test case name

RL.07.02 (1007300)

(ii) Certification path

Certification path 1007300	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1007300	1007300
<Cross-certification certificate>	CA1-RL.07.02	1007301	None	1007301
<Signing certificate>	User1-RL.07.02	1007399	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(d) RL.07.03

(i) Test case name

RL.07.03 (1007400)

(ii) Certification path

Certification path 1007400	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1007400	1007400
<Cross-certification certificate>	CA1-RL.07.03	1007401	None	1007401
<Signing certificate>	User1-RL.07.03	1007499	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(6) RL.08

(a) Common categories

(i) Test category

DoD/FPKI path verification test

(ii) Test objective

Recognize a CRL containing deltaCRLIndicator.

(iii) Test case references

[X.509 8.6.2.4]"The delta CRL indicator field identifies a CRL as being a delta CRL (dCRL) that provides updates to a referenced base CRL. The referenced base CRL is a CRL that was explicitly issued as a CRL that is complete for a given scope. The CRL containing the delta CRL indicator extension contains updates to the certificate revocation status for that same scope. This scope does not necessarily include all revocation reasons or all certificates issued by a CA, especially in the case where the CRL is a CRL distribution point."

(iv) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, CRL, certificate revocation list

(b) RL.08.01

(i) Test case name

RL.08.01 (1007500)

(ii) Certification path

Certification path 1007500	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1007500	1007500
<Cross-certification certificate>	CA1-RL.08.01	1007501	None	1007501
<Signing certificate>	User1-RL.08.01	1007599	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(7) RL.09

(a) Common categories

(i) Test category

DoD/FPKI path verification test

(ii) Test objective

Recognize a CRL containing issuingDistributionPoint.

(iii) Test case references

[X.509 8.6.2.2]"This CRL extension field identifies the CRL distribution point for this particular CRL, and indicates if the CRL is limited to revocations for end-entity certificates only, for authority certificates only, or for a limited set of reasons only."

(iv) Test keywords

NIST, X.509 Path Validation Test Suite, CP, Certificate Processing, CRL, certificate revocation list

(b) RL.09.01

(i) Test case name

RL.09.01 (1007600)

(ii) Certification path

Certification path 1007600	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	Trust Anchor	None	1007600	1007600
<Cross-certification certificate>	CA1-RL.09.01	1007601	None	1007601
<Signing certificate>	User1-RL.09.01	1007699	None	None

(iii) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

4 Original Tests

4.1　 Test objectives

Create more complex test cases related to non-required or unstipulated items not tested in the above-mentioned test cases.

4.2　 Basic test environment

4.3　 Test categories

4.3.1 CA key update

The framework of the CA key update is clearly defined in the RFC2510 (PKIX CMP) and the GPKI Interoperability Specification. Even in cases where this type of CA key update is conducted, confirmation is conducted in this test category as to whether the EE can perform certification path construction and verification using an appropriate self-issued certificate, and correctly verify signature data.

(1) Common categories

(i) Test category

Original tests

(ii) Test case references

[X.509 8.1.5] Self-issued certificates

[RFC2510 2.4] Root CA key update

(iii) Test keywords

Original tests, KeyUpdate, ca, self-issue

The following defines four certificate codes used in key updates under this specification.

Standard Description	Code	Meaning
OldwithNew	O/N	Issue an old public key certificate with a new signed private key.
OldwithOld	O/O	Old public key certificate
NewwithOld	N/O	Issue a new public key certificate with an old signed private key.
NewwithNew	N/N	New public key certificate.

(2) Case using OldWithOld

CA-X(issuedToOld) -> OldWithOld -> CA-Y(issuedByOld)

(i) Test case name

KeyRollover-OldWithOld

(ii) Test objective

Cases where OldWithOld is included in a key update CA within a certification path.

(iii) Certification path

Certification path	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	3000101	O/O 3000020	3000020
<Cross-certification certificate>	CA4	3000102	3000040	3000040
<Signing certificate>	CA4-EE	3000199	None	None

(iv) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(3) Cases using NewWithOld

CA-X(issuedToOld) -> NewWithOld -> CA-Y(issuedByNew)

(i) Test case name

KeyRollover-NewWithOld

(ii) Test objective

Cases where NewWithOld is included in a key update CA within the certification path.

(iii) Certification path

Certification path:3000102	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	O/CA4 3000101	O/O 3000020
	CA2	N/O 3000122	N/N 3000021	3000021
<Cross-certification certificate>	CA4	N/CA4 3000123	3000040	3000040
<Signing certificate>	CA4-EE	3000199	None	None

(iv) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(4) Cases using OldWithNew

CA-X(issuedToNew) -> OldWithNew -> CA-Y(issuedByOld)

(i) Test case name

KeyRollover-OldWithNew

(ii) Test objective

Cases where OldWithNew is included in a key update CA within the certification path.

(iii) Certification path

Certification path:3000103	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	N/CA4 3000101	N/N 3000021
	CA2	O/N 3000132	O/O 3000020	3000021
<Cross-certification certificate>	CA4	O/CA4 3000102	3000040	3000040
<Signing certificate>	CA4-EE	3000199	None	None

(iv) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(5) Cases using NewWithNew

CA-X(issuedToNew) -> NewWithNew -> CA-Y(issuedByNew)

(i) Test case name

KeyRollover-NewWithNew

(ii) Test objective

Cases where NewWithNew is included in a key update CA within the certification path.

(iii) Certification path

Certification path : 3000104	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	3000131	N/N 3000021	3000021
<Cross-certification certificate>	CA4	3000123	3000040	3000040
<Signing certificate>	CA4-EE	3000199	None	None

(iv) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

4.3.2 Mixture of PrintableString and UTF8String

Under X.509, current certificates are allowed to use several encoding methods including PrintableString for the DN. However, after December 31, 2003, certificates must be issued being encoded with UTF8String.

In this testing, we are confirming whether an EE can perform proper certification path construction and verification, and correctly verify signature data for certificates encoded either in PrintableString or UTF8String, a combination expected to be encountered in the immediate future before and after the new standard is enforced.

(1) Cases with cross-certification involving PrintableString CA-X and UTF8String CA-Y.

(a) Cases where the subject of a cross-certification certificate can be encoded according to the method of the receiver of the certificate.

(i) Printable -> UTF8

① Test case name

Printable2UTF-CC-conformance

② Certification path

Certification path:3000201	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	Ip, Su 3000202	3000022	3000022
<Signing certificate>	CA2-EE	Iu, Su 3000299	None	None

※Notation:Issuer is UTF8(Is), Printable(Ip), Subject is UTF8(Su)、Printable(Sp)

③ Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(ii) UTF8 -> Printable

① Test case name

UTF2Printable-CC-conformance

② Certification path

Certification path:3000202	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000012	3000012
<Cross-certification certificate>	CA2	Iu, Sp 3000221	3000020	3000020
<Signing certificate>	CA2-EE	Ip, Sp 3000029	None	None

③ Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(b) Cases where the subject of a cross-certification certificate cannot be encoded according to the method of the receiver of the certificate.

(i) Printable -> UTF8

① Test case name

Printable2UTF-CC-unconformance

② Certification path

Certification path:3000203	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	Ip,Sp 3000101	3000022	3000022
<Signing certificate>	CA2-EE	Iu,Su 3000229	None	None

③ Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(ii) UTF8 -> Printable

① Test case name

UTF2Printable-CC-unconformance

② Certification path

Certification path:3000204	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000012	3000012
<Cross-certification certificate>	CA2	Iu,Su 3000241	3000020	3000020
<Signing certificate>	CA2-EE	Ip,Sp 3000029	None	None

※Notation:Issuer is UTF8(Is), Printable(Ip); Subject is UTF8(Su), Pritable(Sp)

③ Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(2) Cases where CA key update moves from PrintableString to UTF8String

(a) Cases using OldWithOld

(i) Test case name

P2U-KeyRollOver-O/O

(ii) Test objective

Cases where a certificate authority moves from PrintableString to UTF8String with NameRollover includes OldWithOld within the certification path.

(iii) Certification path

Certification path : 3000301

subject

Intermediate

Certificate #

Self-signed

Certificate #

CRL#

CA1

None

3000010

CA1-EE

3000019

None

(iv) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(b) Cases using NewWithOld

(i) Test case name

P2U-KeyRollOver-N/O

(ii) Test objective

Cases where a certificate authority moves from PrintableString to UTF8String with NameRollover includes NewWithOld within the certification path.

(iii) Certification path

Certification path:3000302	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	Op/Op 3000010	3000320
<Cross-certification certificate>	CA1	Nu/Op 3000301	Nu/Nu 3000320
<Signing certificate>	CA1-EE	3000199	None	None

※Notation:O=Old, N=New, p=PrintableString, u=UTF8String

(iv) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(c) Cases using OldWithNew

(i) Test case name

P2U-KeyRollOver-O/N

(ii) Test objective

Cases where a certificate authority moves from PrintableString to UTF8String with NameRollover includes OldWithNew within the certification path.

(iii) Certification path

Certification path:3000303	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	Nu/Nu 3000320	3000320
<Cross-certification certificate>	CA1	Op/Nu 3000331	Op/Op 3000010
<Signing certificate>	CA1-EE	3000019	None	None

(iv) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(d) Cases using NewWithNew

(i) Test case name

P2U-KeyRollOver-N/N

(ii) Test objective

Cases where a certificate authority moves from PrintableString to UTF8String with NameRollover includes NewWithNew within the certification path.

(iii) Certification path

Certification path : 3000304

subject

Intermediate

Certificate #

Self-signed

Certificate #

CRL#

CA1

None

N/N 3000320

3000320

CA1-EE

3000399

None

(iv) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

4.3.3 Mixture of UTCTime and GeneralizedTime

Under X.509 current certificate expiration dates can be encoded with either UTCTime or GeneralizedTime. However, when issuing certificates which will be valid after 2050, they must be encoded under GeneralizedTime.

In this testing, we confirmed whether an EE can properly perform certification path construction and verification, and correctly verify signature data for valid certificates encoded either in UTCTime or GeneralizedTime, a combination expected to be encountered in the future until the new standard is enforced.

(1) Cases where a UTCTime CA-X and a GeneralizedTime CA-Y perform cross-certification

(a) CA-X -> CA-Y

(i) Test case name

UTC2Gen-CC

(ii) Certification path

Certification path : 3000402	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	3000101 UTC	3000420	3000420
<Signing certificate>	CA2-EE	3000429 Generalized	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(b) CA-Y -> CA-X

(i) Test case name

Gen2UTC-CC

(ii) Certification path

Certification path : 3000402	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000410	3000410
<Cross-certification certificate>	CA2	3000421 Generalized	3000020	3000020
<Signing certificate>	CA2-EE	3000029 UTC	None	None

(iii) Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

4.3.4 Mixture of OCSP and CRL

Under PKI there are two main methods for providing revocation information. One method is to publicly release a revocation list using a repository, and another method is to use an OCSP responder to provide revocation information for individual certificates. Under GPKI, the government CA releases a CRL/ARL from an integrated repository. On the other hand, a commercial registration certificate authority uses an OCSP responder to provide individual revocation information.

In this testing, we confirmed whether an EE can properly perform certification path construction and verification, and correctly verify signature data in a GPKI environment including both the OCSP model and CRL model.

(1) Cases where a commercial registration OCSP responder exists within the certificate path.

(a) Test case name

mixedOCSP w/CR-Responder

(b) Certification path

Certification path : 3000501	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	CA1	None	3000010	3000010	None
<Cross-certification certificate>	commercial registration CA	3000501	2000604	None	6
<Signing certificate>	commercial registration -EE	2000699	None	None	None

(c) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(2) Cases where a general OCSP responder exists within the certificate path.

(a) Test case name

mixedOCSP w/normal-Responder

(b) Certification path

Certification path : 3000502	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	CA1	None	3000010	3000010	None
<Cross-certification certificate>	CA2	3000101	3000520	None	3000520
<Signing certificate>	CA2-EE	3000599	None	None	None

(c) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(3) Cases where verification cannot be performed for an OCSP responder.

(a) Test case name

mixedOCSP w/normal-Responder unverified

(b) Objective

Cases where a general OCSP responder exists within a certification path, but the OCSP response cannot be verified.

(c) Certification path

Certification path : 3000503	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#	OCSP#
<Trust anchor certificate>	CA1	None	3000010	3000010	None
<Cross-certification certificate>	CA2	3000501	3000520	None	3000523
<Signing certificate>	CA2-EE	3000599	None	None	None

(d) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

4.3.5 Policy constraints

When cross-certification is performed using a bridge certificate authority between government and private certificate authorities of GPKI, a certificate policy showing each certificate authority used by GPKI is determined, and by mapping this policy, an appropriate level of security is maintained.

In this testing, we confirmed whether an EE can perform certification path construction and verification including certificate policy and policy mapping, as well as correctly verify signature data.

(1) Cases where a requested certificate policy is included within a certificate path.

(a) Test case name

certPolicy-accept

(b) Certification path

Certification path : 3000601	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	3000611	3000020	3000020
<Cross-certification certificate>	CA3	3000612	3000030	3000030
<Signing certificate>	CA3-EE	3000699	None	None

(c) Input values for path verification

Expected Value	0
Acceptance Policy	org-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(2) Cases where a requested certificate policy is not included within a certificate path.

(a) Test case name

certPolicy-accept

(b) Certification path

Certification path : 3000602	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	3000611	3000020	3000020
<Cross-certification certificate>	CA3	3000622	3000030	3000030
<Signing certificate>	CA3-EE	3000698	None	None

(c) Input values for path verification

Expected Value	1
Acceptance Policy	org-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(3) Cases where a certificate policy within a certificate path has been correctly mapped.

(a) Test case name

policyMapping-accept

(b) Certification path

Certification path : 3000701	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	3000711	3000020	3000020
<Cross-certification certificate>	CA3	3000712	3000030	3000030
<Signing certificate>	CA3-EE	3000799	None	None

(c) Input values for path verification

Expected Value	0
Acceptance Policy	org-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(4) Cases where a certificate policy within a certificate path has not been correctly mapped.

(a) Test case name

policyMapping-accept

(b) Certification path

Certification path : 3000702	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	3000721	3000020	3000020
<Cross-certification certificate>	CA3	3000712	3000030	3000030
<Signing certificate>	CA3-EE	3000799	None	None

(c) Input values for path verification

Expected Value	1
Acceptance Policy	org-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

4.3.6 Constraints

Under GPKI, verification of certification path using certificate policies subject to policy constraints is necessary in order to maintain a security level between certificate authorities belonging to different operational groups. Also, in order to prevent B2B over a bridge certificate authority, it is necessary to include name constraints on the cross-certification certificate issued from the private certificate authority to the bridge certificate authority.

Although not necessary under GPKI, X.509 defines a path length constraint in order to limit the length of the certification path.

In this testing, we confirmed whether an EE could perform construction and verification of a certification path including these constraints, and whether the EE could correctly conduct signature data verification.

(1) Cases where the certificate path length is constrained

(a) Test case name

pathLenConstraint

(b) Certification path

Certification path : 3000801	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	3000811	3000020	3000020
<Cross-certification certificate>	CA3	3000712	3000030	3000030
<Signing certificate>	CA3-EE	3000799	None	None

(c) Input values for path verification

Expected Value	1
Acceptance Policy	org-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(2) Cases where the certificate policy within a certificate path is constrained

(a) Test case name

policyConst-rEP

(b) Certification path

Certification path : 3000901	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	3000911	3000020	3000020
<Cross-certification certificate>	CA3	3000912	3000030	3000030
<Signing certificate>	CA3-EE	3000699	None	None

(c) Input values for path verification

Expected Value	1
Acceptance Policy	org-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(3) Cases where policy mapping within a certificate path is constrained

(a) Test case name

policyConst-iPM

(b) Certification path

Certification path : 3001001	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	3001011	3000020	3000020
<Cross-certification certificate>	CA3	3000712	3000030	3000030
<Signing certificate>	CA3-EE	3000799	None	None

(c) Input values for path verification

Expected Value	1
Acceptance Policy	org-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	true
init-any-policy-inhibit	default(false)

(4) Cases where a name space within the certification path is constrained

(a) Test case name

nameConst

(b) Certification path

Certification path : 3001101	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	3001111	3000020	3000020
<Cross-certification certificate>	CA3	3001112	3001130	3001130
<Signing certificate>	CA3-EE	3001199	None	None

(c) Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

4.3.7 Test cases related to DN encoding

DN encoding problems generally occur in one of two areas:

(1) Evaluation of constraints

After December 31, 2003, DN encoding will be conducted in UTF8. Once this change has been implemented, there is a possibility that self-signed certificates will cease to be recognized as self-signed.

In this testing, we have performed a "black box" test by removing the sections referencing names from the RFC3280 path verification algorithm.

The following is an extract of related text from the RFC3280 (Japan Certification Services, Inc. translation omitted).

6.1.3 Basic Certificate Processing

b) If certificate i is self-issued and it is not the final certificate in the path, skip this step for certificate i. Otherwise, verify that the subject name is within one of the permitted_subtrees for X.500 distinguished names, and verify that each of the alternative names in the subjectAltName extension (critical or non-critical) is within one of the permitted_subtrees for that name type.

c) If certificate i is self-issued and it is not the final certificate in the path, skip this step for certificate i. Otherwise, verify that the subject name is not within one of the excluded_subtrees for X.500 distinguished names, and verify that each of the alternative names in the subjectAltName extension (critical or non-critical) is not within one of the excluded_subtrees for that name type.

6.1.4 Preparation for Certificate i+1

h) If the issuer and subject names are not identical:

(1) If explicit_policy is not 0, decrement explicit_policy by 1.

(2) If policy_mapping is not 0, decrement policy_mapping by 1.

(3) If inhibit_any-policy is not 0, decrement inhibit_any-policy by 1.

l) If the certificate was not self-issued, verify that max_path_length is greater than zero and decrement max_path_length by 1.

6.1.5 Wrap-up Procedure

(a) If certificate n was not self-issued and explicit_policy is not 0, decrement explicit_policy by 1.

The following extensions are affected by the rules above:

- NameConstraints

- PolicyConstraints

- PolicyMappings

- BasicConstraints

(a) BasicConstraints

Confirm the self-signed certificate appearing in the verification path does not contain a path length constraint, regardless of the format of the DN encoding.

(i) Cases of failed Printable→UTF8

① Test case name

NameRollOverWithBasicConstraints-01-01

② Test objective

Confirm whether the pathLenConstraint is correctly decremented as a result of NameRollover for a CA. The expected test result value is "fail".

③ Certification path

Certification path:3001201	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	Op/CA1 3001211	Op/Op 3000020
	CA2	Nu/Op 3001212	Nu/Nu 3001220	3001220
<Signing certificate>	CA2-EE	3001299	None	None

④ Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(ii) Cases of successful Printable→UTF8

① Test case name

NameRollOverWithBasicConstraints-01-02

② Test objective

Confirm whether the pathLenConstraint is correctly decremented as a result of NameRollover for a CA. The expected test result value is "pass".

③ Certification path

Certification path:3001202	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	Op/CA1 3001221	Op/Op 3000020
	CA2	Nu/Op 3001212	Nu/Nu 3001220	3001220
<Signing certificate>	CA2-EE	3001299	None	None

④ Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iii) Cases of successful UTF8→Printable

① Test case name

NameRollOverWithBasicConstraints-02-01

② Test objective

Confirm whether the pathLenConstraint is correctly decremented as a result of NameRollover for a CA. The expected test result value is "fail".

③ Certification path

Certification path:3001301	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	Ou/CA1 3001311	Ou/Ou 3000022
	CA2	Np/Ou 3001312	Np/Np 3000021	3000021
<Signing certificate>	CA2-EE	3001399	None	None

④ Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iv) Cases of failed UTF8→Printable

① Test case name

NameRollOverWithBasicConstraints-02-02

② Test objective

Confirm whether the pathLenConstraint is correctly decremented as a result of NameRollover for a CA. The expected test result value is "pass".

③ Certification path

Certification path:3001302	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	Ou/CA1 3001321	Ou/Ou 3000022
	CA2	Np/Ou 3001312	Np/Np 3000021	3000021
<Signing certificate>	CA2-EE	3001399	None	None

④ Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(b) NameConstraints

Confirm behavior in cases where DN encoding used for constraints and subjects are different.

Testing categories consist of three areas, similar to that of BasicConstraints: 1) determining whether certificate is self-signed, 2) problems related to constraint and DN matching, and 3) problems related to constraint updates.

(i) Tests related to intermediately positioned self-signed certificate (intermediate encoding mismatch)

① NameRollOverWithNameConstraints-02-01

I. Test case name

NameRollOverWithNameConstraints-02-01

II. Test objective

Confirm whether a self-signature existing in an intermediate position in a path is recognized and processing related to NameConstraint is voided, in connection with NameConstraint processing as a result of NameRollover for a CA. The expected test result value is "pass".

III. Certification path

Certification path:3001401	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	O/CA1 3001411	O/O 3000022
	CA2	N/O 3001312	N/N 3000021	3000021
<Signing certificate>	CA2-EE	3001499	None	None

IV. Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

② NameRollOverWithNameConstraints-02-02

I. Test case name

NameRollOverWithNameConstraints-02-02

II. Test objective

III. Certification path

Certification path:3001401	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	O/CA1 3001421	O/O 3000020
	CA2	N/O 3001212	N/N 3001220	3001220
<Signing certificate>	CA2-EE	3001498	None	None

IV. Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(ii) Constraint and subject encoding matches

① NameRollOverWithNameConstraints-03-01

I. Test case name

NameRollOverWithNameConstraints-03-01

II. Test objective

Confirm behavior when NameConstraint encoding and subject encoding does not match. Expected value is "pass".

III. Certification path

Certification path:3001501	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	Pu 3001411	3000022	3000022
<Signing certificate>	EE	Iu, Su 3000299	None	None

※Notation:permittedSubtrees value is Pu=UTF8/Pp=Printable

IV. Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

② NameRollOverWithNameConstraints-03-04

I. Test case name

NameRollOverWithNameConstraints-03-04

II. Test objective

Confirm behavior when NameConstraint encoding and subject encoding does not match. Expected value is "pass".

III. Certification path

Certification path:3001504	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	Pp 3001521	3000022	3000022
<Signing certificate>	EE	Sp, Iu 3001599	None	None

IV. Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iii) Constraint and subject encoding mismatch.

① NameRollOverWithNameConstraints-03-02

I. Test case name

NameRollOverWithNameConstraints-03-02

II. Test objective

Confirm behavior when NameConstraint encoding and subject encoding does not match. Expected value is "pass".

III. Certification path

Certification path:3001502	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	Pp 3001521	3000022	3000022
<Signing certificate>	EE	Su, Iu 3000299	None	None

IV. Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

② NameRollOverWithNameConstraints-03-03

I. Test case name

NameRollOverWithNameConstraints-03-03

II. Test objective

Confirm behavior when NameConstraint encoding and subject encoding does not match. Expected value is "pass".

III. Certification path

Certification path:3001503	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	Pu 3001411	3000022	3000022
<Signing certificate>	EE	Sp, Iu 3001599	None	None

IV. Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(iv) Encoding mismatch related to constraint node calculation.

① NameRollOverWithNameConstraints-04-01

I. Test case name

NameRollOverWithNameConstraints-04-01

II. Test objective

Test for case when NameConstraint is semantically the same as CA[12], and encoding is different. Expected value is "pass".

III. Certification path

Certification path:3001601	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	Pu 3001611	3000020	3000020
	CA3	Pp 3001612	3000030	3000030
<Signing certificate>	EE	3000039	None	None

IV. Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

② NameRollOverWithNameConstraints-02-02

I. Test case name

NameRollOverWithNameConstraints-02-02

II. Test objective

Test for case when NameConstraint is semantically the same as CA[12], and encoding is different. Expected value is "pass".

III. Certification path

Certification path:3001601	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	Pp 3001621	3000020	3000020
	CA3	Pu 3001622	3000030	3000030
<Signing certificate>	EE	3000039	None	None

IV. Input values for path verification

Expected Value	0
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(c) Policy Constraints and Policy Mappings

Normally, it would be most desirable to perform policy constraint testing with a mixture of encoding methods; however, a substitute test confirming whether the explicit_policy/policy_mapping/inhibit_anypolicy state variable is accurately decremented will be performed.

① NameRollOverWithPolicyMapping-01-01

I. Test case name

NameRollOverWithPolicyMapping-01-01

II. Test objective

Confirm whether a self-signed NameRollOver certificate existing in an intermediate position in a path is recognized and the explicit_policy/policy_mapping/inhibit_any_policy state variable is appropriately decremented. Expected value is "fail".

III. Certification path

Certification path:3001701	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	Op/CA1 rEP=0 3001711	Op/Op 3000020
	CA2	Nu/Op 3001212	Nu/Nu 3001220	3001220
<Signing certificate>	EE	3001498	None	None

IV. Input values for path verification

Expected Value	1
Acceptance Policy	org-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

② NameRollOverWithPolicyMapping-01-02

I. Test case name

NameRollOverWithPolicyMapping-01-02

II. Test objective

III. Certification path

Certification path:3001702	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	Op/CA1 rEP=1 3001721	Op/Op 3000020
	CA2	Nu/Op 3001212	Nu/Nu 3001220	3001220
<Signing certificate>	EE	3001498	None	None

IV. Input values for path verification

Expected Value	1
Acceptance Policy	org-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

③ NameRollOverWithPolicyMapping-01-03

I. Test case name

NameRollOverWithPolicyMapping-01-03

II. Test objective

III. Certification path

Certification path:3001703	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	Op/CA1 rEP=2 3001731	Op/Op 3000020
	CA2	Nu/Op 3001212	Nu/Nu 3001220	3001220
<Signing certificate>	EE	3001498	None	None

IV. Input values for path verification

Expected Value	0
Acceptance Policy	org-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

④ NameRollOverWithPolicyMapping-02-01

I. Test case name

NameRollOverWithPolicyMapping-02-01

II. Test objective

III. Certification path

Certification path:3001801	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	Ou/CA1 rEP=0 3001811	Ou/Ou 3000022
	CA2	Np/Ou 3001312	N/N 3000021	3000021
<Signing certificate>	EE	3001499	None	None

IV. Input values for path verification

Expected Value	1
Acceptance Policy	org-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

⑤ NameRollOverWithPolicyMapping-02-02

I. Test case name

NameRollOverWithPolicyMapping-02-02

II. Test objective

III. Certification path

Certification path:3001802	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	Ou/CA1 rEP=1 3001821	Ou/Ou 3000022
	CA2	Np/Ou 3001312	N/N 3000021	3000021
<Signing certificate>	EE	3001499	None	None

IV. Input values for path verification

Expected Value	1
Acceptance Policy	org-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

⑥ NameRollOverWithPolicyMapping-02-03

I. Test case name

NameRollOverWithPolicyMapping-02-03

II. Test objective

III. Certification path

Certification path:3001803	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	Ou/CA1 rEP=2 3001321	Ou/Ou 3000022
	CA2	Np/Ou 3001312	N/N 3000021	3000021
<Signing certificate>	EE	3001499	None	None

IV. Input values for path verification

Expected Value	0
Acceptance Policy	org-policy-1
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(2) Acquisition and verification of revocation information

Subsection a) of section "6.1.3 Basic Certificate Processing" of RFC3280 contains the following.

(3) At the current time, the certificate is not revoked and is not on hold status. This may be determined by obtaining the appropriate CRL (section 6.3) and status information, or by out-of-bounds mechanisms.

Normally, nullified information is searched using the signer name (DN) and serial number. The problem here is the CRL DN and the issuer DN included in the certificate.
In addition, when raising the OCSP (RFC2560) problem, the certificate identifier included in the request is defined as:

CertID ::= SEQUENCE {

HashAlgorithm AlgorithmIdentifier,

IssuerNameHash OCTET STRING, -- Hash of Issuer's DN

IssuerKeyHash OCTET STRING, -- Hash of Issuers public key

SerialNumber CertificateSerialNumber }

and rely on DN encoding.

(a) CRL and certificate matching

The following condition illustrates a condition wherein the CA is trusted from the trust anchor, and the DN encoding is updated to UTF8. In this case, the current CRL may be issued either in UTF8 or in PrintableString.

The real nature of this problem in connection with a continued information search is essentially the same as when a key update is performed. The meaning that a search cannot be performed using a key, is that a more undefined search is required.

Case in which the End Entity signer DN and the CRL issuer uses different encoding (pattern for cases in which NameRollOver only is used):

① NameRollOverWithCRLMatching-01

I. Test case name

NameRollOverWithCRLMatching-01

II. Test objective

Confirm correct recognition of nullified information for cases in which a CA (for which only NameRollOver has been performed) has cancelled an EE, regardless of issuance time.

III. Certification path

Certification path:3001901	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	Sp 3000101	Su, Ip 3001910	Iu 3000022
<Signing certificate>	EE	Ip 3000029	None	None

IV. Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

② NameRollOverWithCRLMatching-03

I. Test case name

NameRollOverWithCRLMatching-03

II. Test objective

Confirm correct recognition of nullified information for cases in which a CA (for which only NameRollOver has been performed) has cancelled an EE, regardless of issuance time.

III. Certification path

Certification path:3001701	subject	Intermediate Certificate #	Self-signed Certificate #	CRL#
<Trust anchor certificate>	CA1	None	3000010	3000010
<Cross-certification certificate>	CA2	Sp 3000101	Su, Ip 3001910	Ip 3000020
<Signing certificate>	EE	Iu 3000299	None	None

IV. Input values for path verification

Expected Value	1
Acceptance Policy
init-policy-mapping-inihibit	default(false)
init-explicit-policy	default(false)
init-any-policy-inhibit	default(false)

(b) OCSP and certificates

With respect to OCSP v1, an issuer's public key must be identified in order for a request to be issued. One appropriate method is use of an i-1 certificate from among the path information used with RFC3280; however, it may not be the case that the i-1 DN encoding is the same as the encoding for the i issuer DN. However, any combination that does not appear in the path (DN encoding and public key) cannot be considered acceptable, and therefore the End Entity should not send such an OCSP request (somewhat close to the proposed specification, in a sense).

The following is an example:

	UTF8	Printable
Key A	○	×
Key B	×	○

Figure 4-1 Combination of OCSP Response—Request Content

5 Optional test cases and test specification additions

The Interoperability Test Suite was designed not only to allow that addition of new test cases, but also the addition of test categories. However, the addition of test categories is more difficult than simply adding/ deleting data, requiring detailed test category design work.

Because of this, a special test case loader/ unloader script has been prepared to provide easier addition/ deletion for allowable test levels. This makes it possible to add/ delete optional test cases to existing test categories.

Additional test cases can appropriate existing key pairs/ certificates/ CRL (/OCSP response) stored in the test database, and construct an appropriate certification path.

5.1　 Test case additions

To add test cases, the following factors must be defined (at a minimum), and a record must be added to the test case table:

- Test case name (option)

- Test category ID (GPKI simulation test or original test case)

- Test Expected Value

- Acceptance Policy

- init-policy-mapping-inihibit

- init-explicit-policy

- init-any-policy-inhibit

- Explanation of test details

- Reference source for specifications

- Certification path data (explained in 5.2)

5.2　 Certification path data addition

5.2.1 Certification path definition using existing certificate, etc.

Defines certification path used for test case. If existing certificates/ CRL (/OCSP response) stored in the test database are appropriated, it is sufficient to define each certificate/ CRL (/OCSP) number, and only add as many records as the number of paths in the certificate path table.

- Certificate No.

- CRL No.

- OCSP No.

- Certificate order No.

5.2.2 Certification path definition using a new certificate

In cases where new certificates, etc. are defined for a test case, records must also be added to the certificate value table, etc.

- Add records to certificate table (equal to number of paths).

- Add records to certificate category table and certificate value table (as appropriate).

- Add records to CRL table (equal to number of paths).

- Add records to the CRL category table and CRL value table (as appropriate).

- Add records to OCSP table (equal to number of paths).

- Add records to OCSP category table and OCSP value table (as appropriate).

- Add records to key pair table (as appropriate).

5.3　 Creation of test case specifications

Each test case specification is created from the added certification path data and test case. The created test case specification consists of a document body, which is output as a portion of a document, and a data part, which is output as referenced appendix data.

- Document body

Ø Test category

Ø Test case name

Ø Test objective

Ø Test case references

Ø Test keywords

Ø Certification path

Ø Input values for path verification

- Data

Ø Parameters for trust anchor certificates

Ø Parameters for intermediate certificate included in certification path

Ø Parameters for revocation list included in certification path

Ø Parameters for OCSP response included in certification path

Ø Parameters for signer's certificate (subject to verification)

The test case specification created here would not give us comprehensive documentation, details specifications including mechanically created data would be automatically created to a certain extent.

5.4　 Designating categories to be added

Within the Interoperability Test Suite, it is possible to use the test case loader/ unloader to add or delete test cases to existing test categories. The following explains what type of test cases should be added to what type of category.

5.4.1 GPKI simulation test

For this test category, a test case that appropriates the GPKI simulation test environment is added. For example, a test case can be added anticipating the addition of a new government certificate authority and a private certificate authority.

5.4.2 DoD/FPKI path verification test

For this test category, sample data from each test case related to the DoD/FPKI path verification test is saved, but new test cases will not be added.

5.4.3 Original tests

For this test category, the model cases that do not directly affect the GPKI environment itself are added. For example, these are test cases that do not necessarily require GPKI certificate authorities, such as performing path verification with a more complex constraint assigned to a name constraint.

1.1 Test Flow

1.2.1 Test Category Design

(1) GPKI Simulation Test

(2) NIST Test (Sample)

(3) Original Tests

1.2.2 Test Case Design

(1) GPKI bridge certificate authority

(2) Ministry of Economy, Trade and Industry certificate authority

(a) METI root certificate authority

(b) METI subordinate certificate authority

(3) Ministry of Land, Infrastructure and Transport certificate authority

(4) Ministry of Public Management, Home Affairs, Posts and Telecommunications certificate authority

(5) Commercial registration CA

(6) Japan Certification Services, Inc.'s A-Sign2 (A-Sign2, below)

(7) SECOM Trust.net Co., Ltd.'s Passport for G-ID (G-ID, below)

2.2.2 Repositories used for testing

(1) Simulated integrated repository

(2) Simulated A-Sign2 repository

(3) Simulated G-ID repository

2.3.1 Normal EE certificates

(1) When simulated METI root CA serves as trust anchor

(i) Test category

(ii) Test objective

(iii) Test case references

(iv) Test keywords

(b) Verification of simulated METI certificate authority EE signature data

(i) Test case name

(ii) Certification path

(iii) Input values for path verification

(c) Verification of simulated MPHPT certificate authority EE signature data

(i) Test case name

(ii) Certification Path

(iii) Input values for path verification

(d) Verification of simulated MLIT certificate authority EE signature data

(i) Test case name

(ii) Certification Path

(iii) Input values for path verification

(e) Verification of simulated A-Sign2 EE signature data

(i) Test case name

(ii) Certification Path

(iii) Input values for path verification

(f) Verification of simulated G-ID EE signature data

(i) Test case name

(ii) Certification Path

(iii) Input values for path verification

(g) Verification of simulated commercial registration EE signature data

(i) Test case name

(ii) Certification Path

(iii) Input values for path verification

(2) When simulated MPHPT certificate authority serves as trust anchor

(i) Test category

(ii) Test objective

(iii) Test case references

(iv) Test keywords

(b) Verification of simulated METI certificate authority EE signature data

(i) Test case name

(ii) Certification Path

(iii) Input values for path verification

(c) Verification of simulated MPHPT certificate authority EE signature data

(i) Test case name

(ii) Certification Path

(iii) Input values for path verification

(d) Verification of simulated MLIT certificate authority EE signature data

(i) Test case name

(ii) Certification Path

(iii) Input values for path verification

(e) Verification of simulated A-Sign2 EE signature data

(i) Test case name

(ii) Certification Path

(iii) Input values for path verification

(f) Verification of simulated G-ID EE signature data

(i) Test case name

(ii) Certification Path

(iii) Input values for path verification

(g) Verification of simulated commercial registration EE signature data

(i) Test case name

(ii) Certification Path

(iii) Input values for path verification

(3) When simulated MLIT certificate authority serves as trust anchor

(i) Test category

1.1　 Test Flow