Delegated Path Validation (DPV) is a cryptographic method used to offload the task of validating the certification path of digital certificates from the client to a trusted server.
Certificate path validation
[Figure: Diagram illustrating the chain of trust of a digital certificate, showing the hierarchy from the root CA to the end-entity certificate.]
Certificate path validation is a crucial process in PKI that ensures the authenticity and trustworthiness of a digital certificate. This process is standardized in and involves verifying a chain of certificates, starting from the certificate being validated (the end-entity certificate) and working up to a trusted root certificate authority (CA). The validation process involves several key steps. A self-signed certificate can be used to designate the public key, issuer name, and validity period of a trust anchor. Additional constraints for trust anchors can be defined, such as certification policy constraints or naming constraints; these constraints can also be carried in the self-signed certificate itself.
When a certificate is validated successfully according to the specified validation policy, the DPV server should include this information in its response if the client requested it. However, if the certificate is found to be invalid, or if the server cannot determine its validity, the server may omit this information to avoid unnecessary disclosure of potentially sensitive details.
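The following is an added example, not code from the original article or from any DPV implementation: a simplified Python model of the server-side logic described above. It walks a constructed chain from the end-entity certificate up to a trust anchor, applies the anchor's validity period and naming constraint, and discloses policy and path details only when the path is valid. Real X.509 parsing and signature verification are abstracted into a `signature_ok` field (an assumption) so the example runs offline.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed model of a DPV server's path check. Certificates are plain
# records; signature verification against the issuer's key is assumed to have
# already produced the boolean signature_ok (assumption for this example).

@dataclass
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    signature_ok: bool = True  # assumed result of verifying with issuer's key

@dataclass
class TrustAnchor:
    name: str                   # issuer name the anchor vouches for
    not_after: datetime         # validity period of the anchor
    permitted_suffix: str = ""  # naming constraint, e.g. ".example.com"
    policy: str = "default"     # validation policy identifier

def utc(year, month=1, day=1):
    """Helper to build timezone-aware dates for certificate validity."""
    return datetime(year, month, day, tzinfo=timezone.utc)

def validate_path(chain, anchor, now):
    """Walk from the end-entity certificate (chain[0]) up to the trust anchor.
    Returns (ok, reason); reason is only meaningful when ok is False."""
    if not chain:
        return False, "empty path"
    if now > anchor.not_after:
        return False, "trust anchor expired"
    for i, cert in enumerate(chain):
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject}: outside validity period"
        if not cert.signature_ok:
            return False, f"{cert.subject}: bad signature"
        if anchor.permitted_suffix and not cert.subject.endswith(anchor.permitted_suffix):
            return False, f"{cert.subject}: violates name constraint"
        # each certificate must be issued by the next one up, or by the anchor
        expected_issuer = chain[i + 1].subject if i + 1 < len(chain) else anchor.name
        if cert.issuer != expected_issuer:
            return False, f"{cert.subject}: issuer mismatch"
    return True, ""

def dpv_response(chain, anchor, now, want_details=False):
    """Report validity; disclose policy/path details only for a valid path."""
    ok, _reason = validate_path(chain, anchor, now)
    resp = {"status": "valid" if ok else "invalid"}
    if ok and want_details:
        resp["policy"] = anchor.policy
        resp["path"] = [c.subject for c in chain] + [anchor.name]
    return resp
```

A failed validation deliberately returns only `{"status": "invalid"}`; the failure reason stays server-side, matching the disclosure behaviour described above.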
