~~NOTOC~~
====== 5. Validation & Trust ======
**Scenarios:** 5 \\
**FFI Functions:** ~40 \\
**Status:** Planned
This category covers the scenarios for validating certificates and certificate chains: chain building, revocation checks, and policy validation.
----
===== Scenarios =====
^ ID ^ Scenario ^ Description ^ Complexity ^ Status ^
| [[.:chain_building|5.1]] | Chain Building | Build certificate chain | *** | Planned |
| [[.:chain_validation|5.2]] | Chain Validation | Complete chain verification | **** | Planned |
| [[.:revocation_check|5.3]] | Revocation Check | CRL/OCSP status verification | *** | Planned |
| [[.:policy_validation|5.4]] | Policy Validation | Check certificate policies | *** | Planned |
| [[.:name_constraints|5.5]] | Name Constraints | Verify namespace restrictions | **** | Planned |
----
===== Validation Process =====
<mermaid>
flowchart TB
    START[Receive certificate] --> BUILD[Chain Building]
    BUILD --> SIG[Verify signature]
    SIG --> TIME[Check validity]
    TIME --> REV[Check revocation]
    REV --> POLICY[Check policy]
    POLICY --> CONSTR[Check constraints]
    CONSTR --> RESULT{Result}
    RESULT --> |OK| VALID[Valid]
    RESULT --> |Error| INVALID[Invalid]
    style VALID fill:#e8f5e9
    style INVALID fill:#ffcdd2
</mermaid>
----
===== Validation Steps =====
^ Step ^ Check ^ Error Condition ^
| 1. Chain Building | Build chain to trust anchor | Missing intermediate |
| 2. Signature | Each certificate signed by issuer | Invalid signature |
| 3. Validity | notBefore <= now <= notAfter | Expired / Not yet valid |
| 4. Basic Constraints | CA flag, pathLen | Non-CA signs certificate |
| 5. Key Usage | keyCertSign for CAs | Wrong key usage |
| 6. Revocation | CRL or OCSP | Revoked |
| 7. Policy | Certificate Policies | Policy not accepted |
| 8. Name Constraints | permitted/excluded subtrees | Name outside scope |
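The steps in the table, run end to end with the Go standard library as an added example (this is not the WvdS library's code and assumes Go 1.19 or newer). Steps 1 to 5 and 8 are performed by crypto/x509's chain verifier; step 6 is done against a CRL signed by the issuing CA, and all certificates are constructed in the example itself: a root constrained to example.com, an intermediate, a valid leaf, a leaf outside the permitted subtree and a revoked leaf.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newCert builds a certificate for cn signed by parent (self-signed when parent is nil); CAs get keyCertSign/cRLSign and optional permitted DNS subtrees, leaves a SAN plus serverAuth.
func newCert(cn string, serial int64, ca bool, permitted []string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, PermittedDNSDomains: permitted} // step 4 + step 8 data
	if ca { t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign } else {
		t.KeyUsage, t.DNSNames, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil { parent, pkey = t, key } // self-signed trust anchor
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Validate runs chain building, signature, validity, basic constraints, key usage and name constraints via Verify (steps 1-5, 8), then the CRL check (step 6).
func Validate(leaf, inter, root *x509.Certificate, crl *x509.RevocationList, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host}); err != nil { return err }
	if err := crl.CheckSignatureFrom(inter); err != nil { return err } // a CRL is only trusted if the issuer signed it
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 { return errors.New("revoked") }
	}
	return nil
}

// Scenario returns the validation result for a valid leaf, a leaf outside the name constraint and a revoked leaf (nil means valid).
func Scenario() (good, outside, revoked error) {
	root, rootKey := newCert("Root CA", 1, true, []string{"example.com"}, nil, nil)
	inter, interKey := newCert("Issuing CA", 2, true, nil, root, rootKey)
	ok, _ := newCert("www.example.com", 3, false, nil, inter, interKey)
	bad, _ := newCert("www.other.net", 4, false, nil, inter, interKey) // DNS name outside the permitted subtree
	rev, _ := newCert("api.example.com", 5, false, nil, inter, interKey)
	der, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: rev.SerialNumber, RevocationTime: time.Now()}}}, inter, interKey)
	crl, _ := x509.ParseRevocationList(der)
	return Validate(ok, inter, root, crl, "www.example.com"), Validate(bad, inter, root, crl, "www.other.net"), Validate(rev, inter, root, crl, "api.example.com")
}
```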
----
===== Revocation Strategies =====
^ Method ^ Advantages ^ Disadvantages ^ Usage ^
| **CRL** | Offline capable, simple | Large files, delay | Enterprise, Offline |
| **OCSP** | Real-time, compact | Server required | Online services |
| **OCSP Stapling** | Performance, privacy | TLS server support needed | Web servers |
----
===== Industry-Specific Requirements =====
^ Industry ^ Revocation ^ Specifics ^
| **Energy/SCADA** | CRL (Offline) | No internet connection possible |
| **Healthcare** | OCSP | Real-time validation for ePrescription |
| **Automotive** | CRL + OCSP | V2X requires fast verification |
| **Industry 4.0** | CRL | Production networks isolated |
----
===== Quick Start Code =====
<code csharp>
using System;
using System.Linq;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

// ctx: the library's validation context, created beforehand (not shown here)
// Load trust store (PKCS#7 bundle of trust anchors)
var trustStore = ctx.LoadTrustStore("trust-store.p7b");

// Validate certificate against the trust store, including revocation and policy checks
var result = ctx.ValidateCertificate(
    certificate: serverCert,
    trustStore: trustStore,
    options: new ValidationOptions
    {
        CheckRevocation = true,
        RevocationMode = RevocationMode.Online, // CRL + OCSP
        ValidatePolicy = true,
        AcceptedPolicies = new[] { "1.3.6.1.4.1.99999.1.1" } // Custom Policy OID
    }
);

if (result.IsValid)
{
    Console.WriteLine("Certificate valid");
    // Print the subjects of the built chain
    Console.WriteLine($"Chain: {string.Join(" -> ", result.Chain.Select(c => c.Subject))}");
}
else
{
    Console.WriteLine($"Error: {result.ErrorCode} - {result.ErrorMessage}");
}
</code>
----
===== Related Categories =====
^ Category ^ Relationship ^
| [[.:pki:start|1. PKI Infrastructure]] | Set up trust store |
| [[.:widerruf:start|6. Revocation]] | Provide CRL/OCSP |
| [[.:tls:start|10. TLS/mTLS]] | Validation in TLS handshake |
----
<< [[en:int:pqcrypt:szenarien:verwaltung:start|<- 4. Manage Certificates]] | [[en:int:pqcrypt:szenarien:start|^ Scenarios]] | [[.:widerruf:start|6. Revocation ->]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>category validation chain trust revocation policy}}