x.509 questions

am 08.06.2007 03:50:58 von bsd_mike

Just wondering what is the process that a system goes through to validate an x.509 certificate.

For example, say a web client gets a certificate from a web server that has been signed by a trusted certificate authority, how does the client check the validity?

Does the client connect with the CA for this verification and if so, what protocol defines how this communication takes place? Is there an RFC that defines this?

Or does the client have a bunch of built-in public keys for well-known CAs?

I hope I am phrasing my question correctly. In a nutshell: how does a client figure out if a certificate is valid? If it needs to connect with a CA, which RFC defines the protocol it uses for the connection?

Assuming it does have to connect with the CA, how does the client know
that it is really connected to the CA and not some other place because
Garth has mucked with the DNS server?

Thanks in advance.
-Mike

Re: x.509 questions

am 08.06.2007 21:20:26 von Bruce Stephens

bsd_mike writes:

[...]

> Does client connect with the CA for this verification and if so,
> what protocol defines how this communication takes place? Is there
> an RFC that defines this?
>
> Or does the client have a bunch of built in public keys for well
> known CA's?

Yes, the latter. You need a set of trust anchors---
pairs that you trust. That's something you can't really get safely
over protocol, as you indicate. So it's assumed to be local.

Probably the easiest place to look is RFC 3280. Section 6 describes
certificate path validation.

[...]
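An added example (not part of this thread) of the local-trust-anchor model the reply describes, using Go's standard library path validator: a toy root CA and a server certificate are built in memory, and the leaf is accepted only when that root is supplied locally as an anchor, with no network contact to any CA. The CA and host names are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with the issuer's key (signer) and parses the resulting DER.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildChain creates a constructed root CA and a server certificate it signs, entirely in memory.
func BuildChain() (root, leaf *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Toy Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed: the trust anchor
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames: []string{"www.example.test"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf = issue(leafTmpl, root, &leafKey.PublicKey, rootKey) // signed with the root's private key
	return root, leaf
}

// Validate runs path validation (RFC 3280 sec. 6 style): chain the leaf to one of the anchors
// held locally, checking each signature, the validity period, CA constraints and the host name.
func Validate(leaf *x509.Certificate, anchors []*x509.Certificate, host string) error {
	pool := x509.NewCertPool() // starts empty: nothing is trusted unless added here
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

Calling Validate with an empty anchor list returns an UnknownAuthorityError even though the leaf's signature is perfectly good, which is exactly why the anchors have to be shipped with the client rather than fetched.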