Am I right in my conclusion that validation of a certificate by a client that wishes to communicate with a server that offers said certificate is done completely locally? As in, the client is supposed to have all information (e.g. the CA's public key, used to sign the server's certificate) already locally available?
The exceptions being, I think, comparing the IP address/DNS information offered through the certificate with the real-world server's address and domain name.
An answer in another question (SSL Certificate Trust Model) in fact explicitly states "In fact that's the whole idea of certificates: to allow offline validation.". Is that true?