Help with StaticPKIX test

Cantor, Scott cantor.2 at
Wed Sep 7 15:52:21 BST 2011

On 9/7/11 10:44 AM, "Jonathan Bricker" <jbricker at> wrote:

>The problem I'm trying to solve with this is an expired signing cert in
>the IDP metadata. Because of the setup we have with the metadata from the
>IDPs, the validUntil attribute did not seem practical (We do not have the
>SP pull the metadata from the IDPs automatically).

An expired cert will never work with PKIX by definition. The point of
using PKIX, aside from ensuring your life is hell in perpetuity, is to
substitute path validity and revocation checking for some of what metadata
alone does.

If you want to use PKIX, the way that works is with the PKIX trust engine,
which is based on extending metadata and putting KeyNames into the
KeyDescriptors. It does not use that trust engine.

To use the other trust engine, you would need a fixed set of roots that
work for all transactions, and as I said, probably would need to guarantee
the entityID is in the cert subject. There is no indirection of entities
and key names in that case.

-- Scott

More information about the users mailing list