Help with StaticPKIX test

Jonathan Bricker jbricker at
Wed Sep 7 16:05:28 BST 2011

Using the ExplicitKey method, other than asking for new signed metadata every week, what can be done with the SP to ensure the cert is not revoked or expired? And I realized that even getting new metadata every week does not prevent an expired cert from being used to sign metadata.


-----Original Message-----
From: users-bounces at [mailto:users-bounces at] On Behalf Of Cantor, Scott
Sent: Wednesday, September 07, 2011 10:52 AM
To: users at
Subject: Re: Help with StaticPKIX test

On 9/7/11 10:44 AM, "Jonathan Bricker" <jbricker at> wrote:

>The problem I'm trying to solve with this is an expired signing cert in
>the IDP metadata. Because of the setup we have with the metadata from the
>IDPs, the validUntil attribute did not seem practical (We do not have the
>SP pull the metadata from the IDPs automatically).

An expired cert will never work with PKIX by definition. The point of
using PKIX, aside from ensuring your life is hell in perpetuity, is to
substitute path validity and revocation checking for some of what metadata
alone does.

If you want to use PKIX, the way that works is with the PKIX trust engine,
which is based on extending metadata and putting KeyNames into the
KeyDescriptors. It does not use that trust engine.

To use the other trust engine, you would need a fixed set of roots that
work for all transactions, and as I said, probably would need to guarantee
the entityID is in the cert subject. There is no indirection of entities
and key names in that case.

-- Scott
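As an added example (not from this thread or the Shibboleth project): a Python check that walks the signing certificates embedded in IdP metadata and reports any whose notAfter has passed, which is exactly the gap the ExplicitKey engine leaves open. It uses only the standard library (a minimal DER walk to reach the validity field rather than an X.509 library); the entityID and the certificate are constructed sample data, not a real IdP or a real certificate.

```python
import base64, xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def _tlv(buf, pos):  # read one DER TLV at pos -> (tag, value bytes, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _time(tag, raw):  # UTCTime (0x17, RFC 5280 century rule) or GeneralizedTime (0x18)
    s = raw.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_not_after(der):  # walk Certificate -> tbsCertificate -> validity -> notAfter
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, _, pos = _tlv(tbs, 0)                  # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)              # serialNumber
    _, _, pos = _tlv(tbs, pos)                  # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                  # issuer
    _, validity, _ = _tlv(tbs, pos)             # validity ::= SEQUENCE {notBefore, notAfter}
    return _time(*_tlv(validity, _tlv(validity, 0)[2])[:2])

def expired_signing_certs(metadata_xml, now):
    """Return [(entityID, notAfter)] for every signing cert in the metadata past notAfter."""
    hits = []
    for ent in ET.fromstring(metadata_xml).iter(f"{{{MD}}}EntityDescriptor"):
        for kd in ent.iter(f"{{{MD}}}KeyDescriptor"):
            if kd.get("use", "signing") == "signing":       # no 'use' attribute = both uses
                for c in kd.iter(f"{{{DS}}}X509Certificate"):
                    not_after = cert_not_after(base64.b64decode("".join(c.text.split())))
                    if not_after < now:
                        hits.append((ent.get("entityID"), not_after))
    return hits

# Constructed sample, not a real certificate: a skeletal DER Certificate (tbsCertificate
# truncated after validity) with notAfter 2011-09-01, embedded in minimal IdP metadata.
SAMPLE_CERT = (b"\x30\x31\x30\x2f\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x03\x06\x01\x2a\x30\x00"
               b"\x30\x1e\x17\x0d100101000000Z\x17\x0d110901000000Z")
SAMPLE_METADATA = (f'<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.org/idp">'
                   '<IDPSSODescriptor><KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
                   f'<ds:X509Certificate>{base64.b64encode(SAMPLE_CERT).decode()}</ds:X509Certificate>'
                   '</ds:X509Data></ds:KeyInfo></KeyDescriptor></IDPSSODescriptor></EntityDescriptor>')
```

Run `expired_signing_certs(open("idp-metadata.xml").read(), datetime.now(timezone.utc))` from cron against the locally kept metadata files to get a warning before the SP silently keeps trusting a key whose certificate has lapsed.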
