Help with StaticPKIX test

Jonathan Bricker jbricker at exacttarget.com
Wed Sep 7 16:05:28 BST 2011


Using the ExplicitKey method, other than asking for new signed metadata every week, what can be done with the SP to ensure the cert is not revoked or expired? And I realized that even getting new metadata every week does not prevent an expired cert from being used to sign metadata.

thanks

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Wednesday, September 07, 2011 10:52 AM
To: users at shibboleth.net
Subject: Re: Help with StaticPKIX test

On 9/7/11 10:44 AM, "Jonathan Bricker" <jbricker at exacttarget.com> wrote:

>The problem I'm trying to solve with this is an expired signing cert in
>the IDP metadata. Because of the setup we have with the metadata from the
>IDPs, the validUntil attribute did not seem practical (We do not have the
>SP pull the metadata from the IDPs automatically).

An expired cert will never work with PKIX by definition. The point of
using PKIX, aside from ensuring your life is hell in perpetuity, is to
substitute path validity and revocation checking for some of what metadata
alone does.

If you want to use PKIX, the way that works is with the PKIX trust engine,
which is based on extending metadata and putting KeyNames into the
KeyDescriptors. It does not use that trust engine.

To use the other trust engine, you would need a fixed set of roots that
work for all transactions, and as I said, probably would need to guarantee
the entityID is in the cert subject. There is no indirection of entities
and key names in that case.

-- Scott
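To make the distinction in Scott's reply concrete, and to give an operator one answer to the question above, here is an added example that is not from the thread or from the Shibboleth project. It scans a SAML metadata file and reports, per entity, whether a signing KeyDescriptor names a key (the PKIX trust engine's indirection through KeyName) or embeds a certificate (ExplicitKey), and for embedded certificates reads the notAfter date so that an expired signing certificate can be flagged before the SP silently keeps trusting it. The entity IDs, the metadata document and the certificate bytes are all constructed for this example; the certificate reader is a minimal DER walker that assumes a standard, well-formed TBSCertificate layout and stops at the Validity sequence.

```python
"""Added example (not the thread's or Shibboleth's code): audit KeyDescriptors
in SAML metadata and flag expired ExplicitKey signing certificates."""
import base64
import datetime
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
AS_OF = datetime.datetime(2011, 9, 7, 16, 5, 28)  # "now" for the report


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def cert_not_after(der):
    """notAfter of a DER X.509 certificate (assumes standard TBSCertificate order:
    [0] version OPTIONAL, serialNumber, signature, issuer, validity, ...)."""
    _, pos, _ = read_tlv(der, 0)           # enter Certificate
    _, pos, _ = read_tlv(der, pos)         # enter TBSCertificate
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                        # explicit [0] version present
        pos = end
    for _ in range(3):                     # skip serialNumber, signature, issuer
        _, _, pos = read_tlv(der, pos)
    _, pos, _ = read_tlv(der, pos)         # enter Validity
    _, _, pos = read_tlv(der, pos)         # skip notBefore
    tag, start, end = read_tlv(der, pos)   # notAfter
    text = der[start:end].decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ")


def der_tlv(tag, body):
    """Minimal DER encoder, used only to build the constructed sample cert."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_cert(not_before, not_after):
    """Constructed, unsigned certificate-shaped DER: enough for the walker."""
    alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    validity = der_tlv(0x30, der_tlv(0x17, not_before) + der_tlv(0x17, not_after))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg + der_tlv(0x30, b"") + validity + der_tlv(0x30, b"") + der_tlv(0x30, b""))
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))


# Constructed metadata: one IdP with an embedded (already expired) signing cert,
# one IdP that only names its key, as the PKIX trust engine expects.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="{md}" xmlns:ds="{ds}">
 <md:EntityDescriptor entityID="https://idp-a.example.org/idp" validUntil="2011-10-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert}</ds:X509Certificate>
   </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp-b.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>idp-b.example.org</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>""".format(
    md=MD, ds=DS,
    cert=base64.b64encode(build_sample_cert(b"100901000000Z", b"110901000000Z")).decode())


def audit_metadata(xml_text, now=AS_OF):
    """Return (entityID, use, mode, notAfter-or-None, status) per KeyDescriptor."""
    report = []
    for ent in ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor"):
        eid = ent.get("entityID")
        for kd in ent.iter(f"{{{MD}}}KeyDescriptor"):
            use = kd.get("use", "signing+encryption")
            name = kd.find(f".//{{{DS}}}KeyName")
            b64 = kd.find(f".//{{{DS}}}X509Certificate")
            if b64 is not None:            # ExplicitKey: the bytes in metadata are the trust anchor
                not_after = cert_not_after(base64.b64decode("".join(b64.text.split())))
                report.append((eid, use, "ExplicitKey", not_after,
                               "expired" if not_after < now else "ok"))
            elif name is not None:         # PKIX engine: key resolved by name against trusted roots
                report.append((eid, use, "PKIX:" + name.text.strip(), None, "n/a"))
    return report


if __name__ == "__main__":
    for row in audit_metadata(SAMPLE_METADATA):
        print(row)
```

The point the report makes is the one the thread turns on: with ExplicitKey the metadata bytes are the trust anchor, so nothing in the SP's trust evaluation looks at notAfter or at revocation; a check like this has to be run by the operator (or the metadata publisher) outside the trust engine. In a real deployment the hand-rolled DER walker would be replaced by OpenSSL or an X.509 library, and the same loop could also compare the EntityDescriptor's validUntil against the current time.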
