>Using the ExplicitKey method, other than asking for new signed metadata
>every week, what can be done with the SP to ensure the cert is not
>revoked or expired?  And I realized that even getting new metadata every
>week does not prevent an expired cert from being used in signing

The whole point is to allow for expired certs. There is no other way other
than obtaining new metadata, any more than there is any way with PKIX
other than to acquire new CRLs just as often. You were planning on that,

Regardless, I didn't say you couldn't use PKIX, I said that you're using
the wrong PKIX engine. The one intended for runtime messages is called
"PKIX" and is automatically configured. You just aren't using it. Your
metadata has to identify the allowable trust anchors and key names. This
is not well-documented anymore because it is not the recommended approach
in this software.

I suspect there are some federations around with examples of this kind of

