Help with StaticPKIX test
Jonathan Bricker
jbricker at exacttarget.com
Wed Sep 7 17:53:32 BST 2011
I understand what you are saying and I would rather not use PKIX but what prevents an IDP from signing the metadata with an expired cert? I'm not sure I can just trust the IDPs admins to police themselves.
thanks
-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Wednesday, September 07, 2011 11:20 AM
To: users at shibboleth.net
Subject: Re: Help with StaticPKIX test
On 9/7/11 11:05 AM, "Jonathan Bricker" <jbricker at exacttarget.com> wrote:
>Using the ExplicitKey method, other than asking for new signed metadata
>every week, what can be done with the SP to ensure the cert is not
>revoked or expired? And I realized that even getting new metadata every
>week does not prevent the use of an expired cert to be used in signing
>metadata.
The whole point is to allow for expired certs. There is no other way other
than obtaining new metadata, any more than there is any way with PKIX
other than to acquire new CRLs just as often. You were planning on that,
right?
Regardless, I didn't say you couldn't use PKIX, I said that you're using
the wrong PKIX engine. The one intended for runtime messages is called
"PKIX" and is automatically configured. You just aren't using it. Your
metadata has to identify the allowable trust anchors and key names. This
is not well-documented anymore because it is not the recommended approach
in this software.
I suspect there are some federations around with examples of this kind of
metadata.
-- Scott
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users
mailing list