Help with StaticPKIX test

Jonathan Bricker jbricker at
Wed Sep 7 17:53:32 BST 2011

I understand what you are saying and I would rather not use PKIX but what prevents an IDP from signing the metadata with an expired cert?  I'm not sure I can just trust the IDPs admins to police themselves.


-----Original Message-----
From: users-bounces at [mailto:users-bounces at] On Behalf Of Cantor, Scott
Sent: Wednesday, September 07, 2011 11:20 AM
To: users at
Subject: Re: Help with StaticPKIX test

On 9/7/11 11:05 AM, "Jonathan Bricker" <jbricker at> wrote:

>Using the ExplicitKey method, other than asking for new signed metadata
>every week, what can be done with the SP to ensure the cert is not
>revoked or expired?  And I realized that even getting new metadata every
>week does not prevent an expired cert from being used in signing

The whole point is to allow for expired certs. There is no way other
than obtaining new metadata, any more than there is any way with PKIX
other than to acquire new CRLs just as often. You were planning on that,

Regardless, I didn't say you couldn't use PKIX, I said that you're using
the wrong PKIX engine. The one intended for runtime messages is called
"PKIX" and is automatically configured. You just aren't using it. Your
metadata has to identify the allowable trust anchors and key names. This
is not well-documented anymore because it is not the recommended approach
in this software.

I suspect there are some federations around with examples of this kind of

-- Scott
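An added example, not from this thread or from the Shibboleth project, showing where the two points above land in an SP's shibboleth2.xml: the metadata Signature filter checks the federation's signature on the metadata document, RequireValidUntil bounds how far ahead a metadata copy may claim validity (so key retirement happens through refresh, not through certificate expiry), and the Chaining engine keeps ExplicitKey beside the runtime PKIX engine, which takes its trust anchors and key names from the metadata. File names, the URL and the intervals are placeholders; the chaining layout is assumed to mirror the SP 2.x default.

```xml
<!-- Placed inside <ApplicationDefaults> of shibboleth2.xml (placeholder values) -->

<!-- Federation metadata: reloaded every 2 hours, signature verified against
     the federation signing certificate, validUntil required and capped -->
<MetadataProvider type="XML"
                  url="https://federation.example.org/metadata.xml"
                  backingFilePath="federation-metadata.xml"
                  reloadInterval="7200">
    <!-- Verify the federation's signature on the metadata document;
         this is what lets the SP trust the IdP keys the metadata carries -->
    <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
    <!-- Reject metadata with no validUntil, or with validUntil more than
         28 days out, so a stale copy cannot keep an old key alive -->
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
</MetadataProvider>

<!-- Runtime trust engine for signed messages from IdPs: ExplicitKey matches
     the key published in metadata regardless of certificate dates; the PKIX
     engine uses the trust anchors and key names the metadata identifies -->
<TrustEngine type="Chaining">
    <TrustEngine type="ExplicitKey"/>
    <TrustEngine type="PKIX"/>
</TrustEngine>
```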
