Help with StaticPKIX test

Cantor, Scott cantor.2 at
Wed Sep 7 18:02:14 BST 2011

On 9/7/11 12:53 PM, "Jonathan Bricker" <jbricker at> wrote:

>I understand what you are saying and I would rather not use PKIX but what
>prevents an IDP from signing the metadata with an expired cert?  I'm not
>sure I can just trust the IDPs admins to police themselves.

Shibboleth is designed around trusted third party federation. Point to
point federation essentially makes the whole issue moot. If you have so
few partners, you can exchange metadata out of band and notify partners of
changes, just like the commercial products do it.

But if you don't trust the IdP administrator, there are probably no
solutions that will work. Any trust model will devolve on some level to
the administrator doing some things correctly, and you should probably not
trust the IdP. If you want to be explicit about what you don't trust, that
might make it clearer.

But to answer the question, if you plan to trust somebody to sign their
own metadata and use some out of band process to get the signing key, then
you can verify the metadata explictly with that key (a la InCommon), or
you can apply PKIX via the StaticPKIX engine inside the SignatureFilter,
which means the metadata signature can't use an expired certificate (a la

At this point, I don't know what the actual goal is here or what you're
trying to use where.

You might want to start by explaining what exactly you're trying to
verify. The original message implied to me you meant runtime, not metadata.

-- Scott

More information about the users mailing list