Best debug logging to enable

Cantor, Scott cantor.2 at
Thu Sep 6 13:26:44 EDT 2018

Just turn off the PKIX engine altogether (you wouldn't even have it on unless it's a V2 SP or an old config). With that off, the KeyInfo simply doesn't matter and you have a simple answer: either the metadata's wrong or their code is.

As it is, you still know that. If it falls into PKIX then by definition the metadata did not work, but that means nothing when you can't trust the signer's code to be correctly implemented. All you can do is narrow the options and then get ready for an endless argument with a vendor.

I would put all of the certificates they embed into the metadata for testing, in separate KeyDescriptors, and then you know with no doubt that none of them work and they have a bug.

-- Scott
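
The test described in the message above, sketched as an added example that is not part of the original post or of any SP's code: it lists every certificate a captured signed message embeds in its KeyInfo and emits a signing KeyDescriptor for each one the metadata does not already carry for signing. The function names and the sample inputs are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# Assumes the md: and ds: prefixes are declared on the enclosing EntityDescriptor.
TEMPLATE = """<md:KeyDescriptor use="signing">
  <ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo>
</md:KeyDescriptor>"""

def certs_under(element):
    """Base64 bodies of every ds:X509Certificate below element, whitespace removed."""
    found = []
    for node in element.iter(DS + "X509Certificate"):
        body = re.sub(r"\s+", "", node.text or "")
        if not B64.fullmatch(body):
            raise ValueError("X509Certificate content is not base64")
        if body not in found:
            found.append(body)
    return found

def missing_key_descriptors(message_xml, metadata_xml):
    """KeyDescriptors for certs the message embeds but the metadata lacks for signing."""
    trusted = set()
    for kd in ET.fromstring(metadata_xml).iter(MD + "KeyDescriptor"):
        if kd.get("use") != "encryption":  # no use attribute covers signing too
            trusted.update(certs_under(kd))
    embedded = certs_under(ET.fromstring(message_xml))
    return [TEMPLATE.format(c) for c in embedded if c not in trusted]

# Constructed inputs: placeholder base64, not real certificates or a real signature.
MESSAGE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>Q0VS
VEE=</ds:X509Certificate>
  <ds:X509Certificate>Q0VSVEI=</ds:X509Certificate>
</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"""
METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/constructed">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q0VSVEE=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""

if __name__ == "__main__":
    print("\n".join(missing_key_descriptors(MESSAGE, METADATA)) or "nothing to add")
```

An empty result means every embedded certificate is already in the metadata as a signing key, so a signature that still fails to verify against them points at the signer's code.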
