Validate signatures using Anchored certificate trust model
irfan sarwar
isarwar3334 at gmail.com
Mon May 13 17:04:55 EDT 2019
Hi,
https://wiki.shibboleth.net/confluence/display/SP3/PKIX+and+StaticPKIX+TrustEngines
Above is the documentation I found, which I believe is stating I need to use
PKIX (also known as dynamic PKIX) or StaticPKIX in order to make use of the
anchored trust model.
What's missing is that only StaticPKIX has an explicitly listed attribute for
CRL revocation check (checkRevocation fullchain).
1.) Does this mean CRL is automatically done on the dynamic PKIX?
2.) What about checking expiration?
3.) Does this mean all I would need to do for an Anchor verification is set
the trust engine like so:
<TrustEngine type="PKIX">
and my requirement for Validating signatures using Anchored certificate
trust model would be complete?
Also,
https://wiki.shibboleth.net/confluence/display/SP3/TrustEngine
The above lists 3 types of trust engines, not 4, but the text says there are 4.
Thank you,
Irfan