Validate signatures using Anchored certificate trust model

Cantor, Scott cantor.2 at
Mon May 13 17:51:11 EDT 2019

On 5/13/19, 5:05 PM, "users on behalf of irfan sarwar" <users-bounces at on behalf of isarwar3334 at> wrote:

> 1.) Does this mean CRL is automatically done on the dynamic PKIX?

There's a revocation topic under "Dynamic PKIX" on that page that answers your question.

> 2.) what about checking expiration?

Expiration is always checked because OpenSSL does it. There are things that violate PKIX in that code (e.g. all roots must be self-signed), and those are because OpenSSL has bugs in its verifier.

> 3.) does this mean all I would need to do for an Anchor verification is set the trust engine like so:
>         <TrustEngine type="PKIX">
> and my requirement for Validating signatures using Anchored certificate trust model would be complete?

No, since that engine requires proprietary extensions in the metadata, as it documents. There are no trust anchors defined unless you use the static engine and define them. The dynamic engine does not have any by definition; they come from the metadata.

Don't do this. It's a very bad idea, and that code is essentially unofficially deprecated; the static variant is there for verifying metadata or configuration files.

-- Scott
