Validate signatures using Anchored certificate trust model
Cantor, Scott
cantor.2 at osu.edu
Mon May 13 17:51:11 EDT 2019
On 5/13/19, 5:05 PM, "users on behalf of irfan sarwar" <users-bounces at shibboleth.net on behalf of isarwar3334 at gmail.com> wrote:
> 1.) Does this mean CRL is automatically done on the dynamic PKIX?
There's a revocation topic under "Dynamic PKIX" on that page that answers your question.
> 2.) what about checking expiration?
Expiration is always checked because OpenSSL does it. There are things that violate PKIX in that code (e.g. all roots must be self-signed), and those are because OpenSSL has bugs in its verifier.
> 3.) does this mean all I would need to do for an Anchor verification is set the trust engine like so:
>
> <TrustEngine type="PKIX">
>
> and my requirement for Validating signatures using Anchored certificate trust model would be complete?
No, since that engine requires proprietary extensions in the metadata, as it documents. There are no trust anchors defined unless you use the static engine and define them. The dynamic engine does not have any by definition, they come from the metadata.
Don't do this. It's a very bad idea and that code is essentially unofficially deprecated; the static variant is there for verifying metadata or configuration files.
-- Scott