...

Each <md:KeyDescriptor> is resolved into a set of key names. The enclosing entity's unique identifier (its entityID) is also treated as a key name. The certificate being evaluated is then matched against this set of names. When a TLS connection is being initiated, the destination hostname is the only key name involved, because the matching is implicit in the TLS layer.
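
The name resolution described above, as an added example that is not code from the original page or from the software it documents: it builds the key-name set for a constructed entity and checks a certificate's names against it. The function names, the use of ds:KeyName as the source of names, the exact-string comparison, and the idea that the certificate contributes its subject CN and subjectAltName values are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed metadata for a hypothetical entity (sample input, not from the page).
METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:KeyName>idp.example.org</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:KeyName> login.example.org </ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def trusted_key_names(metadata_xml, tls_hostname=None):
    """Return the set of key names a presented certificate may match."""
    if tls_hostname is not None:
        # Initiating TLS: the destination hostname is the only key name.
        return {tls_hostname}
    # Sample input is constructed; use a hardened parser for untrusted metadata.
    entity = ET.fromstring(metadata_xml)
    names = {entity.attrib["entityID"]}  # the entityID is itself a key name
    path = ".//md:KeyDescriptor/ds:KeyInfo/ds:KeyName"
    for key_name in entity.iterfind(path, NS):
        text = (key_name.text or "").strip()
        if text:  # ignore empty <ds:KeyName/> elements
            names.add(text)
    return names


def certificate_matches(cert_names, key_names):
    """True if any name taken from the certificate is in the key-name set.

    cert_names is assumed to hold the certificate's subject CN and
    subjectAltName values, extracted by the caller.
    """
    return not set(cert_names).isdisjoint(key_names)
```
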

The following <ds:KeyInfo> children can be resolved into key names without additional plugin support:

...