Versions Compared

Old Version 6

changes.mady.by.user Ian Young

Saved on

compared with

New Version 7

changes.mady.by.user Rod Widdowson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The PKIX engines (type="PKIX", type="StaticPKIX")  this Trust Engine evaluate certificates against "key names" identified in metadata and then against a set of PXIX validation rules either embedded in a metadata extension or configured locally/statically. It is a superset of the older ShibbolethTrustEngine.

Table of Contents

Experience has shown that this approach is significantly more complex than the ExplicitKeyTrustEngine, and it is not recommended for most deployments.

...

Attributes

Common Attributes

Name

Type

Default

Description

type 

type 

string

Required
PKIXK or StaticPKIX

Plugin type name.

Specific Attributes (StaticPKIX only)

Name

Type

Default

Description

verifyDepth

integer

1

Length of CA chain to permit.

certificate 

local pathname


Optional path to a file with one or more CA certificate to trust.

checkRevocation 

"off", "entityOnly", "fullChain"

"off"

Controls the behavior of CRL checking by the trust engine. If omitted or set to "off", no CRLs are used at all. The other options require that at least one CRL be available and will fail the check otherwise. The "fullChain" option requires that a CRL be available for all untrusted certificates in the validation path, otherwise only a CRL for the end entity certificate is required.

Child Elements

Common child Elements

Name

Cardinality

Description

<KeyInfoResolver> 

<KeyInfoResolver> 

0 or 1

Advanced plugin interface for mapping <ds:KeyInfo> elements into keying material. Mostly for future use.

Specific Child Elements (StatixPKIX only)

Name

Cardinality

Description

<CredentialResolver

0 or 1

A credential resolver plugin to use to load the CA certificate(s) to trust

Validating Signatures

This engine is predicated on the assumption that the actual signing key isn't known ahead of time. Therefore, the signature MUST carry keying material (in the form of X.509 certificates) inside an accompanying <ds:KeyInfo> element inside the signature/message.

...

The following <ds:KeyInfo> children can be resolved into key names without additional plugin support:

  • <ds:KeyName>

The following names from the certificate being validated are used to find a name that matches one of the key names:

  • subject DN in reverse/LDAP comma-separated syntax, with or without spaces (see RFC 2253)

  • subject CN

  • any DNS and URL subjectAltNames

Matches are performed in a case-insensitive way, so that for example <ds:KeyName>example.org</ds:KeyName> will match a subject CN of Example.Org, and
<ds:KeyName>Example.Org</ds:KeyName> will match a subject CN of example.org.

...

The following <ds:KeyInfo> children can be resolved into trust anchors and CRLs without additional plugin support:

  • <ds:X509Data> / <ds:X509Certificate>

  • <ds:X509Data> / <ds:X509CRL>

Each <ds:KeyInfo> represents a single trust anchor (possibly including a chain of intermediates) along with any applicable CRLs. Multiple trust anchors should be captured in separate <ds:KeyInfo> elements.

...