...
Four types of trust engine are available by default; they are distinguished by the type="" attribute.
| Type | Description |
|---|---|
| | Extracts keys to trust directly from the metadata of the peer. |
| | Extracts key identifiers (i.e. certificate names) to trust from the metadata of the peer, but also extracts sets of trust anchors from a special metadata extension and then applies path validation to candidate certificates. |
| Static PKIX | Extracts key identifiers (i.e. certificate names) to trust from the metadata of the peer, and then applies path validation to candidate certificates based on a static list of trust anchors. The difference from the previous engine is that the list of anchors is fixed and does not vary based on whose credentials are being examined. |
...