Comment: Migrated to Confluence 5.3

...

  • processEmptyCRLs - (boolean) Default is true. Flag indicates whether or not an empty CRL should be processed, whether specified as trusted validation info or carried inline in the X509Credential being evaluated (e.g. within a signature's KeyInfo element). Some implementations have been known to fail on empty CRLs.
  • processExpiredCRLs - (boolean) Default is true. Flag indicates whether or not an expired CRL should be processed, whether specified as trusted validation info or carried inline in the X509Credential being evaluated (e.g. within a signature's KeyInfo element).
  • processCredentialCRLs - (boolean) Default is true. Flag indicates whether CRLs carried inline with an X509Credential should be processed (e.g. within a signature's KeyInfo element).
  • defaultVerificationDepth - (integer) Default is 1. The PKIX path verification depth to use, if not otherwise specified in the resolved PKIX validation info (e.g. from metadata shibmd:KeyAuthority elements or from static ValidationInfo on the trust engine).
  • forceRevocationEnabled - (boolean) Default is false. If true, the value passed to the CertPath API's PKIXBuilderParameters setRevocationEnabled is forced to the value supplied by revocationEnabled. If false, the revocation behavior is determined dynamically as follows: if any CRLs are effectively present from validation info or in the untrusted X509Credential being evaluated (taking into consideration the processing of the other flags detailed above), revocation is set to true. If no CRLs are present, revocation is set to false.
  • revocationEnabled - (boolean) Default is true. See description of forceRevocationEnabled.

Examples

<!-- Force CertPath API PKIXBuilderParameters setRevocationEnabled to "true" -->
<ValidationOptions xsi:type="CertPathValidationOptionsType" forceRevocationEnabled="true" revocationEnabled="true" xmlns="urn:mace:shibboleth:2.0:security"/>

<!-- Force CertPath API PKIXBuilderParameters setRevocationEnabled to "false" -->
<ValidationOptions xsi:type="CertPathValidationOptionsType" forceRevocationEnabled="true" revocationEnabled="false" xmlns="urn:mace:shibboleth:2.0:security"/>

<!-- Allow CertPath API PKIXBuilderParameters setRevocationEnabled to be determined dynamically by the trust engine. -->
<ValidationOptions xsi:type="CertPathValidationOptionsType" forceRevocationEnabled="false" xmlns="urn:mace:shibboleth:2.0:security"/>
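
The decision described for forceRevocationEnabled, worked through as an added example (not Shibboleth code, and not from the original page). The Crl and Options classes and both function names are hypothetical; treating "empty" as no revoked entries and "expired" as a next-update time in the past is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Crl:
    """Constructed stand-in for an X.509 CRL: only what the flags look at."""
    revoked_serials: tuple   # empty tuple models an empty CRL
    next_update: datetime    # in the past models an expired CRL (assumption)
    inline: bool             # True: carried in the untrusted credential (KeyInfo)

@dataclass(frozen=True)
class Options:
    """Hypothetical mirror of the attributes above, with their documented defaults."""
    process_empty_crls: bool = True
    process_expired_crls: bool = True
    process_credential_crls: bool = True
    force_revocation_enabled: bool = False
    revocation_enabled: bool = True

def effective_crls(crls, opts, now):
    """CRLs still 'effectively present' once the three process* flags are applied."""
    kept = []
    for crl in crls:
        if crl.inline and not opts.process_credential_crls:
            continue
        if not crl.revoked_serials and not opts.process_empty_crls:
            continue
        if crl.next_update < now and not opts.process_expired_crls:
            continue
        kept.append(crl)
    return kept

def revocation_setting(crls, opts, now):
    """Boolean that would be passed to PKIXBuilderParameters setRevocationEnabled."""
    if opts.force_revocation_enabled:
        return opts.revocation_enabled
    return bool(effective_crls(crls, opts, now))

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed sample data below
TRUSTED = Crl((4660,), datetime(2024, 7, 1, tzinfo=timezone.utc), inline=False)
INLINE_EMPTY = Crl((), datetime(2024, 7, 1, tzinfo=timezone.utc), inline=True)
EXPIRED = Crl((7,), datetime(2024, 1, 1, tzinfo=timezone.utc), inline=False)

if __name__ == "__main__":
    for label, crls, opts in [
        ("defaults, no CRLs", [], Options()),
        ("defaults, inline empty CRL", [INLINE_EMPTY], Options()),
        ("forced on, no CRLs", [], Options(force_revocation_enabled=True)),
    ]:
        print(f"{label}: setRevocationEnabled({revocation_setting(crls, opts, NOW)})")
```

With the defaults, revocation checking is off when no CRL is configured or supplied, and an empty CRL carried inline in the credential is enough to turn it on.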