Define New PKIX Validation Information

PKIX validation information is used when performing PKIX validation on X.509 certificates. It represents a trusted set of material (trusted CAs, CRLs, verification depths) within the IdP from which other trust can be derived. There are two ways to define validation information, depending on where the trust material resides.

Filesystem Validation Information

This validation information declaration is used when the validation information resides on the local filesystem in either a PEM- or DER-encoded file.

This validation information is defined by the element <ValidationInfo xsi:type="PKIXFilesystem"> with the required attribute:

the following optional attribute:

and the following elements (each of these elements may occur more than once, but they must occur in the order listed):

<ValidationInfo verifyDepth="5" xsi:type="PKIXFilesystem" xmlns="urn:mace:shibboleth:2.0:security">
    <Certificate>/path/to/trusted/cert1</Certificate>
    <Certificate>/path/to/trusted/cert2</Certificate>
    <CRL>/path/to/trusted/crl</CRL>
</ValidationInfo>

Inline Validation Information

This validation information declaration is used when the validation information is declared inline, that is, as content of the configuration elements described below.

This validation information is defined by the element <ValidationInfo xsi:type="PKIXInline"> with the required attribute:

the following optional attribute:

and the following elements (each of these elements may occur more than once, but they must occur in the order listed):

<ValidationInfo verifyDepth="5" xsi:type="PKIXInline" xmlns="urn:mace:shibboleth:2.0:security">
    <Certificate>... PEM ENCODED CERT ...</Certificate>
    <Certificate>... PEM ENCODED CERT ...</Certificate>
    <CRL>... PEM ENCODED CRL ...</CRL>
</ValidationInfo>
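As an added illustration (not Shibboleth's own code), a small Python parser for the two ValidationInfo forms described above: it enforces the Certificate-before-CRL element order, requires verifyDepth to be a positive integer when present, and checks that PKIXInline content carries PEM framing. It assumes the xsi prefix is declared on the element itself (in a real configuration it is normally declared on the document root) and only checks framing, not that the material decodes to a certificate or CRL.

```python
import re
import xml.etree.ElementTree as ET

SEC_NS = "urn:mace:shibboleth:2.0:security"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
# PEM framing for the two kinds of inline content the element allows.
PEM_RE = re.compile(r"^-----BEGIN (CERTIFICATE|X509 CRL)-----\s.+?\s-----END \1-----$", re.S)


def parse_validation_info(xml_text):
    """Parse one <ValidationInfo> element into a dict describing the trust material.

    Raises ValueError for an unknown xsi:type, a non-positive verifyDepth,
    a <CRL> that precedes a <Certificate>, or inline content that is not PEM.
    File paths are returned as given; they are not read or checked for existence.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}ValidationInfo" % SEC_NS:
        raise ValueError("expected ValidationInfo, got %s" % root.tag)
    kind = root.get("{%s}type" % XSI_NS)
    if kind not in ("PKIXFilesystem", "PKIXInline"):
        raise ValueError("unsupported xsi:type %r" % kind)

    depth = root.get("verifyDepth")  # optional; None when absent
    if depth is not None:
        depth = int(depth)
        if depth < 1:
            raise ValueError("verifyDepth must be a positive integer")

    info = {"type": kind, "verifyDepth": depth, "certificates": [], "crls": []}
    seen_crl = False
    for child in root:
        local = child.tag.replace("{%s}" % SEC_NS, "")
        if local not in ("Certificate", "CRL"):
            raise ValueError("unexpected element %s" % local)
        if local == "Certificate" and seen_crl:
            raise ValueError("Certificate elements must precede CRL elements")
        seen_crl = seen_crl or local == "CRL"
        body = (child.text or "").strip()
        if not body:
            raise ValueError("empty %s element" % local)
        if kind == "PKIXInline":  # inline material must be PEM of the matching kind
            m = PEM_RE.match(body)
            expected = "CERTIFICATE" if local == "Certificate" else "X509 CRL"
            if not m or m.group(1) != expected:
                raise ValueError("inline %s is not a PEM-encoded %s" % (local, expected))
        info["certificates" if local == "Certificate" else "crls"].append(body)
    return info
```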