PKIX validation options are used to optionally influence how PKIX validation processing is performed. The Shibboleth IdP leverages the Java CertPath API to perform PKIX processing. These options are provided to enable advanced configuration scenarios that make use of options present on particular CertPath providers, such as those provided by Sun, IBM and Bouncy Castle. Some of these flags may also be useful in dealing with implementation bugs known to have existed in some versions of some CertPath providers.
PKIX validation options are defined by the element <ValidationOptions xsi:type="CertPathValidationOptionsType" />.

The options include revocationEnabled and forceRevocationEnabled. When forceRevocationEnabled is false, the revocation behavior is determined dynamically as follows: if any CRLs are effectively present from validation info (... shibmd:KeyAuthority elements or from static ValidationInfo on the trust engine) or in the untrusted X509Credential being evaluated (taking into consideration the processing of the other flags detailed above), revocation is set to true. If no CRLs are present, revocation is set to false.

Examples:

    <!-- Force CertPath API PKIXBuilderParameters setRevocationEnabled to "true" -->
    <ValidationOptions xsi:type="CertPathValidationOptionsType"
        forceRevocationEnabled="true" revocationEnabled="true"
        xmlns="urn:mace:shibboleth:2.0:security"/>

    <!-- Force CertPath API PKIXBuilderParameters setRevocationEnabled to "false" -->
    <ValidationOptions xsi:type="CertPathValidationOptionsType"
        forceRevocationEnabled="true" revocationEnabled="false"
        xmlns="urn:mace:shibboleth:2.0:security"/>

    <!-- Allow CertPath API PKIXBuilderParameters setRevocationEnabled to be determined dynamically by the trust engine. -->
    <ValidationOptions xsi:type="CertPathValidationOptionsType"
        forceRevocationEnabled="false"
        xmlns="urn:mace:shibboleth:2.0:security"/>
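As an added illustration (not Shibboleth's own code), the following Java sketch shows how the two flags above map onto the JDK CertPath API the IdP builds on: the class and method names are hypothetical, and the CRL collection passed in is assumed to already reflect whatever filtering the other flags apply.

```java
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

/** Hypothetical helper mirroring the flag semantics above on the JDK CertPath API (not IdP code). */
public final class RevocationPolicyDemo {

    /**
     * Effective value for PKIXBuilderParameters.setRevocationEnabled:
     * forceRevocationEnabled=true  -> use revocationEnabled exactly as configured;
     * forceRevocationEnabled=false -> dynamic: enabled iff a CRL is effectively present.
     */
    static boolean effectiveRevocationEnabled(boolean forceRevocationEnabled,
                                              boolean revocationEnabled,
                                              Collection<X509CRL> effectiveCrls) {
        if (forceRevocationEnabled) {
            return revocationEnabled;
        }
        return !effectiveCrls.isEmpty();
    }

    /** Build and validate a path to endEntity using the resolved revocation setting. */
    static PKIXCertPathBuilderResult buildPath(X509Certificate endEntity,
                                               Collection<X509Certificate> intermediates,
                                               Set<TrustAnchor> anchors,
                                               Collection<X509CRL> effectiveCrls,
                                               boolean forceRevocationEnabled,
                                               boolean revocationEnabled)
            throws GeneralSecurityException {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(endEntity);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);

        // Intermediates and CRLs reach the provider through a CertStore; CRLs dropped by the
        // other flags (empty, expired, or credential-supplied CRLs) are simply never added.
        List<Object> storeContents = new ArrayList<>(intermediates);
        storeContents.add(endEntity);
        storeContents.addAll(effectiveCrls);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(storeContents)));

        boolean revocation = effectiveRevocationEnabled(
                forceRevocationEnabled, revocationEnabled, effectiveCrls);
        params.setRevocationEnabled(revocation);
        // Caveat: with revocation enabled and no CRL covering an issuer in the chain, the
        // JDK PKIX provider fails the build rather than silently skipping the check.
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }
}
```

The comment on the last step is the practical reason for the dynamic default: forcing revocationEnabled="true" without a CRL source turns every validation into a hard failure.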