TrustEngine
The <TrustEngine> element configures the trust engine used by the SP to authenticate the security messages it receives. It works in conjunction with the security policy layer to secure the system.
If omitted, a chain of the ExplicitKey and PKIX engines is used.
Types
Three types of trust engine are available by default; they are distinguished by the type="" attribute.
Type | Description
---|---
ExplicitKey | Extracts keys to trust directly from the metadata of the peer.
PKIX | Extracts key identifiers (i.e. certificate names) to trust from the metadata of the peer, but also extracts sets of trust anchors from a special metadata extension and then applies path validation to candidate certificates.
StaticPKIX | Extracts key identifiers (i.e. certificate names) to trust from the metadata of the peer, and then applies path validation to candidate certificates based on a static list of trust anchors. The difference from the previous engine is that the list of anchors is fixed and does not vary based on whose credentials are being examined.
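An added configuration example (not taken from the original page or from the Shibboleth project's own documentation) showing how the element is declared inside the SP's application configuration. It writes out the default behaviour described above, a Chaining engine wrapping ExplicitKey followed by PKIX, and, as a commented alternative, a single ExplicitKey engine for a deployment that wants to accept only keys published directly in peer metadata. The `Chaining` type name and the use of nested <TrustEngine> children to order the chain are assumptions about the SP's configuration syntax; the surrounding <ApplicationDefaults> element is only context.

```xml
<!-- Added example fragment; element and type names other than
     ExplicitKey and PKIX are assumptions, not quoted from the page. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth">

  <!-- Equivalent to omitting <TrustEngine>: the ExplicitKey engine is
       consulted first; if it cannot vouch for a credential, the PKIX
       engine is tried and performs path validation against anchors
       taken from the peer's metadata extension. -->
  <TrustEngine type="Chaining">
    <TrustEngine type="ExplicitKey"/>
    <TrustEngine type="PKIX"/>
  </TrustEngine>

  <!-- Tighter alternative: trust only keys that appear verbatim in
       peer metadata, with no path validation fallback. Use this when
       metadata is signed and refreshed and no peer relies on PKIX.
  <TrustEngine type="ExplicitKey"/>
  -->

</ApplicationDefaults>
```

The default chain is the more permissive of the two: a credential that is not listed in metadata can still be accepted if a chain to a metadata-published anchor validates. Declaring a single ExplicitKey engine removes that second path, so when verifying a deployment's trust posture, check whether the element is present at all and, if it is a chain, which engines it contains and in what order.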
Common Attributes
Name | Type | Default | Description
---|---|---|---
type | string | Required | Plugin type name.
Common Child Elements
Name | Cardinality | Description
---|---|---
<KeyInfoResolver> | 0 or 1 | Advanced plugin interface for mapping <ds:KeyInfo> elements into keying material. Mostly for future use.