From e29606fbf36d6f403bc6aa879329c8634e5cc297 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20=C3=85kre=20Solberg?= <andreas.solberg@uninett.no>
Date: Tue, 9 Mar 2010 08:00:42 +0000
Subject: [PATCH] adding warning about PKIX

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2215 44740490-163a-0410-bde0-09ae8108e29a
---
 docs/simplesamlphp-reference-idp-remote.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/simplesamlphp-reference-idp-remote.txt b/docs/simplesamlphp-reference-idp-remote.txt
index db19b6a79..96cd6bdfc 100644
--- a/docs/simplesamlphp-reference-idp-remote.txt
+++ b/docs/simplesamlphp-reference-idp-remote.txt
@@ -28,7 +28,7 @@ The following options are common between both the SAML 2.0 protocol and Shibbole
 :   Whether attributes received from this IdP should be base64 decoded. The default is `FALSE`.
 
 `caFile`
-:   Alternative to specifying a certificate. Allows you to specify a file with root certificates, and responses from the service be validated against these certificates. Note that simpleSAMLphp doesn't support chains with any itermediate certificates between the root and the certificate used to sign the response.
+:   Alternative to specifying a certificate. Allows you to specify a file with root certificates, and responses from the service be validated against these certificates. Note that simpleSAMLphp doesn't support chains with any itermediate certificates between the root and the certificate used to sign the response. Support for PKIX in SimpleSAMLphp is experimental, and we encourage users to not rely on PKIX for validation of signatures; for background information review [the SAML 2.0 Metadata Interoperability Profile](http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-iop-cd-01.pdf).
 
 `certData`
 :   The base64 encoded certificate for this IdP. This is an alternative to storing the certificate in a file on disk and specifying the filename in the `certificate`-option.
-- 
GitLab