Currently, there's no way to control the RevocationEnabled flag of the PKIXParameters when a trust engine is built by the IdP. Quoting http://download.oracle.com/javase/1.4.2/docs/api/java/security/cert/PKIXParameters.html#setRevocationEnabled%28boolean%29
"Sets the RevocationEnabled flag. If this flag is true, the default revocation checking mechanism of the underlying PKIX service provider will be used. If this flag is false, the default revocation checking mechanism will be disabled (not used)."
For the 2.3 release, it would be useful to have an additional attribute for the <security:TrustEngine> element which allows the IdP admin to control the value of that flag. I realize that this can't be used to configure the underlying PKIX provider in a way suggested in SIDPT-1, but for the time being, I would consider it sufficient to add support for a "revocationEnabled" attribute (boolean, with "true" and "false" as its values) to the edu.internet2.middleware.shibboleth.common.config.security.AbstractPKIXValidationInformationBeanDefinitionParser, which in turn would call the respective methods of org.opensaml.xml.security.x509.CertPathPKIXValidationOptions (as implemented with
PKIX provider options are often configurable through system properties (e.g. "com.sun.security.enableCRLDP", "onlyCheckRevocationOfEECert"), which is fine - but as far as I'm aware of, there's no straightforward way right now to control the revocationEnabled flag with the IdP configuration. This is what this issue is about.