[xmlsec] Verify signature after certificate expired

Rich Salz rsalz at datapower.com
Wed Oct 9 10:34:41 PDT 2002


Yes, it is important to be able to verify something after the 
credentials have expired.  As long as the signature was *generated* 
during the validity period, then you can verify it.  There is a reason 
why PKCS7, and XML-DSIG, include the ability to put CRLs into a 
signature:  so you can show -- at the time the sig was generated -- that 
the cert was not revoked.

Hope this helps.
	/r$
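
The rule in the message above, as an added example that is not part of the original post and is not xmlsec code: the certificate is judged as of the signing time, using the CRL carried in the signature, rather than as of today. All names and sample values are constructed; it assumes the signature itself has already been verified cryptographically and that the signing time comes from a source the verifier trusts.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Cert:                       # hypothetical model: only the fields this check needs
    serial: int
    not_before: datetime
    not_after: datetime

@dataclass
class Crl:                        # hypothetical model of a CRL embedded in the signature
    this_update: datetime
    next_update: datetime
    revoked: dict = field(default_factory=dict)   # serial -> revocation time

def status_now(cert, now):
    """Naive check: judges the certificate against the verifier's clock."""
    return "ok" if cert.not_before <= now <= cert.not_after else "expired-or-not-yet-valid"

def status_at_signing(cert, crl, signed_at, now):
    """Judge the certificate as of signed_at, using the embedded CRL."""
    if signed_at > now:
        return "signing-time-in-future"
    if not (cert.not_before <= signed_at <= cert.not_after):
        return "signed-outside-validity"
    revoked_at = crl.revoked.get(cert.serial)
    if revoked_at is not None and revoked_at <= signed_at:
        return "revoked-before-signing"
    # The CRL is only evidence of "not revoked" for the interval it covers.
    if not (crl.this_update <= signed_at <= crl.next_update):
        return "crl-does-not-cover-signing-time"
    return "ok"

# Constructed sample data (not taken from any real certificate or CRL).
UTC = timezone.utc
CERT = Cert(1001, datetime(2001, 10, 1, tzinfo=UTC), datetime(2002, 10, 1, tzinfo=UTC))
CRL = Crl(datetime(2002, 6, 1, tzinfo=UTC), datetime(2002, 6, 8, tzinfo=UTC),
          {2002: datetime(2002, 5, 20, tzinfo=UTC)})
SIGNED_AT = datetime(2002, 6, 3, tzinfo=UTC)
NOW = datetime(2002, 10, 9, tzinfo=UTC)        # after CERT.not_after

if __name__ == "__main__":
    print("checked against now:         ", status_now(CERT, NOW))
    print("checked against signing time:", status_at_signing(CERT, CRL, SIGNED_AT, NOW))
```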



