[xmlsec] Verify signature after certificate expired

Rich Salz rsalz at datapower.com
Wed Oct 9 12:45:41 PDT 2002

> The document signed with cert means that
>    1) the document was signed by a person to whom the cert was issued;
>    2) the document was not changed since the time it was signed.
> The expired cert could not provide you first item (I hope the reasons
> are clear).

Not at all, please explain.

> Since you've mentioned S/MIME as an example I would like to cite RFC
> (RFC 2312 : S/MIME Version 2 Certificate Handling):
>   Some of the many places where signature and certificate checking
>   might fail include:
>>> - the certificate is expired

It is not clear from context if they mean: expired at the time it was 
used, or expired at the time the signature is checked.

Signatures must be valid even after the signing certificate has expired. 
Anything else is just nonsensical.  Example:  I go to college, get a 
certificate from my school, use the key to sign a PDF that contains my 
thesis.  I graduate and the cert expires.  Is my thesis no longer 
considered to be signed?
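
The two readings distinguished in the message above (certificate expired when it was used versus expired when the signature is checked), as an added example that is not part of the original post or of xmlsec. It uses the OpenSSL command line instead of xmlsec, a constructed one-day self-signed certificate and sample document, and takes the signing time as given.

```shell
#!/bin/sh
# Added illustration; file names, subject and times are constructed.
work=$(mktemp -d)

# Create a throwaway signer key and a self-signed certificate valid for one
# day, then sign a sample document with that key.
setup() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-signer" \
        -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
    openssl x509 -in "$work/cert.pem" -pubkey -noout > "$work/pub.pem"
    echo "thesis text" > "$work/doc.txt"
    openssl dgst -sha256 -sign "$work/key.pem" \
        -out "$work/doc.sig" "$work/doc.txt"
}

# Cryptographic check only: was doc.txt signed by the certificate's key?
# This result does not depend on any clock.
sig_ok() {
    openssl dgst -sha256 -verify "$work/pub.pem" \
        -signature "$work/doc.sig" "$work/doc.txt" >/dev/null 2>&1
}

# Validity check: is the certificate acceptable at the given epoch second?
# The self-signed certificate acts as its own trust anchor here.
cert_ok_at() {
    openssl verify -attime "$1" -CAfile "$work/cert.pem" \
        "$work/cert.pem" >/dev/null 2>&1
}

# Combine both checks for one reference time.
verdict() {
    sig_ok || { echo "bad-signature"; return; }
    if cert_ok_at "$1"; then
        echo "valid"
    else
        echo "cert-not-valid-at-time"
    fi
}

setup
now=$(date +%s)
signed_at=$((now + 60))            # assumed signing time, inside the window
checked_at=$((now + 30 * 86400))   # a later check, after the cert expired
echo "judged at signing time: $(verdict "$signed_at")"
echo "judged at check time:   $(verdict "$checked_at")"
```

The same signature and certificate give different answers depending only on which instant the validity period is evaluated against.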

