[xmlsec] newbie question - not including X509 certificate

Lee, Insoo Insoo.Lee at gs.com
Fri Mar 12 15:20:30 PST 2004

We are looking to receive signed SOAP message from our client.
We like to conform to WS-Security as much as possible while using Apache XML
Security implementation.

A question is:
  Since we have only one client sending us the message, we would like to
eliminate the overhead of keeping X509 certificate in the SOAP message.  
	1) Is it possible to store client's public key on our site and just
use it to validate the signature without having to read extract it from SOAP
	2) Is this recommended practice?

 Thanks much

More information about the xmlsec mailing list