[xmlsec] another newbie question

Lee, Insoo Insoo.Lee at gs.com
Sun Mar 14 14:08:08 PST 2004


Hello all -
Could I ask you another newbie question?
I'm a bit confused with certificate business - I'm lacking the
fundamentals...

We are planning to receive a signed XML message from our client.
This XML message will have X509 in its header.
Once I receive this message, I extract the X509 and validate it.

Now here is the question: shouldn't I check the validity of the
certificate?
Let's say this is the certificate issued by VeriSign.
Do I need to somehow connect to VeriSign to confirm that this certificate is
genuine and still valid?

Can't anybody intercept this message and modify it and use his own private
key to regenerate digest and attach his own certificate?
Then according to this imposter's certificate, it's a good message.

Thanks
Lee




Insoo Lee
Goldman, Sachs & Co.
917-343-0973 | insoo.lee at gs.com | 32 Old Slip 9th Fl.
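
Added example, not part of the original post or of xmlsec's own code: a signature that verifies against the certificate carried in the message only shows that message and certificate agree, so the receiver also has to check that the certificate chains to a CA certificate it already holds locally and that it names the expected sender. The sketch uses the openssl command line; every key, certificate and the name client.example are constructed for the demo, and revocation checking (CRL/OCSP) is outside its scope.

```shell
#!/bin/sh
# Added example. All keys, certificates and names are constructed for this demo;
# "client.example" stands in for the expected sender. Requires the openssl CLI.

# accept_signer TRUST_ANCHOR CERT EXPECTED_CN
# Succeeds only if CERT chains to the locally stored trust anchor (openssl also
# checks the validity period) AND its subject CN is the sender we expect.
accept_signer() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    cn=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 |
         sed -n 's/^subject= *CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$3" ]
}

# make_demo_pki DIR: a root CA, a client certificate issued by that CA, and an
# impostor certificate that is self-signed but claims the same subject name.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1 &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client.example" \
        -keyout "$1/client.key" -out "$1/client.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/client.pem" >/dev/null 2>&1 &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=client.example" \
        -keyout "$1/imp.key" -out "$1/imp.pem" >/dev/null 2>&1
}

dir=$(mktemp -d) && make_demo_pki "$dir" || exit 1

# Both certificates claim CN=client.example; only one was issued by our CA.
for c in client imp; do
    if accept_signer "$dir/ca.pem" "$dir/$c.pem" client.example
    then echo "$c.pem: accepted"
    else echo "$c.pem: rejected (not issued by the pinned CA, or wrong subject)"
    fi
done
```

With xmlsec, the same local trust anchor is passed to `xmlsec1 --verify` through its `--trusted-pem` option.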



