I would wager, but Alexsey is the expert, that it might be a good idea to ignore the KeyName if an X509Certificate is present when Verifying. After all the reason it got there in the first place is that it was used to select the cert/key when you originally signed it with xmlsec and is left over from the sign operation. It will verify fine if you manually remove the KeyName. Comments Alexsey ?
Well, when you verify a signature, you have to find a key. If both KeyName and Certificate are present then you have to try both since you don't know which one will work.... Aleksey _______________________________________________ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec