Does it not make sense to check X509Certificate first? Or must we consciously remove KeyName to avoid problems in the mscrypto world where the chances of actually having the public verification certificate in the verifier's mscrypto store is remote at best?
I think that either signer or verifier should decide if KeyName makes sense for him/her or not. In xmlsec, there is a way to disable KeyName usage for verification, for example.
Aleksey
_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec