Yes, it is important to be able to verify something after the
credentials have expired. As long as the signature was *generated*
during the validity period, then you can verify it. There is a reason
why PKCS7, and XML-DSIG, include the ability to put CRL's into a
signature: so you can show -- at the time the sig was generated -- that
the cert was not revoked.
Hope this helps.
/r$
_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec
