>       1) Is it possible to store client's public key on our site and just
> use it to validate the signature without having to read extract it from SOAP
> head?

Yes.  Aleksey will have to answer with a pointer to the specific
APIs or CLI flags you'll need to use. :)

>       2) Is this recommended practice?

It's perfectly fine to avoid the certificate.  I would, however, ask
your signer to include *some* identifier, so that later on you can
handle multiple signers without breaking.  Even a simple dsig:KeyName.

        /r$

--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html

_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec
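
The key-selection step discussed in the reply above, as an added example that is not part of the original message and is not xmlsec code: it reads dsig:KeyName from the signature, uses it only to look up a locally stored public key, and ignores any certificate carried in the message. The key names, file paths and sample envelope are constructed assumptions, and the signature check itself is left to the verifier that receives the returned key.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed trust store: KeyName -> public key file provisioned out of band.
PINNED_KEYS = {"client-a": "keys/client-a.pub.pem",
               "client-b": "keys/client-b.pub.pem"}

# Constructed sample: signature body elided, KeyInfo carries a name and a cert.
SAMPLE = f"""<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/"><Header>
<ds:Signature xmlns:ds="{DSIG}"><ds:KeyInfo>
  <ds:KeyName>client-a</ds:KeyName>
  <ds:X509Data><ds:X509Certificate>CONSTRUCTED</ds:X509Certificate></ds:X509Data>
</ds:KeyInfo></ds:Signature></Header><Body/></Envelope>"""


class KeyResolutionError(Exception):
    """The message does not identify exactly one known signer."""


def resolve_verification_key(xml_text, pinned=PINNED_KEYS):
    """Return (key_name, key_path) for the message's single ds:Signature.

    ds:KeyName is only a lookup hint into the local store; key material
    carried in the message (ds:X509Data, ds:KeyValue) is never used.
    """
    if "<!DOCTYPE" in xml_text:  # SOAP forbids DTDs; refuse before parsing
        raise KeyResolutionError("DTD not allowed")
    root = ET.fromstring(xml_text)
    sigs = list(root.iter(f"{{{DSIG}}}Signature"))
    if len(sigs) != 1:
        raise KeyResolutionError(f"expected one Signature, found {len(sigs)}")
    names = sigs[0].findall(f"{{{DSIG}}}KeyInfo/{{{DSIG}}}KeyName")
    if len(names) != 1 or not (names[0].text or "").strip():
        raise KeyResolutionError("need exactly one non-empty KeyName")
    name = names[0].text.strip()
    if name not in pinned:  # unknown signer: fail closed, no fallback key
        raise KeyResolutionError(f"unknown signer {name!r}")
    return name, pinned[name]


if __name__ == "__main__":
    print(resolve_verification_key(SAMPLE))
```

Adding a second signer later means adding one entry to the store; messages naming anyone else are rejected before any signature processing.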
