It's silly to require that signatures be validated without some security model relating that signature to some kind of meaningful authentication.
Feeds should be able to provide certificates (self-signed or otherwise) or be required to provide a method to get the cert; the signature on the data should be checked against that certificate; the user should be given some visible information about the identity associated with the certificate used to validate a signature and a chance to accept or reject the signed data. Do you intend to require Keyinfo in the Signature element? Any requirements on that? Hilarie Orman
