Hello all - could I ask you another newbie question? I'm a bit confused with certificate business - I'm lacking the fundamentals...
We are planning to receive a signed XML message from our client. This XML message will have X509 in its header. Once I receive this message, I extract the X509 and validate it.

Now here is the question: shouldn't I check the validity of the certificate? Let's say this is the certificate issued by VeriSign. Do I need to somehow connect to VeriSign to confirm that this certificate is genuine and still valid? Can't anybody intercept this message, modify it, use his own private key to regenerate the digest and attach his own certificate? Then according to this imposter's certificate, it's a good message.

Thanks
Lee

Insoo Lee
Goldman, Sachs & Co.
917-343-0973 | [EMAIL PROTECTED] | 32 Old Slip 9th Fl.

_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec
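The scenario in the question above, as an added example that is not part of the original post: a signature check that uses only the attached certificate passes for a re-signed message, while validating that certificate against a CA certificate the receiver already holds rejects it. It assumes the `openssl` CLI and uses a plain detached signature as a stand-in for XML-DSig; every key, certificate, name and message is constructed locally.

```shell
#!/bin/sh
# Constructed demo: all keys, certificates and messages are generated locally.
WORK=$(mktemp -d)

new_self_signed() {   # $1 = file prefix, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

setup_demo() {
  new_self_signed ca "Constructed Demo CA"   # receiver's local trust anchor
  new_self_signed imposter "client"          # attacker's own certificate
  # Genuine client certificate, issued by the demo CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/client.pem" 2>/dev/null
  printf '<order amount="100"/>' > "$WORK/genuine.xml"
  printf '<order amount="999"/>' > "$WORK/forged.xml"
  openssl dgst -sha256 -sign "$WORK/client.key" \
    -out "$WORK/genuine.sig" "$WORK/genuine.xml"
  openssl dgst -sha256 -sign "$WORK/imposter.key" \
    -out "$WORK/forged.sig" "$WORK/forged.xml"
}

# Signature check only: trusts whatever public key the attached certificate carries.
sig_ok() {   # $1 = certificate name, $2 = message name
  openssl x509 -in "$WORK/$1.pem" -pubkey -noout > "$WORK/$1.pub" &&
  openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$WORK/$2.sig" \
    "$WORK/$2.xml" >/dev/null 2>&1
}

# Chain check: the attached certificate must chain to the locally stored CA.
chain_ok() { openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1; }

# A message is accepted only when both checks pass.
accept() { sig_ok "$1" "$2" && chain_ok "$1"; }

setup_demo
for pair in "client genuine" "imposter forged"; do
  set -- $pair
  sig_ok "$1" "$2" && s=pass || s=fail
  accept "$1" "$2" && a=accepted || a=rejected
  echo "$2 message: signature $s, with chain check $a"
done
```

The chain check runs against a CA certificate stored on the receiving side, with no connection to the CA; revocation status (CRL or OCSP) and a match between the certificate subject and the expected client are separate checks not shown here.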
