We must be clear about what we mean when we say a signature is "valid":
- Signature Validation
  - Does the SignatureValue match the result of processing SignedInfo with CanonicalizationMethod and SignatureMethod as specified in §6.2?
- Reference Validation
  - Does the DigestValue of the dereferenced URI match the DigestValue in SignedInfo?
- Trust/Application Validation
  - Does the application trust the signed assertions? (Was the key strong enough, is it from a trusted party, how old is the signature ...?)
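The three checks above are independent, which the following added example (not from the original slides) shows by making each one fail on its own. It is a simplified model: HMAC-SHA256 stands in for the SignatureMethod, Python's built-in C14N 2.0 for the CanonicalizationMethod, Transforms are omitted, and the names `sign`, `validate`, `demo` and the trust policy are hypothetical.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2000/09/xmldsig#}"
b64 = lambda raw: base64.b64encode(raw).decode()

def c14n_signed_info(sig):
    # Canonical bytes of SignedInfo only (Python's C14N 2.0, an assumption here).
    text = ET.tostring(sig.find(NS + "SignedInfo"), encoding="unicode")
    return ET.canonicalize(text).encode()

def sign(data, key):
    """Build a constructed, simplified Signature element over data."""
    sig = ET.Element(NS + "Signature")
    ref = ET.SubElement(ET.SubElement(sig, NS + "SignedInfo"), NS + "Reference")
    ET.SubElement(ref, NS + "DigestValue").text = b64(hashlib.sha256(data).digest())
    mac = hmac.new(key, c14n_signed_info(sig), hashlib.sha256).digest()
    ET.SubElement(sig, NS + "SignatureValue").text = b64(mac)
    return sig

def validate(sig, data, key, trusted_keys):
    """Report the three checks separately; 'valid' means all three hold."""
    digest = base64.b64decode(sig.find(f".//{NS}DigestValue").text)
    value = base64.b64decode(sig.find(NS + "SignatureValue").text)
    expected = hmac.new(key, c14n_signed_info(sig), hashlib.sha256).digest()
    return {
        "reference": hmac.compare_digest(digest, hashlib.sha256(data).digest()),
        "signature": hmac.compare_digest(value, expected),
        "trust": key in trusted_keys and len(key) >= 32,  # hypothetical policy
    }

def demo():
    key, data, other = b"k" * 32, b"10 units", b"99 units"  # constructed samples
    results = {"intact": validate(sign(data, key), data, key, {key})}
    # Referenced data changed after signing: only reference validation fails.
    results["data_changed"] = validate(sign(data, key), other, key, {key})
    # DigestValue rewritten to match the changed data: the reference check now
    # passes, but SignedInfo no longer matches SignatureValue.
    sig = sign(data, key)
    sig.find(f".//{NS}DigestValue").text = b64(hashlib.sha256(other).digest())
    results["digest_rewritten"] = validate(sig, other, key, {key})
    # Cryptographically correct, but the key is not one the application trusts.
    results["untrusted_key"] = validate(sign(data, key), data, key, set())
    return results

if __name__ == "__main__":
    for case, checks in demo().items():
        print(case, checks)
```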