Must be clear by what we mean when a signature is "valid"
- Signature Validation
- Does the
SignatureValue matches the result of processing
specified in §6.2?
- Reference Validation
- Does the DigestValue of the derferenced URI matches the
- Trust/Application Validation
- Does the application trust the signed assertions? (Was the key strong enough, is it from
a trusted party, how old is the signature ...?)