Must be clear by what we mean when a signature is "valid"
- Signature Validation
- Does the
SignatureValue matches the result of processing SignedInfo
with CanonicalizationMethod and SignatureMethod as
specified in §6.2?
- Reference Validation
- Does the DigestValue of the derferenced URI matches the
DigetsValue in SignedInfo?
- Trust/Application Validation
- Does the application trust the signed assertions? (Was the key strong enough, is it from
a trusted party, how old is the signature ...?)
