Yes, it is important to be able to verify something after the credentials have expired. As long as the signature was *generated* during the validity period, then you can verify it. There is a reason why PKCS7, and XML-DSIG, include the ability to put CRL's into a signature: so you can show -- at the time the sig was generated -- that the cert was not revoked. Hope this helps. /r$