[xmlsec] Verify signature after certificate expired

[Rich Salz]

Yes, it is important to be able to verify something after the 
credentials have expired.  As long as the signature was *generated* 
during the validity period, then you can verify it.  There is a reason 
why PKCS7, and XML-DSIG, include the ability to put CRL's into a 
signature:  so you can show -- at the time the sig was generated -- that 
the cert was not revoked.

Hope this helps.
	/r$