[xmlsec] Verify signature after certificate expired
Aleksey Sanin
aleksey at aleksey.com
Wed Oct 9 13:15:37 PDT 2002
Yes, I am saying this. The signature is not valid forever. It's valid only while the certificate is valid.

If you don't like this scheme then you should use certs with long expiration time or another scheme.

Cert is your digital identity. It's not you who signs something but your digital identity. The issuer of the certificate guarantees that you and your digital identity match. But the issuer has a right to say: "I know that it is true today and for next year. But I am not responsible for anything that happens after this." I think that this is a meaning of the expiration time. You may think about this as another way to revoke certs.

Aleksey
Rich Salz wrote:
>> Yes! When you signed it you claimed that you are the college student.
>> When you graduated
>> you are not college student anymore and your signature as "college
>> student" is *not* valid.
>
>
> So you're saying that you believe it is impossible to ever do any
> after the fact audits. I can never verify that something happened
> "back then" without having a current chain of cross-certified
> certificates up until the present moment. Suppose the signer dies?
> All prior signatures are now just ticking clocks, waiting to become
> invalid?
>
> /r$