5.1.2 Certificate Validation

When X.509 [X509] certificates are used, relying parties should validate the X.509 certificate that corresponds to the key used to sign the security token.<88> X.509 certificates might expire, might be revoked, or might not be issued by a trusted source. The steps required to validate X.509 certificates and to check the revocation status of an X.509 certificate are specified in [RFC3280]. Implementers have to pay special attention to [RFC3280] section 9 for security considerations involving usage of X.509 certificates.
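
The three failure cases named above (untrusted issuer, expired, revoked), shown as an added Go example that is not part of this specification. The names `validateSigningCert` and `issue` are hypothetical, the certificates are constructed in-process, and the revoked serial numbers are assumed to come from a CRL whose signature and freshness the caller has already checked as [RFC3280] describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// validateSigningCert (hypothetical name): issuer trust and validity period, then revocation.
func validateSigningCert(cert, ca *x509.Certificate, revoked []*big.Int, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca) // trust only the configured issuer, never the system store
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err // unknown issuer, expired, or not yet valid
	}
	for _, serial := range revoked { // serials from a CRL the caller already verified (assumption)
		if serial.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %v is revoked", serial)
		}
	}
	return nil
}

// issue builds a constructed test certificate valid for one hour; a nil parent yields a self-signed CA.
func issue(cn string, serial int64, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		t.KeyUsage, parent, signer = x509.KeyUsageCertSign, t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	cert, err := x509.ParseCertificate(der) // also fails if creation returned no DER
	if err != nil {
		panic(err)
	}
	return cert, key
}

func main() {
	ca, caKey := issue("Constructed CA", 1, nil, nil)
	leaf, _ := issue("constructed-token-signer", 2, ca, caKey)
	fmt.Println("not revoked:", validateSigningCert(leaf, ca, nil, time.Now()))
	fmt.Println("revoked:", validateSigningCert(leaf, ca, []*big.Int{big.NewInt(2)}, time.Now()))
}
```

The token signature should be accepted only after this function returns nil for the certificate that carries the signing key.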