An implementation that validates and generates Digital Signatures may claim conformance to the Basic Digital Signatures Secure Use Profile. Any implementation that claims conformance to this Security Profile shall obey the following rules in handling Digital Signatures:
The implementation shall store any SOP Instances that it receives in such a way that it guards against any unauthorized tampering of the SOP Instance.
Wherever possible, the implementation shall validate the Digital Signatures within any SOP Instance that it receives.
If the implementation sends the SOP Instance to another Application Entity, it shall do the following:
remove any Digital Signatures that may have become invalid due to any allowed variations to the format of Attribute Values (e.g. trimming of padding, alternate representations of numbers),
generate one or more new Digital Signatures covering the Data Elements that the implementation was able to verify when the SOP Instance was received.