We have a service receiving a lot of signed XML documents; some of them are signed with a self-signed certificate and some are signed with a certificate from a trusted certificate authority.
What is the best way to make sure the certificate used to sign the XML document is in a list of certificates we trust?
Today we are matching the certificate's thumbprint against a list of accepted certificate thumbprints.
Can we trust the thumbprint to be unique - or is it possible to fake this?
What would be the best way to solve this? (We cannot make everybody sending signed XML documents use certificates from a trusted certificate authority.)
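As an added example (not code from the question, the asker's service, or any library), the following Go program shows what the thumbprint check described above actually compares. A thumbprint is a hash over the certificate's DER encoding, so it pins one exact certificate: two certificates minted from the same key and subject still get different thumbprints, and re-parsing the same DER bytes always gives the same one. The program uses SHA-256; the Windows "thumbprint" field is the same construction with SHA-1. The names `Thumbprint`, `NormalizeThumbprint`, `TrustStore` and `NewSelfSigned` are hypothetical helpers written for this example, and the certificates are generated in-process rather than taken from any real sender.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Thumbprint is the hex SHA-256 digest of the certificate's DER encoding
// (cert.Raw). Any change to the certificate bytes changes this value.
func Thumbprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// NormalizeThumbprint accepts a thumbprint as certificate viewers print it
// (upper case, spaces or colons between bytes, surrounding whitespace) and
// returns canonical lower-case hex, or an error if it is not a 32-byte digest.
// This catches copy-paste damage before a bad entry silently never matches.
func NormalizeThumbprint(s string) (string, error) {
	s = strings.NewReplacer(" ", "", ":", "").Replace(strings.TrimSpace(s))
	s = strings.ToLower(s)
	raw, err := hex.DecodeString(s)
	if err != nil || len(raw) != sha256.Size {
		return "", errors.New("thumbprint is not a 32-byte hex SHA-256 digest")
	}
	return s, nil
}

// TrustStore is the allowlist: a set of normalized thumbprints. Thumbprints
// are public values, so a plain map lookup is adequate here.
type TrustStore map[string]struct{}

// Add records an accepted thumbprint after normalizing it.
func (ts TrustStore) Add(thumbprint string) error {
	n, err := NormalizeThumbprint(thumbprint)
	if err != nil {
		return err
	}
	ts[n] = struct{}{}
	return nil
}

// IsTrusted reports whether this exact certificate is on the allowlist. The
// certificate passed in must be the one the XML signature was actually
// verified with, parsed from the DER carried in the document; a thumbprint
// merely asserted inside the document proves nothing.
func (ts TrustStore) IsTrusted(cert *x509.Certificate) bool {
	_, ok := ts[Thumbprint(cert)]
	return ok
}

// NewSelfSigned mints a self-signed certificate. It exists only to produce
// sample certificates for this example (hypothetical helper).
func NewSelfSigned(key *ecdsa.PrivateKey, cn string, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a, _ := NewSelfSigned(key, "partner-a", 1)
	b, _ := NewSelfSigned(key, "partner-a", 2) // same key and subject, different serial

	ts := TrustStore{}
	if err := ts.Add(strings.ToUpper(Thumbprint(a))); err != nil { // as pasted from a viewer
		panic(err)
	}
	fmt.Println("a trusted:", ts.IsTrusted(a)) // true
	fmt.Println("b trusted:", ts.IsTrusted(b)) // false: a different certificate, even with the same key
}
```

The point the check relies on is that the thumbprint is recomputed by the receiver over the certificate bytes it verified the signature with; the allowlist then matches only that exact certificate, so re-issuing a certificate for a sender means updating the list.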