Currenty x509 tokens that are included in a message (most likely for signing) are implicitly trusted. We should verify that each certificate is trusted, or is signed by a trusted authority. This will require a trust store configuration mechanism.