Currently X.509 tokens are validated against a truststore that is local to the ws-security deployment. We should offer support for delegating to JAAS/JBossSX so that JEE declarative security can reference known certificates. There is one problem with adding support for this, which is that a WS-Security message may contain many X.509 tokens (perhaps one for signature, and one for encryption), so we would have to somehow decide to pick one.