Since the file transfer component of the LionShare protocol is HTTP-based, much of the credential verification may be performed by standard SSL libraries available for Java. However, an X.509 certificate must be rooted in a trusted CA. To validate these certificate paths, each LionShare peer must have a copy of each federation member's SASL-CA signing certificate in its trusted CA bundle. This bundle file on each peer must be periodically updated, possibly through an automatic mechanism from a secured web site. Generating and maintaining this bundle is presumed to be covered by the federation's policies and is out of scope for the LionShare project. The LionShare application will support multiple certificate bundles, so that an individual peer may belong to multiple federations and users may import their own certificates.

LionShare does make one change from canonical X.509 certificate path validation: It does not check if the peer's certificates are revoked. As these certificates are only valid for a very brief time, it was decided that revocation checking was not necessary. Further, a scalable mechanism of revocation checking was not identified.

LionShare also handles expired credentials in an atypical way. Please see the section on Metadata Signature Verification for more information.