A policy for cryptographic operations.
Returns an error if the signature violates the policy.
This function performs the last check before the library decides that a signature is valid. That is, after the library has determined that the signature is well-formed, alive, not revoked, etc., it calls this function to allow you to implement any additional policy. For instance, you may reject signatures that make use of cryptographically insecure algorithms like SHA-1.
Note: Whereas it is generally better to reject suspicious signatures, one should be more liberal when considering revocations: if you reject a revocation certificate, it may inadvertently make something else valid!
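The revocation caveat above, worked through as an added example (not the library's own code): the `Policy` trait, `Sig`, `Hash`, `Kind`, and `key_usable` below are hypothetical stand-ins that model the check described here, not the library's real API. It shows a policy that rejects SHA-1 everywhere turning a revoked key back into a usable one, and a policy that stays liberal on revocations avoiding that.

```rust
// Hypothetical model types for illustration; NOT the library's real API.
#[allow(dead_code)]
#[derive(Clone, Copy, PartialEq, Debug)]
enum Hash { Sha1, Sha256 }

#[allow(dead_code)]
#[derive(Clone, Copy, PartialEq, Debug)]
enum Kind { Binding, Data, KeyRevocation }

#[derive(Clone, Copy, Debug)]
struct Sig { kind: Kind, hash: Hash }

trait Policy {
    /// Last check: returns an error if the signature violates the policy.
    fn signature(&self, sig: &Sig) -> Result<(), String>;
}

/// Rejects SHA-1 on every signature type, revocations included.
struct Strict;
/// Rejects SHA-1, except on revocations, which are still honored.
struct RevocationTolerant;

impl Policy for Strict {
    fn signature(&self, sig: &Sig) -> Result<(), String> {
        match sig.hash {
            Hash::Sha1 => Err(format!("{:?} rejected on {:?}", sig.hash, sig.kind)),
            _ => Ok(()),
        }
    }
}

impl Policy for RevocationTolerant {
    fn signature(&self, sig: &Sig) -> Result<(), String> {
        if sig.kind == Kind::KeyRevocation { return Ok(()); }
        Strict.signature(sig)
    }
}

/// A key is usable if a binding signature passes policy and no revocation does.
fn key_usable(p: &dyn Policy, sigs: &[Sig]) -> bool {
    let ok = |k: Kind| sigs.iter().any(|s| s.kind == k && p.signature(s).is_ok());
    ok(Kind::Binding) && !ok(Kind::KeyRevocation)
}

/// Constructed sample: a SHA-256 binding plus a SHA-1 revocation.
fn sample() -> Vec<Sig> {
    vec![Sig { kind: Kind::Binding, hash: Hash::Sha256 },
         Sig { kind: Kind::KeyRevocation, hash: Hash::Sha1 }]
}
```

Under `Strict` the SHA-1 revocation is discarded and the key counts as usable; under `RevocationTolerant` the revocation stands while SHA-1 data signatures are still refused.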