Applications which use WSTS will typically run both Signer and Coordinator state machines, in order to be able to handle all parts of the protocol. Because of this, these state machines do not verify packets as they come in; this would lead to duplicate work, and require the state machines to have all keys in their configs, including knowing who is the active coordinator. This is out of scope for the library. Thus applications must verify packets before calling process_message on them.