According to Open eBay User guide, public key can be changed at any time. Should I read the public key directly from http://developer.ebay.com/certificates/production.cert in my program in order to in-sync with eBay ?
Detailed Description
It's highly recommended that you store the Public Key locally and do not make a real time request to the key in your program.
The best practices are:
1. download and save the Public Key in your server
2. ping the developer center once a day and grab the key if it's changed
3. if you are getting the "un-verified" error, download the fresh key and re-execute the signature verification method against the latest Public Key saved.