In the suggested change to ESS (draft-ietf-smime-escertid-06.txt)
(as well as in the current RFC 2634, actually), it is said:

"If more than one certificate is present, subsequent certificates limit
the set of certificates that are used during validation. Certificates
can be either attribute certificates (limiting authorizations) or public
key certificates (limiting path validation)."

Is this set of certificates limiting:
1) Only the "primary" path from the EE certificate to the Trust Anchor?
2) All the certificates used in the validation (including possibly
OCSP responder certificates, Indirect CRL issuers, etc.)?