ietf-openpgp

Re: Multiple signatures in clearsigned messages (was Re: Cleartext Signatures)

2005-10-12 00:18:12

Daniel Nagy writes about multiple cleartext signatures:
> Some details are missing. For instance, is the order salient? One-pass
> signatures have to be bracketed, and clearsigned documents are supposed to be
> verifiable in one pass as well. But it does not necessarily imply that the
> hash algorithms should be listed in reverse signature order in the
> beginning. Actually, the standard says very little on how to go about it.

I don't think there is much benefit to putting the hashes in the (reverse)
order of the signatures.  Rather, you list all of the hashes that will
be used by any of the signatures, then simultaneously accumulate all
hash values as you scan the message in one pass.  Now you can verify
each signature and you would have the hash value at hand.

> It would definitely help one-pass verification, if signatures that refer to
> other signatures (e.g. notarization sigs) were mandated to either follow or
> precede the signatures they are referring to. Both solutions have their
> benefits, but deciding one way or another would be better than allowing
> arbitrary order. It would be nice to have a paragraph or two elaborating on
> these issues.

I am a bit uncomfortable with the notarization signature in general.
We have it in the draft but have no experience with it in reality,
which is kind of the opposite of the usual IETF procedure.  I guess it
was somebody's bright idea that got stuck in, in case people might want
to use it someday.

The fact that we may have to add further rules clarifying how to use it
just emphasizes our lack of experience with the construct.  Often with
these things you don't find the problems until you actually try to use it
for something and interoperate with others.  Given that notary signatures
have been in the draft in some form or other for years without seeing
any use that I know of, should we consider taking them out?

Hal Finney
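
Added example, not part of the message above or of any OpenPGP implementation: the one-pass approach the message describes (collect every hash named in the `Hash:` armor headers, then feed all of them while scanning the text once). It assumes the cleartext canonicalization rules of RFC 4880 (dash-unescaping, trailing whitespace stripped, CRLF line endings); `accumulate_hashes`, `HASHES` and `SAMPLE` are names made up here.

```python
import hashlib

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
# Armor "Hash:" names mapped to hashlib names (subset chosen for this example).
HASHES = {"SHA1": "sha1", "SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512"}

def accumulate_hashes(message):
    """Feed the canonical cleartext to every declared hash in one pass.

    Returns {hash name: unfinished hashlib context}; each signature later takes
    ctx.copy() and appends its own signature-packet data before finalizing.
    """
    lines = iter(message.replace("\r\n", "\n").split("\n"))
    if next(lines, None) != BEGIN_MSG:
        raise ValueError("not a cleartext signed message")
    contexts = {}
    for line in lines:                       # armor headers end at the blank line
        if line.strip() == "":
            break
        key, _, value = line.partition(":")
        if key != "Hash":
            raise ValueError("unexpected armor header: " + key)
        for name in (n.strip().upper() for n in value.split(",")):
            if name not in HASHES:
                raise ValueError("unsupported hash: " + name)
            contexts.setdefault(name, hashlib.new(HASHES[name]))
    if not contexts:
        raise ValueError("no Hash header (this example requires one)")
    first = True
    for line in lines:
        if line == BEGIN_SIG:
            return contexts                  # line ending before the armor is not hashed
        if line.startswith("- "):
            line = line[2:]                  # undo dash-escaping
        elif line.startswith("-"):
            raise ValueError("unescaped dash line in cleartext")
        data = line.rstrip(" \t").encode("utf-8")
        for ctx in contexts.values():        # every hash sees the same bytes once
            ctx.update(data if first else b"\r\n" + data)
        first = False
    raise ValueError("no signature block found")

# Constructed sample: two hashes declared, trailing spaces and a dash-escaped line.
SAMPLE = "\n".join([BEGIN_MSG, "Hash: SHA1, SHA256", "", "Hello  ",
                    "- -- dashed line", "bye", BEGIN_SIG, "",
                    "(constructed placeholder, not real signature data)",
                    "-----END PGP SIGNATURE-----"])

if __name__ == "__main__":
    for name, ctx in accumulate_hashes(SAMPLE).items():
        print(name, ctx.hexdigest())
```

Because the contexts are keyed by algorithm rather than by signature, the order in which the hashes are listed does not matter to the verifier.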