OK -- Here is a concrete proposal for this:
Add a new section 11.5 to the CMS document.
11.5 Signing Certificate Attribute
The signing-certificate attribute type specifies the exact certificate used
to sign the signed-data. This provides for an authencticated method of
linking the certificate used to create the signed-data object and the
signed-data object itself. If this attribute is not used and two different
certificates are used for the same keys, it is possible to substitute the
certificates without breaking the signature. It is suggested that the
signing-certificate attribute be present if there are any authenticated
attributes present.
The signing-certificate attribute MAY be critical. The signing-certificate
attribute MUST be authenticated. Only one instance of the
signing-certficiate attribute may appear in an attribute set.
The following object identifier identifies the signing-certificate
attribute:
id-signingCert OBJECT IDENTIFIER ::= <TBD>
Signing-certficate attribute value has the ASN.1 type IssuerAndSerialNumber.
--- END ---
Some people suggested that we put the hash either as a choice to or instead
of the issuer and serial number. I did not do this for two reasons: A)
You would need to have a field defining which hash algrithm you are going to
use to compute the has and B) this would create a new ASN structure to hold
the data. There is already well understood ways of doing the issure and
serial number look up, so this is current code which already exists.
jim