From: Stephen Farrell <farrell(_at_)baboo(_dot_)sse(_dot_)ie>
One example supporting this is to do with providing AC-based
delegation control whilst at the same time preventing AC "stealing".
If such delegation is required (perhaps only as part of ESS, or
for some mailing list cases, or maybe outside of S/MIME), then it's
pretty much for sure that simply sending the ACs of the originator
isn't sufficient.

I assume from this example that you are referring to something
like DCE "Privilege Attribute Certificates", which, despite the
similarity in name, have nothing to do with public-key-based
"Attribute Certificates" as defined by X.509 and ANSI X9.
One cannot "steal" a public key certificate - certificates are (in
principle) public knowledge, and possession of a certificate does
not by itself convey any privilege whatsoever.