I agree with Paul - partly. If you follow Paul's logic, he is correct
to say that if certs are ignored the later signature validation test
could be ambiguous. However, SignerInfo includes an indication of the
cert that should be used for the validation process using its issuer and
serial number. So Denis is correct to say that the message signature
should only be valid until the certificate is revoked.
I believe that if CMS doesn't contain wording for path validation, then