rfc2534 defines the usage of a Signing Certificate Attribute where
actually only exactly one public key certificate + a list
of attribute certs can be indicated.
It happens sometimes that some signature policies require that
several signatures MUST be present before a document becomes
valid. Contrary to the real world it is rather simple to remove
one of multiple signatures on a CMS document, and this may
put the remaining signers into an undesirable situation.
It seems useful to have a mechanism for the signer to indicate
that his signature is only valid if it is also signed by one
or more other signers.
Would it be useful to allow for multiple occurrences of the attribute
to indicate that the overall signature is valid if there are multiple
signatures for all of the indicated attributes?
In addition, multiple attribute values could be used to indicate that
at least one of the indicated certs should match.
Unfortunately there is no "global" attribute set. Thus, the attributes will
occur in all signerinfos.
I would like to propose this as a modification to whatever will be
son of rfc2524.
Any comments are welcome.
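
An added example, not part of the original message: a small verifier-side check for the co-signer rule proposed above, read as "every attribute occurrence must be satisfied, and any one of its values satisfies it". The SignerInfo model, the field names and the cert ids are assumptions made for illustration; no ASN.1 is parsed, and the requirements are assumed to come from each signer's signed attributes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SignerInfo:
    cert_id: str          # stand-in for the signer's certificate hash (constructed)
    required: tuple = ()  # one frozenset per attribute occurrence; members are alternatives
    sig_ok: bool = True   # outcome of the ordinary per-signature verification

def unmet_requirements(signer_infos):
    """Map each signer to the occurrences that no other valid signer satisfies."""
    present = {si.cert_id for si in signer_infos if si.sig_ok}
    unmet = {}
    for si in signer_infos:
        others = present - {si.cert_id}  # a signer cannot satisfy its own demand
        missing = [sorted(occ) for occ in si.required if not (occ & others)]
        if missing:
            unmet[si.cert_id] = missing
    return unmet

def signatures_valid(signer_infos):
    """Valid only if every signature verifies and every co-signer demand is met."""
    infos = list(signer_infos)
    return bool(infos) and all(si.sig_ok for si in infos) and not unmet_requirements(infos)

# Constructed sample: alice demands bob AND (carol OR dave); bob demands alice.
ALICE = SignerInfo("cert-alice", (frozenset({"cert-bob"}),
                                  frozenset({"cert-carol", "cert-dave"})))
BOB = SignerInfo("cert-bob", (frozenset({"cert-alice"}),))
CAROL = SignerInfo("cert-carol")
DAVE = SignerInfo("cert-dave")

if __name__ == "__main__":
    for label, infos in [("all three", [ALICE, BOB, CAROL]),
                         ("bob removed", [ALICE, CAROL]),
                         ("carol removed", [ALICE, BOB])]:
        print(label, signatures_valid(infos), unmet_requirements(infos))
```

Because the demands are repeated in every signer's own SignerInfo, removing one signature leaves the remaining signers' unmet demands visible to the verifier.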