You are referring to ESS, RFC 2634, right?
In some cases, signatures are serial. In this case, a countersignature
that contains the current Signing Certificate Attribute is sufficient.
In this case, too, the first signer or the document policy might want to
indicate: 'my signature is only valid if there is a countersignature from
In other cases, signatures are parallel. I think that your comments apply
to this situation. Here, multiple signer info structures are present, each
with it's own Signing Certificate Attribute. You are looking for a way to
bind two or more signer info structures together. Am I understanding your
Yes, binding together and making the signature validation fail if not all
necessary signatures are present.