To the best of my recollection, this is what I put into a product that I
1. I divided all "error" conditions into three categories: absolute
errors, policy errors, and warnings. Some examples of each would be:
"Signature Math Fails" - absolute error.
"No CRL and no CDP" - policy error
"Time stamp in message is weird" - warning
"Unknown Hash Algorithm" - warning
2. For each layer I determined the status of that layer. Policy errors
would be treated either as warnings or absolute errors depending on policy
settings from the admin.
3. Next I processed some layers based on the set of signatures - i.e. an
error if no signatures exist on a layer where we successfully validated
the math. This could push an "unknown hash algorithm" warning up to an
"unknown hash algorithm" error.
4. Signature verification passed iff every layer had AT LEAST one signature
and that signature had only warnings.
I think that there are circumstances where the logic of 4 may want to be
reversed. I.e. it passes iff every signature on a layer does not have an
error (just clean or warnings).
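The four-step status aggregation described in the post, as an added example in Python that is not from the post or the author's product; the condition names, the CATEGORY table, and the treatment of an empty layer under the reversed rule are assumptions made here.

```python
from enum import IntEnum

class Severity(IntEnum):
    CLEAN = 0
    WARNING = 1
    POLICY = 2      # error or warning depending on admin policy (step 2)
    ABSOLUTE = 3

# Constructed classification of conditions, following the post's examples (step 1).
CATEGORY = {
    "signature_math_fails": Severity.ABSOLUTE,
    "no_crl_no_cdp": Severity.POLICY,
    "weird_timestamp": Severity.WARNING,
    "unknown_hash_algorithm": Severity.WARNING,
}

def effective_severity(condition, strict_policy):
    """Step 2: policy errors become absolute errors or warnings per admin setting."""
    sev = CATEGORY[condition]
    if sev is Severity.POLICY:
        return Severity.ABSOLUTE if strict_policy else Severity.WARNING
    return sev

def evaluate_layer(layer, strict_policy):
    """Return the worst effective severity of each signature on one layer.
    layer: list of signatures, each a list of condition names (empty = clean)."""
    # Step 3: if no signature on the layer had its math validated (each one is
    # broken or uses a hash we cannot compute), "unknown hash" is pushed up to an error.
    math_ok = any("signature_math_fails" not in s and "unknown_hash_algorithm" not in s
                  for s in layer)
    worst = []
    for sig in layer:
        sevs = [effective_severity(c, strict_policy) for c in sig]
        if not math_ok and "unknown_hash_algorithm" in sig:
            sevs.append(Severity.ABSOLUTE)
        worst.append(max(sevs, default=Severity.CLEAN))
    return worst

def verify(layers, strict_policy=False, every_signature_clean=False):
    """Step 4: pass iff every layer has at least one signature with no absolute error.
    every_signature_clean selects the reversed rule from the last paragraph: no
    signature on any layer may carry an error (an empty layer still fails; assumed)."""
    for layer in layers:
        worst = evaluate_layer(layer, strict_policy)
        ok = [w is not Severity.ABSOLUTE for w in worst]
        if not worst or not any(ok):
            return False
        if every_signature_clean and not all(ok):
            return False
    return True
```

The two rules differ exactly on a layer that carries both a broken and a clean signature: the original rule accepts it, the reversed rule rejects it.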