Rich,
The ANSI financial WG discussions you relate are interesting,
but they represent concerns in a different environment. I do want to
comment on the major points you made.
First, you cite a bottom up certification system and cite
X.509, but I believe X.509 calls for both top down and bottom up
certificates. The model allows a user to certify CAs and CAs to
certify "superior" CAs to develop an up chain to a least common CA,
from whence one follows the path DOWN to the target user, using
certificates of the sort defined for PEM. Nonetheless, your specific
example is one in which the user community is perceived to be quite
small, vs. the large user community for PEM.
Second, the idea of binding trust info into certificates, if
by this you mean extending the X.509 certificate format, is really a
short cut which may undermine more general utility of certificates.
You can have the same effect by creating a separate, signed data
structure which expresses transaction limits, etc. However, if you do
this in conjunction with "vanilla" X.509 certificates you can make use
of the basic certificates for a variety of applications and more
specialized certificates can be used with applications requiring
additional data. If you are saying that your committee is proposing
to issue only the modified form of certificates, then I think
references to X.509 should just be abandoned and this should be viewed
as a specific application of public key cryptography, not a facility
for general application support such as X.509 or PEM.
Finally, the use of multiple signatures is a time honored
practice in financial institutions and I would be surprised if it were
not carried over into well-conceived, electronic counterparts.
However, it is not obvious that this applies to certificates, vs.
messages. Perhaps you could explain in more detail the circumstances
under which a certificate, vs. a message, requires multiple signatures.
The examples you cited really seemed more appropriate for messages.
Steve
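
Added example, not part of the original message: a sketch of the path construction described in the first point, climbing "up" certificates from the verifier to the least common CA and then following "down" certificates to the target. It assumes a strict tree (one superior per entity), uses constructed names, and only selects the path; signature and validity checks on each certificate are out of scope.

```python
from typing import NamedTuple

class Cert(NamedTuple):
    issuer: str   # entity that signed the certificate
    subject: str  # entity whose public key it certifies

def build_path(verifier, target, up_certs, down_certs):
    """Return (common_ca, ordered certs) linking verifier to target."""
    up = {c.issuer: c for c in up_certs}        # entity -> cert it issued for its superior
    down = {c.subject: c for c in down_certs}   # entity -> cert its superior issued for it

    # Walk from the target toward the root, recording for every ancestor
    # the downward chain that leads from it to the target.
    chain_from, node, chain = {target: []}, target, []
    while node in down:
        chain = [down[node]] + chain
        node = down[node].issuer
        if node in chain_from:
            raise ValueError("downward certificates form a loop")
        chain_from[node] = chain

    # Climb from the verifier until reaching one of those ancestors.
    path, node, seen = [], verifier, {verifier}
    while node not in chain_from:
        if node not in up:
            raise LookupError(f"no common CA for {verifier} and {target}")
        path.append(up[node])
        node = up[node].subject
        if node in seen:
            raise ValueError("upward certificates form a loop")
        seen.add(node)
    return node, path + chain_from[node]

# Constructed hierarchy (names are illustrative only).
DOWN = [Cert("Root", "OrgA"), Cert("Root", "OrgB"), Cert("OrgA", "DeptA1"),
        Cert("DeptA1", "alice"), Cert("OrgA", "carol"), Cert("OrgB", "bob")]
UP = [Cert(c.subject, c.issuer) for c in DOWN]  # each entity certifies its superior

if __name__ == "__main__":
    ca, path = build_path("alice", "bob", UP, DOWN)
    print("least common CA:", ca)
    for c in path:
        print(f"  {c.issuer} -> {c.subject}")
```
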