I understood Warwick to ask for an editorial addition to the MOSS
document indicating that certificate chains may be conveyed with
digitally signed body parts.

Steve Crocker correctly described the rationale for why the document
doesn't really say anything, but he did not mention one detail.

To summarize some relevant facts, MIME describes a framework for
organizing and transporting body parts. Except for
multipart/alternative and multipart/parallel, it does not specify any
relationship between the body parts in any given message, i.e., all body
parts are independent of all other body parts. What the MOSS
specification does is define a set of new body parts. For two of those
body parts (multipart/signed and multipart/encrypted), it explicitly
defines a relationship between the nested objects.

The issue is that even if an application/mosskey-data body part appears
in a message, there is neither a requirement nor a guarantee that the
certificates (key data) in it have anything to do with any other
digitally signed body part (or any other body part) in the message.
Hence, the following statement:

    The information in the body part is entirely independent of any
    other body part.

is (already) included in the definition of application/mosskey-data.

In conclusion, we (the authors) believe it would be misleading (from a
security perspective) to say any more than what is already stated in the
current draft of the specification.

Jim
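The structural point made above (only multipart/signed and multipart/encrypted define a relationship between their nested body parts; an application/mosskey-data part is independent of every other part), worked through as an added example that is not part of the original message or of the MOSS specification. It parses a constructed sample message with Python's standard email package and reports what the MIME tree says about each leaf part. The ordering of the two children of a security multipart follows RFC 1847; the header and parameter values in the sample (addresses, micalg, the placeholder bodies) are illustrative and are not real MOSS data.

```python
"""Added example, not code from the original message or from the MOSS
specification: walk a MIME tree and report what the structure says about
each body part.

Only the two children of a multipart/signed or multipart/encrypted
(RFC 1847) stand in a relationship that the MIME structure defines.  Every
other body part, application/mosskey-data included, is independent of
every other part, so a verifier must not assume that key data found in one
part belongs to a signature found in another.  The sample message is
constructed; header and parameter values are illustrative, not real MOSS
data.
"""
from email import message_from_string, policy

SAMPLE_MESSAGE = """\
From: alice@example.org
To: bob@example.org
Subject: a signed note, plus key data that happens to share the message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/signed; boundary="inner";
 protocol="application/moss-signature"; micalg="rsa-md5"

--inner
Content-Type: text/plain

This text is the content covered by the signature.
--inner
Content-Type: application/moss-signature

(constructed placeholder for the MOSS signature control information)
--inner--

--outer
Content-Type: application/mosskey-data

(constructed placeholder for certificate data; nothing in MIME or MOSS
ties it to the signature in the previous body part)
--outer--
"""

# RFC 1847 fixes both the number (exactly two) and the order of the children
# of each security multipart; the roles below follow that order.
ROLES = {
    "multipart/signed": ("signed content", "signature (control information)"),
    "multipart/encrypted": ("control information (keys)", "encrypted content"),
}


def relationship(parent, index):
    """Describe what the MIME structure says about the leaf at parent[index].

    parent is the enclosing multipart (None for a single-part message) and
    index is the leaf's position among its siblings.
    """
    if parent is None:
        return "independent"
    roles = ROLES.get(parent.get_content_type())
    if roles is None:
        # multipart/mixed and the like: siblings are unrelated to one another.
        return "independent"
    if len(parent.get_payload()) != 2:
        return "malformed security multipart (must have exactly two parts)"
    return roles[index]


def classify_parts(msg):
    """Return [(content_type, relationship)] for every leaf body part."""
    result = []

    def walk(part, parent, index):
        if part.is_multipart():
            for i, child in enumerate(part.get_payload()):
                walk(child, part, i)
            return
        result.append((part.get_content_type(), relationship(parent, index)))

    walk(msg, None, 0)
    return result


def classify_sample():
    """Parse the constructed message and classify its parts."""
    msg = message_from_string(SAMPLE_MESSAGE, policy=policy.default)
    return classify_parts(msg)


if __name__ == "__main__":
    for content_type, rel in classify_sample():
        print(f"{content_type:32} {rel}")
```

For the sample, the text/plain part is reported as the signed content and the application/moss-signature part as its signature, while the application/mosskey-data part comes back as independent: it is a sibling of the multipart/signed, not a child of it, so the structure gives a verifier no grounds to treat its certificates as the ones that signed the note. The two-part check is there because a multipart/signed with any other number of children is malformed under RFC 1847 and should not be interpreted at all.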