Bart Smaalders wrote:
> Stephen Hahn wrote:
>
>> I am having difficulty formulating a use case where nested or multiply
>> signed packages are needed, and in which the consumer makes different
>> decisions when distinct subsets of the signing entities cannot be
>> independently verified. Maybe someone has an example?
>
> Multiply signed packages are useful, as others have pointed out, to
> permit systems to require multiple signatures, or permit alternate
> signatures.
>
> The easiest way to do this is to omit all signatures from the
> hash; adding a new signature would then not invalidate previous ones.

Which is exactly how elfsign works (even though we do not currently use
the multiple signature capability).

--
Darren J Moffat
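The scheme discussed in this message, as an added example that is not part of the original thread and is not elfsign or packaging-system code: signature lines are left out of the hash, so a second signer can append a signature without invalidating the first, and the consumer applies a "require these" or "any of these" policy. The manifest layout, the function names and the keys are hypothetical, and HMAC-SHA256 with constructed keys stands in for a real public-key signature.

```python
import hashlib
import hmac

# Constructed demo keys; HMAC-SHA256 stands in for a real public-key signature.
KEYS = {"vendor": b"vendor-demo-key", "site": b"site-demo-key"}
SIG = "signature "  # hypothetical prefix marking a signature line

def digest(lines, hash_signatures=False):
    """Hash the manifest; signature lines are skipped unless hash_signatures."""
    h = hashlib.sha256()
    for line in lines:
        if hash_signatures or not line.startswith(SIG):
            h.update(line.encode() + b"\n")
    return h.digest()

def sign(lines, signer, hash_signatures=False):
    """Return a copy of the manifest with signer's signature line appended."""
    tag = hmac.new(KEYS[signer], digest(lines, hash_signatures), hashlib.sha256)
    return lines + [f"{SIG}{signer} {tag.hexdigest()}"]

def valid_signers(lines, hash_signatures=False):
    """Return the set of signers whose signature line still verifies."""
    good = set()
    for i, line in enumerate(lines):
        if not line.startswith(SIG):
            continue
        signer, _, tag = line[len(SIG):].partition(" ")
        if signer not in KEYS:
            continue  # unknown signer: cannot be verified, so not counted
        rest = lines[:i] + lines[i + 1:]  # everything except this signature
        want = hmac.new(KEYS[signer], digest(rest, hash_signatures), hashlib.sha256)
        if hmac.compare_digest(tag.encode(), want.hexdigest().encode()):
            good.add(signer)
    return good

def accept(lines, require_all=(), any_of=()):
    """Consumer policy: every signer in require_all, plus one of any_of if given."""
    good = valid_signers(lines)
    return set(require_all) <= good and (not any_of or bool(good & set(any_of)))

# Constructed manifest lines for the demonstration.
PKG = ["file usr/bin/tool sha256=placeholder", "depend lib/core"]

if __name__ == "__main__":
    both = sign(sign(PKG, "vendor"), "site")
    print("signatures omitted from hash:", sorted(valid_signers(both)))
    naive = sign(sign(PKG, "vendor", True), "site", True)
    print("signatures included in hash: ", sorted(valid_signers(naive, True)))
    print("require both:", accept(both, require_all=("vendor", "site")))
```

Because signature lines are outside the hash, anyone handling the package can strip one without disturbing the others, so the consumer's policy has to name the signers it requires rather than trust whatever signatures happen to be present.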
