Stephen Hahn wrote:
> I am having difficulty formulating a use case where nested or multiply
> signed packages are needed, and in which the consumer makes different
> decisions when distinct subsets of the signing entities cannot be
> independently verified. Maybe someone has an example?

Multiply signed packages are useful, as others have pointed out, to permit systems to require multiple signatures, or permit alternate signatures. The easiest way to do this is to omit all signatures from the hash; adding a new signature would then not invalidate previous ones.

- Bart

--
Bart Smaalders
Solaris Kernel Performance
barts at cyber.eng.sun.com
http://blogs.sun.com/barts
"You will contribute more with mercurial than with thunderbird."
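The scheme described in the message above, sketched as an added example that is not part of the original post or of any packaging project's code: signature lines are left out of the manifest hash, so a second signer can be appended without invalidating the first, and the consumer's policy can demand several signers or accept alternates. The `signature <signer> <hex>` line format, the function names, the sample manifest and the use of HMAC-SHA256 as a stand-in for a public-key signature are all assumptions.

```python
import hashlib
import hmac

SIG_PREFIX = "signature "  # assumed line format: "signature <signer> <hex>"

def content_digest(manifest: str) -> bytes:
    """Hash every manifest line except signature lines."""
    h = hashlib.sha256()
    for line in manifest.splitlines():
        if not line.startswith(SIG_PREFIX):
            h.update(line.encode() + b"\n")
    return h.digest()

def add_signature(manifest: str, signer: str, key: bytes) -> str:
    """Append a signature line; the digest of the signed content is unchanged."""
    # HMAC-SHA256 stands in for a real public-key signature (stdlib only).
    tag = hmac.new(key, content_digest(manifest), hashlib.sha256).hexdigest()
    return manifest.rstrip("\n") + f"\n{SIG_PREFIX}{signer} {tag}\n"

def verified_signers(manifest: str, trusted: dict[str, bytes]) -> set[str]:
    """Return the trusted signers whose signature line verifies."""
    digest = content_digest(manifest)
    good = set()
    for line in manifest.splitlines():
        if not line.startswith(SIG_PREFIX):
            continue
        parts = line[len(SIG_PREFIX):].split()
        if len(parts) != 2 or parts[0] not in trusted:
            continue  # malformed line or unknown signer: ignored, not fatal
        expected = hmac.new(trusted[parts[0]], digest, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected.encode(), parts[1].encode()):
            good.add(parts[0])
    return good

def policy_ok(signers, require_all=frozenset(), require_any=frozenset()) -> bool:
    """Multiple required signatures (require_all) or alternates (require_any)."""
    return require_all <= signers and (not require_any or bool(signers & require_any))

# Constructed sample manifest and keys, for illustration only.
KEYS = {"vendor": b"k-vendor", "site-qa": b"k-qa"}
MANIFEST = "file path=usr/bin/foo mode=0555 hash=ab12\nset name=pkg.fmri value=foo@1.0\n"

if __name__ == "__main__":
    once = add_signature(MANIFEST, "vendor", KEYS["vendor"])
    twice = add_signature(once, "site-qa", KEYS["site-qa"])
    print(sorted(verified_signers(twice, KEYS)))
```

Because the signature lines sit outside the hash, deleting one does not change the digest either, so the consumer's policy check is what enforces which signers must be present.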
