Is it possible to sign a MIME email (RFC 2822) multiple times using S/MIME, so that all signatures are verifiable and retrievable?

+1  A: 

The S/MIME format supports multiple signatures. S/MIME is, mostly, CMS with Base64 encoding so that it fits in text-only emails. In CMS, whenever there is a signature, there is actually some room for an arbitrary number of signatures, all computed over the main data. Signatures can be verified independently of each other. CMS also supports counter-signatures, which are signatures computed over other signatures (what counter-signatures actually guarantee is somewhat unclear).

However, you may have trouble finding email software which supports that. Graphical mail applications (e.g. Thunderbird, Outlook Express...) have a single "sign" button and do not support adding multiple signatures. I am not sure of how they react upon receiving such an email either.

Programmatically, this is mostly a matter of using a CMS-aware library which allows you to inspect and create arbitrary CMS objects. Apparently, Bouncy Castle is such a library.

Thomas Pornin
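
An added example, not part of the answer above: one CMS SignedData carrying two SignerInfos over the same content, each verified on its own. It assumes Bouncy Castle's bcprov and bcpkix jars on the classpath; the class name, the subject names and the throwaway self-signed certificates are constructed for the illustration.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.cms.*;
import org.bouncycastle.cms.jcajce.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class MultiSignerCms {
    // Constructed test identity: a throwaway self-signed certificate valid for one day.
    static X509Certificate selfSigned(KeyPair kp, String cn) throws Exception {
        X500Principal name = new X500Principal("CN=" + cn);
        Date from = new Date(System.currentTimeMillis() - 60_000L);
        Date to = new Date(from.getTime() + 86_400_000L);
        X509CertificateHolder h = new JcaX509v3CertificateBuilder(
                name, BigInteger.valueOf(from.getTime()), from, to, name, kp.getPublic())
            .build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate()));
        return new JcaX509CertificateConverter().getCertificate(h);
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        List<X509Certificate> certs = new ArrayList<>();
        for (String cn : new String[] {"alice.example", "bob.example"}) {
            KeyPair kp = kpg.generateKeyPair();
            X509Certificate cert = selfSigned(kp, cn);
            // One SignerInfo per call; every signer signs the same content.
            gen.addSignerInfoGenerator(new JcaSimpleSignerInfoGeneratorBuilder()
                .setProvider("BC").build("SHA256withRSA", kp.getPrivate(), cert));
            certs.add(cert);
        }
        gen.addCertificates(new JcaCertStore(certs));
        byte[] body = "Content-Type: text/plain\r\n\r\nhello\r\n".getBytes("US-ASCII");
        // true = content encapsulated in the SignedData; false gives a detached signature.
        byte[] der = gen.generate(new CMSProcessableByteArray(body), true).getEncoded();
        // Receiving side: parse, then check each SignerInfo against its own certificate.
        CMSSignedData parsed = new CMSSignedData(der);
        for (SignerInformation si : parsed.getSignerInfos().getSigners()) {
            X509CertificateHolder c = (X509CertificateHolder)
                parsed.getCertificates().getMatches(si.getSID()).iterator().next();
            boolean ok = si.verify(new JcaSimpleSignerInfoVerifierBuilder()
                .setProvider("BC").build(c));
            System.out.println(c.getSubject() + " valid=" + ok);
        }
    }
}
```

The loop only checks each signature mathematically against the certificate shipped in the message; a real verifier must also build and validate each signer's certificate chain to a trusted root before accepting that signer.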