2.3.2.4.5 SignerInfo unauthenticatedAttributes

A Countersignature located in the SignerInfo (section 2.3.2.4.2) unauthenticatedAttributes field SHOULD be generated by a trusted third-party time stamp authority (TSA). Its purpose is to assert that the VBA project signature existed prior to the time specified in the SigningTime attribute, which is one of the attributes listed below.

The Countersignature used MUST consist of the following attributes in the unauthenticatedAttributes field:

  • ContentType ([PKCS9] section 6.3): The attribute’s value MUST be set to PKCS #7 Data ([PKCS7] section 8).

  • SigningTime ([PKCS9] section 6.5): The value MUST be set as specified by [PKCS9] section 6.5.

  • messageDigest ([PKCS9] section 6.4): The value MUST be set as specified by [PKCS9] section 6.6.

In addition, the certificate ([RFC3280]) whose private key signed the Countersignature MUST be added to the SignedData (section 2.3.2.4.1) certificates field. Intermediate and root certificates of the certificate chain, including the signing certificate, MAY also be added to the SignedData (section 2.3.2.4.1) certificates field.
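
The following added example (not part of the specification) checks a Countersignature's attribute set for the three attributes listed above. It assumes the attribute set has already been extracted as DER bytes; the function names, the accepted outer tags, and the sample input are hypothetical and constructed for illustration.

```python
PKCS9 = bytes.fromhex("2a864886f70d0109")              # 1.2.840.113549.1.9
OID_CONTENT_TYPE, OID_MESSAGE_DIGEST, OID_SIGNING_TIME = (PKCS9 + bytes([n]) for n in (3, 4, 5))
OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")   # 1.2.840.113549.1.7.1

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one DER element; raises on malformed input."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def elements(buf):
    pos, out = 0, []
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, value))
    return out

RULES = [  # (name, attribute OID, predicate on the single value's tag and bytes)
    ("ContentType", OID_CONTENT_TYPE, lambda t, v: t == 0x06 and v == OID_PKCS7_DATA),
    ("SigningTime", OID_SIGNING_TIME, lambda t, v: t in (0x17, 0x18)),  # UTCTime/GeneralizedTime
    ("messageDigest", OID_MESSAGE_DIGEST, lambda t, v: t == 0x04 and len(v) > 0)]

def check_attributes(der):
    """Return the problems found; an empty list means all required attributes are valid."""
    try:
        tag, body, end = read_tlv(der)
        if tag not in (0x31, 0xA0) or end != len(der):  # SET or [0] IMPLICIT (assumption)
            return ["not a single attribute SET"]
        seen = {}
        for item_tag, item in elements(body):
            parts = elements(item) if item_tag == 0x30 else []
            if len(parts) != 2 or parts[0][0] != 0x06 or parts[1][0] != 0x31:
                return ["malformed Attribute"]
            seen.setdefault(parts[0][1], []).extend(elements(parts[1][1]))
    except (ValueError, IndexError):
        return ["malformed DER"]
    return [f"{name} {'invalid' if oid in seen else 'missing'}" for name, oid, ok in RULES
            if len(seen.get(oid, [])) != 1 or not ok(*seen[oid][0])]

# Constructed sample (not from a real signature); helpers emit short-form lengths only.
tlv = lambda tag, value: bytes([tag, len(value)]) + value
make_attr = lambda oid, value: tlv(0x30, tlv(0x06, oid) + tlv(0x31, value))
SAMPLE_OK = tlv(0x31, make_attr(OID_CONTENT_TYPE, tlv(0x06, OID_PKCS7_DATA))
                + make_attr(OID_SIGNING_TIME, tlv(0x17, b"240101120000Z"))
                + make_attr(OID_MESSAGE_DIGEST, tlv(0x04, bytes(20))))
```

The check covers only the presence and ASN.1 type of each attribute. Verifying the messageDigest value, the TSA certificate chain, and the countersignature itself are separate steps.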