notaryproject · yizha1 · Aug 1, 2024 · Jul 30, 2024 · Jul 31, 2024
@@ -146,7 +146,7 @@ See [Guidelines for implementations of the Notary Project signature specificatio
 
 ### Unsigned Attributes
 
-These attributes are considered unsigned with respect to the signing key that generates the signature.
+These attributes are considered unsigned with respect to the signing key that generates the signature. These attributes may be independently signed by a third party (e.g. CA, TSA) for various purposes.
 
 - **Certificate Chain**: This is a REQUIRED attribute that contains the ordered list of X.509 public certificates associated with the signing key used to generate the signature. The ordered list starts with the signing certificate, any intermediate certificates and ends with the root certificate. The certificate chain MUST be authenticated against a trust store as part of signature validation. Specific requirements for the certificates in the chain are provided [here](#certificate-requirements).
 - **Timestamp Signature**: An OPTIONAL countersignature generated by a trusted third party, such as a Timestamp Authority (TSA). Its purpose is to demonstrate that the primitive signature, computed on payload and signed attributes, was generated before the timestamp. Only [RFC 3161][ietf-rfc3161] compliant timestamp signatures are supported. If present, this claim is validated and used solely under the [`notary.x509`](./signing-scheme.md/#notaryx509) signing scheme.