188.8.131.52.1 SignedData Constraints
The digestAlgorithms field MUST contain only one digestAlgorithmIdentifier ([PKCS7] section 6.3), and that digestAlgorithmIdentifier MUST specify the identifier of the algorithm used to create the digest of the signature.<10>
The contentInfo field’s contentType MUST be an Object Identifier ([ITUX680-1994] section 3.8.35) with the value "184.108.40.206.4.1.3220.127.116.11". The content field of the contentInfo of this SignedData structure MUST be a SpcIndirectDataContent structure (section 18.104.22.168.3.1).
The certificates field MUST contain certificates as specified by [PKCS7] section 9.1. This MUST include the signature verification certificate and can contain any intermediate certificates between that end entity and the root, including the root. If the SignedData contains a Countersignature ([PKCS9] section 6.6), the certificates associated with the Countersignature also MUST be contained in the certificates field.
The crls field SHOULD be absent. If present, the crls field MUST be ignored.
The signerInfos field MUST contain a single SignerInfo structure (section 22.214.171.124.2) ([PKCS7] section 9.2).