Messages signed by multiple parties

I’d like to be able to used a chained message signature from canister API that uses ICP’s caller-based authentiation.

Here’s the use case:

1. User A signs message M
2. User B approves and signs message M (now Mprime?)
3. User B then sends message Mp to Canister C via API
4. Canister C uses ICP’s caller based auth to see that the caller is B.
5. Canister C then wants to take Mp and deconstruct it to M, proving that it was signed by A.

Essentially, I’m looking for some way of allowing multiple parties to sign a message such that I can know the initial principal that wrote the message, and can verify that another principal has signed off on the initial message. The ordering (knowing that A wrote M) is important.

Ideally this operation would be atomic and not require calls to the management canister to fetch a principal’s public key. It would be lovely if some of these operations could be abstracted away, similar to ICP’s caller based authentication.

There is no way to do this atomically at this time. What you could do today with the existing threshold signature implementation is

1. A signs M generating sig_A
2. A sends M and sig_A to B
3. B combines M and sig_A into a single input (for example by concatenating them together, or putting them into a JSON struct)
4. B signs the combination of M and sig_A generating sig_B
5. C takes M, sig_A and sig_B and verifies both signatures.

Implementing a multi-canister threshold signature would be an interesting extension to what we currently have, but this is not (afaik) currently something on the roadmap.