openpgp-pqc / draft-openpgp-pqc

Repository of the WIP draft-ietf-openpgp-pqc

Added an analysis of the composite signatures in the security considerations. #92

Closed falko-strenzke closed 5 months ago

TJ-91 commented 6 months ago

I agree with the arguments that you make but I think we can omit some of the things you are explaining. I think the second paragraph is useful to have in mind as a protocol designer but it may not be this specification's job to explain this to the implementer. Also, the first paragraph could stop after the first two sentences which explain what the attack is. That would keep it a bit more concise and to the point, i.e., we state what the attack is and why the attack does not apply to this construction.

As for explaining the resistance against the described weak existential forgery attack, I would either add this to a new section, or make the section title more general.

falko-strenzke commented 6 months ago

> I agree with the arguments that you make but I think we can omit some of the things you are explaining. I think the second paragraph is useful to have in mind as a protocol designer but it may not be this specification's job to explain this to the implementer. Also, the first paragraph could stop after the first two sentences which explain what the attack is. That would keep it a bit more concise and to the point, i.e., we state what the attack is and why the attack does not apply to this construction.

OK, makes sense. I reduced the text significantly.

> As for explaining the resistance against the described weak existential forgery attack, I would either add this to a new section, or make the section title more general.

Yes, I generalized the title.