6

I have a few questions relating to threshold signatures: a scheme where $n$ participants hold a key share and any $t$ of them can conduct a protocol using their shares that results in a valid RSA or DSA signature being applied to a known message.

Questions

  1. Several techniques exist for threshold RSA (1,2) that seem reasonably efficient. Is there any impedance to using these protocols with a standards-compliant version of an RSA signature (such as RSA as used in X.509 for SSL/TLS certificates)?
  2. Are there any techniques for threshold DSA (aside from this 2-out-of-2 case)?
  3. Are there any tools available that implement a threshold signature scheme? A tool that would allow each participant to contribute to the DKG, and would later generate their contribution to the final signature on a shared message given their key share?

It is my belief that (1) is standards-compliant as padding can be done prior to signing without reference to the signing key, (2) does not exist, and (3) does not exist either. But now that this site exists, I figure why not ask?

EDIT: Regarding (2), there are techniques for DSA. I missed them because they are proposed for "DSS" instead.

PulpSpy
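An added example (not part of the original question or of the papers it cites) illustrating point (1): EMSA-PKCS1-v1_5 padding is computed from the message and modulus length alone, so every share holder can pad locally and the combined result is an ordinary RSA signature. Assumptions: a trusted dealer and additive n-of-n sharing stand in for the t-of-n schemes and DKG, the key is a constructed demo key built from two Mersenne primes, and all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed demo key: two Mersenne primes, chosen only so the example runs
# offline. The factors are public knowledge, so this key is insecure.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)              # full private exponent, known only to the dealer
K = (N.bit_length() + 7) // 8    # modulus length in bytes

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(message: bytes) -> int:
    """Deterministic padding: uses the message and modulus length, no key."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def deal_shares(n_parties: int) -> list:
    """Assumed trusted dealer: additive shares that sum to D modulo PHI."""
    shares = [secrets.randbelow(PHI) for _ in range(n_parties - 1)]
    shares.append((D - sum(shares)) % PHI)
    return shares

def partial_sign(share: int, message: bytes) -> int:
    """Each party pads locally, then exponentiates with its own share."""
    return pow(emsa_pkcs1_v15(message), share, N)

def combine(partials: list) -> int:
    """Multiply the partial signatures modulo N."""
    sig = 1
    for s in partials:
        sig = sig * s % N
    return sig

def verify(message: bytes, sig: int) -> bool:
    """Ordinary single-key RSASSA-PKCS1-v1_5 verification."""
    return pow(sig, E, N) == emsa_pkcs1_v15(message)

def demo() -> bool:
    msg = b"constructed sample: bytes of a certificate to be signed"
    shares = deal_shares(3)
    sig = combine([partial_sign(s, msg) for s in shares])
    # The combined value equals what a holder of the whole key would produce.
    return verify(msg, sig) and sig == pow(emsa_pkcs1_v15(msg), D, N)
```

A verifier sees nothing that distinguishes the combined signature from one made with the undivided key.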

1 Answer

1

Regarding your first question, it is my understanding that DKG techniques are in practice mainly used for offline signing, such as when a certificate authority issues new intermediate CA certificates. Using DKG for online signing, such as server side SSL/TLS, is not a problem that is solved by the papers you refer to, since the threat scenario is significantly different from that of offline signing. More precisely, to guard yourself against unauthentic signing requests in the online case, the front end server has to authenticate itself to the back end key share servers, but if it is able to do that, it is able to store a private (or secret) key securely and doesn't really need DKG in the first place.

Henrick Hellström
  • Thanks. I am thinking of an offline/infrequent signing scenario like issuing SSL/TLS certificates, transaction signing in Bitcoin, code signing in Android, etc. – PulpSpy Feb 14 '12 at 18:42