I was probably referring from memory to the usage of 'zero' in this passage of this document:
'Note: Role of Certificate that Signs the KDM: The KDM shall be signed using a leaf certificate with a SubjectName having zero to many role(s) (See SMPTE ST 430-2 for more information about certificate roles). DCI requires the use of CPL signature in those cases where the CPL references encrypted track files (See DCI Specification v1.2, section 5.2.3 "Packaging Concepts"). The rationale for KDM interpretation presented above explains why this is a desirable practice. It should be noted however that DCI does not require that a player reject a CPL that is not signed, even in the case where the CPL references encrypted track files - except in the special case where the ContentAuthenticator element is present in the KDM.'