Is signing the body at all an essential requirement? Yes, some potential
risk for a replay attack but otherwise "whoami I sent this" should be
sufficient for some providers,
As long as people support the l= tag, they could use l=0 to not sign the
body. This capability has been cited as a reason to get rid of l=
because it facilitates such "dangerous" behavior. IMO, if they want to
sign such messages, and recipients want to accept them, let them do that.
NOTE WELL: This list operates according to