Making a language that is really secure for mail use, given non-trusted
or unauthenticated senders, is *very* hard. It has, in fact, been my
major research area for the last two years. It can be done -- I have a
formal spec for a language called ATOMICMAIL that was designed for this
very purpose -- but it can't easily be done by just hacking at existing
languages such as Display Postscript. That is a very dangerous path to
take.
If there's enough interest, I could post or otherwise make available a
draft paper on ATOMICMAIL that I've submitted to the IFIP MHS conference
in Vancouver next spring. -- Nathaniel