So my proposal for an implementation would be something like this:
(1) If the recipient has already seen the old version, show him
the new version with an obsoletes field.
(2) If the recipient has not yet seen either version, and if
the "From:" of the obsoleting message has authority to
obsolete it, show only the new version, but indicate that
it is an obsoletion and allow the recipient to retrieve
the old version with a suitable command.
(3) Otherwise, show both versions.
(4) When showing an obsoleting message, and where the "From:"
of the obsoleting message does not seem to have authority
to obsolete it, give a warning about this in the heading.
(5) Checking of authority to obsolete might be done in the
(a) If the recipient mailbox owner accepts weak authentication,
accept authority if the "From:" fields are identical,
or accept authority if the "From:" field matches that
of a moderator name for the distribution list in the
"To:" field, which moderator name the recipient UA
owner has stored in his mailbox preferences. One could
discuss whether "matches" should mean identity only
in the formal part of the name, or also in the part
called "phrase" in Internet and "free-form-name" in X.400.
(b) If the recipient mailbox owner requires strong authentication,
require certified digital signatures instead.
All this sounds like good advice to me. I note in passing that this doesn't do
much in practice unless there's a way to generate these headers from agents
people actually use. Perhaps a command akin to a REPLY which instead duplicates
the recipient information for the original message and then references it in an
Obsoletes: header, along with references to any other messages previously
obsoleted? Perhaps some other approach?
The details of this perhaps need not be standardised. For example,
a good recipient client software might allow a client to accept
weak authentication for certain distribution lists, but require
strong authentication for other lists.
I think these things belong in an informational document along the lines of
some of the work currently being reviewed by the Mail Extensions Working Group.
Of course it would be valuable if a service is provided for a
UA software to find out who is the moderator of a distribution
list without the UA owner having to store it. Some kind of
directory system would then be needed. My suggestion is that
this should be part of the specification of a more general
distribution list handling in Internet, not part of a specification
of the "obsoletes" field.
I completely agree.
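
The display rules (1)-(5) proposed in the quoted text, sketched as an added example that is not code from either correspondent. It assumes "matches" means identity of the formal part (addr-spec) only, ignoring the phrase; the function names, the `moderators` preference mapping, and the `signature_verified` flag (the result of a separate certified-signature check) are hypothetical.

```python
from email.utils import parseaddr


def formal_part(header_value):
    """Return the addr-spec of a From:/To: value, ignoring the phrase.

    Lower-casing the whole address is an assumption of this example.
    """
    return parseaddr(header_value)[1].lower()


def has_authority(new_from, old_from, list_to, moderators,
                  strong_required=False, signature_verified=False):
    """Rule (5): may the sender of the obsoleting message obsolete the old one?

    moderators maps a lower-cased list address to the moderator address the
    mailbox owner stored in his preferences (hypothetical store).
    """
    if strong_required:                      # (5b) signatures only
        return signature_verified
    sender = formal_part(new_from)           # (5a) weak: compare "From:" fields
    if not sender:                           # unparsable From: never matches
        return False
    if sender == formal_part(old_from):
        return True
    moderator = moderators.get(formal_part(list_to))
    return moderator is not None and sender == formal_part(moderator)


def display_plan(seen_old, authorized):
    """Rules (1)-(4): which versions to show, and whether to warn."""
    if seen_old:                             # (1)
        plan = {"show": ["new"], "note": "obsoletes"}
    elif authorized:                         # (2)
        plan = {"show": ["new"], "note": "obsoletion; old retrievable"}
    else:                                    # (3)
        plan = {"show": ["old", "new"], "note": None}
    plan["warn"] = not authorized            # (4) warning in the heading
    return plan
```

With weak matching, a "From:" whose phrase equals the original sender's but whose address differs gets no authority, so both versions are shown with the warning from rule (4).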