At the level of a charter discussion, I agree with everything you said.
I do not believe that PGP or S/MIME are directly applicable, because as
both you and John suggest (and I agreed) there are details that are not
covered. So let's focus on those details.
There have been many issues with the prior secure email technologies,
not the least of which is the requirements this group wants solve. I'm
just suggesting we should focus on those requirements and the adjunct
profile for one of the other technologies to actually create the
signature.
Creating a secure email protocol is hard work. I believe that all of
S/MIME, PGP, and MOSS were done correctly, from the point of view of the
core technology. When it comes to useability we could compare them for
hours. They each have advantages and disadvantages, but none of the
advantages of any one were sufficient to get it "wildly huge'
deployment.
However, useability is not as much an issue in this problem space.
We're talking about MTAs that are going to be running largely
unattended. In theory, the user clue-level will be higher, or at least
vendors will have a smaller community to be concerned about.
So I am much more hopeful this time that incorporating the use of any
one of the technologies will result in "wildly huge" deployment of
secure email, at least in the hop-by-hop space. If that's true, it's
only a matter of time before it finally finds it way into the MUAs.
Jim