> Because then I could take the message signed by the mailing list and
> replay it to a whole lot of people that aren't subscribed to the
> mailing list, as well.

Indeed, you could. So what?

The main point of any sender authentication scheme is to identify who to
blame for any particular message. If the mail really came from the
mailing list, the list should sign it. People can draw their own
conclusions about the merits of mail the list sends.

We can't know all of the ways that people set up their mailing list
software. There might be other ways that list software weeds out nasty
mail, e.g., put a password in incoming mail, or only accept mail from the
local LAN. I don't think it's productive to try to create rules about
when senders are supposed to sign their mail and when they aren't.

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.