ietf-mailsig

Re: Web pages for MASS effort

2004-11-30 11:52:16

Douglas Otis wrote:

 Much of the spam today looks very much like the few lines added at
 the end of the typical web mail service or the list server. Who
 would be accountable for spam added at the end, when it must be
 ignored by signature validation? What was once innocent and
 heuristically ignored soon becomes the norm for spammers. Keeping
 this behavior to a minimum does ensure greater protection from abuse.

There is no requirement that the recipient display the unsigned content at the end of a message. A verifying MTA may remove the unsigned content at its discretion. A suitably equipped MUA could do something fancier, like Thunderbird does for embedded URLs (click here if you want to see the embedded content). In other words, the decision to sign only a portion of the message is made by the sender, but the recipient can decide whether to accept that or not.

 Requiring those that make changes to re-sign the message does ensure
 this process identifies those accountable. A header could be included
 to allow signature validation to be cascaded.

I agree that it's desirable for those that make changes to re-sign the message. But I think it's undesirable to say that signatures will just fail for a large proportion of mailing lists unless that happens.

Then there's the other question you touch on, of whether a signature is added or the original signature is replaced. I'm in the "added" camp even though that means we have to define how messages are treated when different signatures succeed and fail.

-Jim
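
The recipient-side choice described in the message above, sketched as an added example that is not part of the original post or of any MASS proposal. It assumes the sender conveys how many body bytes were signed (the `signed_len` parameter is hypothetical), uses HMAC with a demo key as a stand-in for a public-key signature, and the policy names are invented for illustration.

```python
import hashlib
import hmac

# Assumption: HMAC with a shared demo key stands in for the sender's
# public-key signature so the example runs offline.
DEMO_KEY = b"constructed-demo-key"

# Constructed sample: the author's body, then a footer appended in transit.
ORIGINAL = b"Hello list,\r\nsee you Tuesday.\r\n"
FOOTER = b"-- \r\nlist footer (constructed)\r\n"


def sign_prefix(body: bytes, signed_len: int) -> str:
    """Sender side: sign only the first signed_len bytes of the body."""
    return hmac.new(DEMO_KEY, body[:signed_len], hashlib.sha256).hexdigest()


def verify(body: bytes, signed_len: int, sig: str, policy: str = "strip"):
    """Recipient side: return (verdict, body_to_deliver).

    policy is chosen by the recipient (hypothetical names):
      "strip"  deliver only the signed portion
      "keep"   deliver everything, but flag the unsigned trailer
      "reject" treat any unsigned trailer as a failure
    """
    # A claimed length longer than the body means signed content is missing.
    if not 0 <= signed_len <= len(body):
        return "fail", body
    expected = hmac.new(DEMO_KEY, body[:signed_len], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return "fail", body
    if signed_len == len(body):
        return "pass", body
    if policy == "strip":
        return "pass", body[:signed_len]
    if policy == "reject":
        return "fail", body
    return "pass-unsigned-trailer", body


if __name__ == "__main__":
    sig = sign_prefix(ORIGINAL, len(ORIGINAL))
    received = ORIGINAL + FOOTER
    for policy in ("strip", "keep", "reject"):
        print(policy, verify(received, len(ORIGINAL), sig, policy))
```

The same signature yields three different outcomes for the appended footer, which is the point made above: the sender decides what is signed, the recipient decides what to do with the rest.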

