OK a proposal.
1) We define a new OID with semantics 'Authenticated header'. The data value
associated with the OID is simply a string that corresponds to an RFC 822
format header. E.g.
184.108.40.206 "From: Fred Hapgood <fred(_at_)hapgood(_dot_)com>"
220.127.116.11 "To: Jane Witherspooon <jane(_dot_)witherspoon(_at_)aol(_dot_)com>"
18.104.22.168 "Content-Type: text/xml"
Clients are required to consider such authenticated headers as being
authoratative. There is no need to create an error because unauthenticated
data does not agree, the unauthenticated data can simply be supressed.
2) The mail address in the cert becomes optional.
3) Signer purpose OIDs are an important but very separate problem.