pem-dev

Re: Signed objects vs. signed comments

1993-05-03 10:38:00
Tom,

You ask a fair question and you set forth the scenario quite
precisely.  Let me use your scenario to pinpoint the issue I have in
mind.

Consider the following scenario: Bob prepares a draft of a contract,
signs it, and emails it to Carol. Carol reads it, prepares some
comments of the form: If you make <these changes> to <that
document>, I will sign <my signature>.  Carol then constructs a
multi-part MIME-PEM document consisting of the following parts:
 A) the original message, containing the contract,

How does the next reader, or Bob for that matter, know for sure
whether Carol has included the message that Bob sent or some other
message?  The signature guarantees that it came from Bob, but it may
be some other version of the same document.  The mistake may be
innocent or deliberate.

    signed with Bob's signature
 B) her comments
Carol then puts her signature on the combined document (A and B),
and sends it back to Bob, with copies to Ted and Alice.

Ted and Alice can clearly see that the original contract (part A)
is what Bob wrote, because his signature is still on it. Also,

Not quite.  Ted and Alice can see clearly that part A was written by
Bob at some point.  Suppose they received a copy of this document via
a separate channel, they won't be able to tell quickly whether it's
the same version unless they compare checksums.

they can clearly see that Carol has not signed the contract itself,
because her signature applies to parts A and B -- the contract
combined with her comments.  And the comments say, in English,
that she will only agree to the contract with the specified changes.

In my opinion, the semantics of a signature should be "I said
these words", and the interpretation of the words should be
done by a process that is defined separately from the
digital signature validation process, such as contract law.
To try to combine them makes things much too complicated.

In some sense, during the review and commentary process, it's less
important who wrote a particular draft and more important to know
which draft you're dealing with.  Signatures matter only when the
words are fully agreed to.

Here's a somewhat nasty way for Bob and Carol to conspire against Ted
and Alice.  Bob sends Carol, Ted and Alice part A.  Bob then sends
Carol a slightly modified version of A, called A'.  A' looks similar
to A but differs in some critical detail.  Bob and Carol read A very
carefully and decide they're comfortable with it.  They decide they'll
sign it if Alice will sign it.  Alice sends Bob, Carol and Ted a
message that contains A' with her comments, which may be as simple as
"if you sign this, I'll sign it too."

Or, in a different scenario, let's suppose Bob and Carol depend on
Alice for advice.  Ted sends A to Bob and Carol but sends A' to Alice.
Alice says to Bob and Carol, "This (meaning A') is ok."  Bob and Carol
use the original message (containing A) and sign off on it.

At root in each of these scenarios is the question of whether two
copies are the same.  Of course, each party can do an explicit
comparison against the original, but that may be time-consuming or
otherwise inconvenient.

Hope this clarifies the issue.


Steve
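Added example, not part of the original post or the PEM work it discusses: a stdlib-only Python model of the scenario above. Bob signs part A, Carol signs a package of (A, Bob's signature, her comments B), and Ted checks what each signature actually attests and whether the enclosed A is the same version as the copy he received directly, by comparing SHA-256 fingerprints. The "signatures" are HMAC-SHA256 stand-ins with per-party keys (an assumption made to stay dependency-free; real PEM signatures are asymmetric), and the contract texts, comments and keys are constructed for the example.

```python
"""Nested signatures and "is this the same version?" checks (constructed example)."""
import hashlib
import hmac

# Constructed per-party keys standing in for signing keys (assumption, not real PEM).
BOB_KEY = b"bob-signing-key-constructed"
CAROL_KEY = b"carol-signing-key-constructed"

# Constructed documents: A' differs from A in one critical detail.
CONTRACT_A = b"Bob sells the widget to Carol for 100 dollars."
CONTRACT_A_PRIME = b"Bob sells the widget to Carol for 1000 dollars."
COMMENTS_B = b"If you change 'widget' to 'gadget', I will sign."


def fingerprint(document: bytes) -> str:
    """SHA-256 hex digest: two copies are the same version iff this matches."""
    return hashlib.sha256(document).hexdigest()


def same_version(copy1: bytes, copy2: bytes) -> bool:
    return hmac.compare_digest(fingerprint(copy1), fingerprint(copy2))


def sign(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stand-in for a digital signature over exactly these bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


def package(parts: list) -> bytes:
    """Encode a multi-part body with a 4-byte length prefix per part, so the
    boundary between 'contract' and 'comments' is part of what gets signed."""
    out = b""
    for p in parts:
        out += len(p).to_bytes(4, "big") + p
    return out


def unpackage(blob: bytes) -> list:
    parts, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 4], "big")
        i += 4
        parts.append(blob[i:i + n])
        i += n
    return parts


def bob_sends(document: bytes):
    """Bob signs the draft: 'I said these words'."""
    return document, sign(BOB_KEY, document)


def carol_replies(bob_doc: bytes, bob_sig: bytes, comments: bytes):
    """Carol signs the combination (A, Bob's signature, B), not A by itself."""
    body = package([bob_doc, bob_sig, comments])
    return body, sign(CAROL_KEY, body)


def ted_checks(carol_body: bytes, carol_sig: bytes, ted_copy_of_a: bytes) -> dict:
    """What Ted can and cannot conclude from the signatures alone."""
    result = {"carol_sig_ok": verify(CAROL_KEY, carol_body, carol_sig)}
    inner_doc, inner_sig, _comments = unpackage(carol_body)
    # Bob's signature proves Bob wrote inner_doc at some point...
    result["bob_sig_ok"] = verify(BOB_KEY, inner_doc, inner_sig)
    # ...but only a fingerprint comparison tells Ted it is *his* version of A.
    result["same_as_my_copy"] = same_version(inner_doc, ted_copy_of_a)
    # Carol's signature over the package does not verify as a signature on A alone.
    result["carol_signed_contract_alone"] = verify(CAROL_KEY, inner_doc, carol_sig)
    return result


def run_scenario(substituted: bool) -> dict:
    """substituted=False: Carol gets A. substituted=True: Carol gets A' (the conspiracy)."""
    ted_copy, _ = bob_sends(CONTRACT_A)
    doc, bob_sig = bob_sends(CONTRACT_A_PRIME if substituted else CONTRACT_A)
    body, carol_sig = carol_replies(doc, bob_sig, COMMENTS_B)
    return ted_checks(body, carol_sig, ted_copy)


if __name__ == "__main__":
    print("honest:     ", run_scenario(False))
    print("substituted:", run_scenario(True))
```

In both runs Bob's and Carol's signatures verify; only the fingerprint comparison distinguishes the honest exchange from the one where Carol's comments were attached to A'. That is the point of the post: a valid signature says who wrote the words, while "which draft" needs an explicit comparison, which the digest makes cheap.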
