...
In my opinion, the semantics of a signature should be "I said
these words", and the interpretation of the words should be
done by a process that is defined separately from the
digital signature validation process, such as contract law.
Thanks Tom for your message, which gives a much better example and is far more
lucid than my explanation was. It is such a good example that I may try to use
it in the MIME-PEM draft, if that's OK with you...
I would, however, generalize this in only one way that more or less parallels
your example -- the semantics of signing something don't necessarily mean that
I said every single word contained therein. For a single plain text part, yes,
but for an encapsulated message the only thing my signature warrants is that I
received this object at some point. Of course, if the embedded message object
is also signed by its originator you have the added assurance that I didn't
tamper with its content.
To try to combine them makes things much too complicated.
I agree that the semantics should receive as simple an interpretation as
possible, but we do have to take forwarding of objects authored by others
into account. I don't think there's any formal action to take here -- it is
just something to be aware of.
Ned