Sounds pretty much what I wanted. My question was mainly intended to see
if there is a documented way to automatically identify any locally-added
privacy/signature enveloping so that when a message is saved, forwarded,
etc, the extra stuff is removed, and the original message is used instead.
It's a question of knowing when to stop so that remotely-added enveloping
is not removed unless the user really wants it removed.
I think the trick is to know the signatures of the local agents so
they can be discarded as not having any value outside the local
environment. If <u,m> is a message m signed by u, then
<ulocal,<uremote,m>> symbolizes a message signed first by a remote
user and then by a local agent. If the local user forwrds this to
someone and he or his software recognizes ulocal, then it would
incorporate only <uremote,m> into the forwarded message. On the other
hand, if it sees <uendorser,<uremote,m>>, where uendorser is some
signature the local user can't dismiss, the local user will forward
the entire doubly-signed message.
The paper analogy is a document with a cover note. If the cover note
is generated internally, e.g. from a boss or a subordinate, it's
reasonable to strip it off before sending it outside the organization.
But there are other circumstances in which the entire chain of actions
needs to be recorded, so it's at least partly a policy issue and not
merely one of mechanics.
Steve