Interesting problem. I expect Jim and others will have some
things to say. Here are a couple of my own observations.
First, your "beep real loud" has some appeal. The signature checking
process results in either the display of the message to the user or
the storage of an annotated message. In both cases, one can suggest
that the implementation take note of extraneous headers and make it
clear to the user that they are not part of the signed body of the
message.
Second, a similar problem occurs in the RFC 1421 spec. Anything that
occurs before the --PRIVACY-ENHANCED-MAIL-- boundary is not part of
the body of the message. One can argue that in the 1421 case, it's
clearer to the user that the extraneous material is not part of the
signed body, but that's essentially a matter of degree. In the
PEM-MIME case, the user could also be told that the headers are not
part of the protected material.
I'm opposed to suggestions A and D that attempt to protect the user by
forbidding him to look at the signed but unverified message. In a
different culture or with more control over the implementation
environment or with a different legacy, this might be an acceptable
approach. We have enough experience in the present situation to know
this is not going to work.
I don't think there will be much room for people to be fooled. If
there are a few incidents, we'll see a rapid increase in awareness. I'm not
worried about spoofing of automatic programs that read mail; they
should be written to know what's in versus what's out of the message.
Steve
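An added example, not part of the original post, of the "annotated message" approach Steve describes: the verifier separates the headers that sit outside the signed part from those inside it, marks every unprotected header for the user, and flags loudly when an unsigned copy disagrees with a signed one. The multipart/signed layout and the sample message below are constructed for illustration, not a transcript of the PEM-MIME draft.

```python
import email
from email import policy

# Constructed sample. The outer headers sit outside the signed part and so
# are unprotected; the inner text part carries the headers that the
# signature actually covers. Hypothetical layout, constructed for this example.
SAMPLE = """\
From: alice@example.test
To: bob@example.test
Subject: Transfer approved, send the funds today
Content-Type: multipart/signed; protocol="application/x-sig"; boundary="bnd"

--bnd
Content-Type: text/plain
From: alice@example.test
Subject: Lunch on Friday?

Noon works for me.
--bnd
Content-Type: application/x-sig

(constructed placeholder for the signature block)
--bnd--
"""


def classify_headers(raw):
    """Split headers into signature-covered and unprotected sets.

    Returns (signed, unsigned, conflicts). signed/unsigned map lower-cased
    header names to values; conflicts lists names whose unsigned copy differs
    from the signed copy, the case that should "beep real loud".
    """
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_payload(0)  # first MIME part is the protected body
    skip = {"content-type"}     # structural header, differs by design
    signed = {k.lower(): str(v) for k, v in body.items() if k.lower() not in skip}
    unsigned = {k.lower(): str(v) for k, v in msg.items() if k.lower() not in skip}
    conflicts = sorted(k for k in unsigned if k in signed and unsigned[k] != signed[k])
    return signed, unsigned, conflicts


def annotate(raw):
    """Render the headers with every unprotected one marked for the user."""
    signed, unsigned, conflicts = classify_headers(raw)
    lines = []
    for name, value in unsigned.items():
        tag = "CONFLICTS WITH SIGNED VALUE" if name in conflicts else "NOT SIGNED"
        lines.append(f"[{tag}] {name}: {value}")
    for name, value in signed.items():
        lines.append(f"[signed] {name}: {value}")
    return "\n".join(lines)
```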