> What if I have a multipart/mixed MIME message. The first part is just
> text, and the second part itself is a multipart/signed MOSS message.
> Is this allowed?
Sure.
> What would happen if I sent this off to a remote validation server?
> Would it try to tell me "Well, the first part of your message was not
> signed and I can't say anything about that, but the other part has a
> valid signature"? If so, how would this be different from a remote
> validation server saying the same thing about the first and second
> parts of a multipart/alternative message with an S/MIME signed message
> in the second part?
The difference is that the MOSS specification does not speak in any
way to the external use of multipart/alternative or any other MIME
body part. MOSS only knows its body parts and that's all a validation
server can validate. A multipart/alternative is not required to make
a MOSS message readable to a user with a non-MOSS or even non-MIME
user agent. A signed text message is readable by default using both
non-MOSS and non-MIME user agents, just as a text-only MIME message
is.
The S/MIME specification explicitly describes "Use of
multipart/alternative for showing clear text" (section 6 of the S/MIME
Message Specification). The S/MIME protocol prescribes this easily
abused and hard to reconcile format in order to make up for messages
that are otherwise opaque using both non-MIME and non-S/MIME user
agents.
In your scenario, there needn't be any relationship between what the
user reads and the signed document. This is a red herring in the case
of MOSS because multipart/alternative is superfluous with MOSS and
outside of the specification. In the case of S/MIME, it is the
prescribed message format that is open to abuse.
Mark
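An added example, not code from the thread: it walks both layouts discussed above (a multipart/mixed carrying a multipart/signed MOSS part, and the S/MIME multipart/alternative clear-text layout) with Python's stdlib email package and reports which leaf parts a validation server could actually vouch for. The signature payloads are constructed placeholders and nothing is cryptographically verified.

```python
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Opaque S/MIME bodies: content is only readable after the blob is verified.
OPAQUE_SIGNED = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def coverage(part, path="1", signed=False):
    """Return [(path, content_type, status)] for every leaf of a MIME tree.

    status: 'signed' (inside the first body of a multipart/signed),
    'signature' (the detached signature), 'opaque' (pkcs7-mime blob),
    'unsigned' (everything else, e.g. a sibling under multipart/mixed).
    """
    if not part.is_multipart():
        ctype = part.get_content_type()
        status = "opaque" if ctype in OPAQUE_SIGNED else ("signed" if signed else "unsigned")
        return [(path, ctype, status)]
    rows = []
    is_signed = part.get_content_type() == "multipart/signed"
    for i, child in enumerate(part.get_payload(), start=1):
        if is_signed and i == 2:
            rows.append((f"{path}.{i}", child.get_content_type(), "signature"))
        else:
            # multipart/mixed and multipart/alternative add no signature of their own
            rows += coverage(child, f"{path}.{i}", signed or is_signed)
    return rows

def unsigned_readable(part):
    """Paths of text parts a reader may see that no signature vouches for."""
    return [p for p, ctype, status in coverage(part)
            if ctype.startswith("text/") and status == "unsigned"]

def moss_in_mixed():
    """Questioner's case: unsigned text part, then a multipart/signed MOSS part."""
    signed = MIMEMultipart("signed", protocol="application/moss-signature")
    signed.attach(MIMEText("The signed agreement text."))
    signed.attach(MIMEApplication(b"constructed placeholder, not a real MOSS signature",
                                  "moss-signature"))
    outer = MIMEMultipart("mixed")
    outer.attach(MIMEText("Unsigned cover note that a reader sees first."))
    outer.attach(signed)
    return outer

def smime_in_alternative():
    """S/MIME clear-text layout: text/plain alternative beside an opaque signed copy."""
    alt = MIMEMultipart("alternative")
    alt.attach(MIMEText("Clear text shown by non-S/MIME user agents."))
    alt.attach(MIMEApplication(b"constructed placeholder, not a real PKCS#7 blob",
                               "pkcs7-mime"))
    return alt
```

In both layouts the part a non-MOSS or non-S/MIME reader actually sees (path 1.1) is the one no signature covers, which is the gap a validation server can report but not close.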