(In reply to comment #11)

Summary of this Comment:

The key long-term consideration in altering any message is maintaining the chain of responsibility for the message's content. Users should understand that there are consequences in altering a message. Peter's suggested warning dialog box would work for me if it contained the option for users who remove attachments to "sign" that action with their own digital signatures, thereby establishing responsibility for the act of altering the message.

Detailed Comment:

I won't argue the case for the original bug (2920) here. I assume that all are in agreement that the fix is valuable. For me, this bug (288700) has been part of bug 2920 from the very start, because the vast majority of the messages I receive are signed -- well, at least the ones that I need to archive without attachments.

Preserving the original signature is not necessary as long as the person who removes the original signature takes responsibility for having done so. The key issue is whether there is someone who takes RESPONSIBILITY for any changes to the original message, not whether there are any changes at all. At least, that's the long-term consideration for my purposes.

Here's the criterion: My mail archives must constitute an accurate record of what happened -- a record of who did what, and when they did it -- that a historian can use 200 years from now to accurately reconstruct the progression of today's events. The burden of proof as to authenticity is mine.

Yes...I understand all the arguments asserting that someone might break into my machine and somehow falsify the record, but let's assume for the moment that I've taken measures to make that virtually impossible. Let's assume that there's no (known) way for anyone (including me) to falsify the record without being detected (true).

Let's assume that the situation is no more complicated than this:

• I want to remove attachments (which entails also removing the original sender's signature)
• I want to certify that I have done so by signing that action with my own identity-trusted signature
• My digital signature on that action is good enough to establish the chain of responsibility for the message for archival purposes.

Clearly, the responsibility for altering the original message in any way must be on the person who makes such alterations. If I absolutely need to have the original message intact (say, for use in a legal case) I will simply leave it intact -- end of story. But for any other purpose that I can imagine, it's perfectly acceptable to alter the message as long as that action is...er, "certified" by my digital signature. That puts me on the hook for having made the alteration, and also for ensuring that the entire process is secure -- by which I mean that I'm on the hook for proving that nobody else tampered with it. I wouldn't have altered the message if I weren't prepared to accept responsibility for it, but that's not relevant here.

Here's the relevant question: Have we designed the application in a way that enables users to accept responsibility for their actions, and informs them that they need to make that decision?

I believe that everyone has put enough thought into this bug to have addressed all the issues that we can reasonably be expected to have addressed. From an application design standpoint, our responsibility to do social engineering is minimal. The best we can do is enable users to take responsibility for their actions. Whether they choose to do so is up to them. That's why the warning dialog is such a good idea. The user should understand that there are consequences in altering the message.

Peter's suggested warning dialog box addresses most of the requirements that the mail application should cover, except for "signing" the action as I've described above. In other words, Peter's dialog would work for me if it contained the option for users who remove the attachments to "sign" that action with their own digital signatures.