It depends on what you mean by signing. Signing a message in and of itself ought not hurt anything modulo software bugs, etc. But the real question is what does the receiving program (MTA, MUA) do with that signature? At the very least it could verify the signature, but then what? If it doesn't verify do you drop it? (transitive trust comes into play, but most likely). Does it do anything beyond that?
Let me ask something in return: do you think that just the act of signing mail -- with no trust roots implied -- could help? My sense is that it might in a sow-the-seeds kind of way for some later goodness (it's as you say not a solution). I too would be happy to hear downsides.
Without trust roots, webs of trust, or additional mailing list daemon features, signed e-mail doesn't really add anything, at least not now.
Signed e-mail could help ensure that e-mail sent to a list comes from the same person as the one who subscribed to the list. But then again, the same feature could be implemented much more simply by some header which must stay constant from the same person and is stripped off by the list daemon when forwarding the mail to the subscribers.
More seriously, ensuring the sender's address is right is useless IMHO unless there's a policy for letting people sign up to a list. Spammers could get a new address and generate a key pair, sign up using them, send spam, and repeat with another address and key.
So, it's the same old question once again: how do we all enroll ourselves to the same trusted root or web of trust? Should the next PGP key signing party be held in the plenary, for everyone? Or maybe Harald stands at the IETF reception desk to look at people's passports and certifies keys? Hmm... maybe we could make a PGP key mandatory in registration, and have the secretariat form a web of trust. At least we could trace every key to a credit card number... sounds pretty good but this wouldn't deal with the folks who don't come to the meetings. Maybe we could turn on mandatory PGP signing for all list e-mail for a year, and at the end of the year make a web of trust for the folks who sent e-mail that year. That wouldn't be perfect, but it would sure reduce the size of the queue in front of Harald for the passport check ;-)
--Jari
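
The constant-header check mentioned in the message above, sketched as an added example that is not part of the original thread or any real list daemon. The header name `X-List-Token`, the `ListDaemon` class and the sample addresses are assumptions made for illustration.

```python
import hmac
import secrets
from email import message_from_string
from email.utils import parseaddr

TOKEN_HEADER = "X-List-Token"  # hypothetical header name, not from the thread


class ListDaemon:
    def __init__(self):
        self.tokens = {}  # subscriber address -> token issued at subscription

    def subscribe(self, address):
        """Issue the constant value the subscriber must put in every post."""
        token = secrets.token_hex(16)
        self.tokens[address.lower()] = token
        return token

    def accept(self, raw_message):
        """Return the message to forward to subscribers, or None to reject."""
        msg = message_from_string(raw_message)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        expected = self.tokens.get(sender)
        presented = msg.get_all(TOKEN_HEADER) or []
        # Exactly one token header, matching the one issued to this address.
        ok = (
            expected is not None
            and len(presented) == 1
            and hmac.compare_digest(presented[0].strip().encode(), expected.encode())
        )
        if not ok:
            return None
        # Strip the header so other subscribers never learn the poster's token.
        del msg[TOKEN_HEADER]
        return msg.as_string()


def build_post(sender, token=None, body="hello list"):
    """Constructed sample message for the demonstration."""
    lines = [f"From: {sender}", "To: list@example.org", "Subject: test"]
    if token is not None:
        lines.append(f"{TOKEN_HEADER}: {token}")
    return "\n".join(lines) + "\n\n" + body + "\n"
```

Any address that subscribes receives a valid token, so the check ties a post to a subscription and nothing more, which is the limitation the message goes on to raise.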
