2) The problem with this solution is that that's just another unilateral imposition of a broken redemption scheme on Goat, just a slightly less broken one. It still causes substantially the same problems. Two people can still come to Goat with possession of the same private key. Goat still has to decide whether to redeem twice or once. If twice, he's still getting massive liability crammed down his throat that he never agreed to accept. If once, then he's still taking the risk of being branded a scammer if Nefario issues the same code to two people, and he'll never even know whether it was Nefario or the claimant is lying. (Consider the same scenario as in 1 above.)
Actually it solves nearly all of the fraud problems from Goat's perspective, I think, so long as the list of addresses and amounts is made public by Nefario. If Goat checks the signature on and keeps all the signed messages transferring ownership, he can easily prove that someone with the appropriate private key did redeem the shares and there's no way for him to fake this himself. It doesn't really matter to him whether Nefario or the claimant is trying to scam him, especially since Nefario could do the exact same thing with normal shares listed on GLBSE.
(Really this needs full-blown distributed timestamping and a public record of transfers in order to prevent certain kinds of fraud between stockholders when transferring shares, but that's a lot more complicated to achieve.)