I think the original motivation was to remove signatures from the data that is hashed so as to make the hash of the transaction (the TX ID) orthogonal to the signature data, so as to deal with malleability, since due to the use of ECDSA there are two versions of the same signature that are equivalent (one of the reasons Wuille says he wants to replace them with Schnorr signatures instead).
But then to do what they are calling a "segregated witness", the security model changes from every node verifying every detail for themselves, to every node assuming that some node will publish a proof-of-cheating if any activity was incorrect.
They are suggesting nothing of the sort. Full nodes in Bitcoin will still download the entire chain, including signatures. The peer-to-peer protocol will expect the signatures to be delivered along with the block and will then verify it using a hash stuffed in the coinbase.
They are suggesting to add a new sort of less-than-full node that is less secure than full nodes, but full nodes will operate under the same security model, just using a different method for fetching (and verifying) the signatures.
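As an added illustration of the two points made above (the TX ID no longer covering the signature data, and full nodes still verifying signatures against a hash committed in the coinbase), here is a small Python model; it is example code written for this thread, not code from Bitcoin Core or from any of the posters. The transaction, signature and pubkey bytes are constructed placeholders, the "second equivalent signature" is the (r, n - s) form of an ECDSA signature mentioned above, and the witness commitment is a plain Merkle root over wtxids, simplified from the BIP141 construction (which additionally hashes the root with a reserved value).

```python
import hashlib
import struct

# secp256k1 group order: for any valid ECDSA signature (r, s), (r, n - s) also verifies.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed placeholder values (not a real key, signature or outpoint).
SAMPLE_SIG = (0x1234).to_bytes(32, "big") + (0x5678).to_bytes(32, "big")  # r || s
SAMPLE_PUBKEY = b"\x02" + b"\xab" * 32


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def varint(n: int) -> bytes:
    """Bitcoin CompactSize encoding."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def push(item: bytes) -> bytes:
    return varint(len(item)) + item


def make_tx(sig: bytes, pubkey: bytes) -> dict:
    """One-input, one-output transaction; the input's authorisation data is [sig, pubkey]."""
    return {
        "version": 2,
        "inputs": [{"prev_txid": b"\x11" * 32, "prev_index": 0,
                    "sequence": 0xFFFFFFFF, "witness": [sig, pubkey]}],
        "outputs": [{"value": 50_000, "script_pubkey": b"\x00\x14" + b"\x22" * 20}],
        "locktime": 0,
    }


def serialize(tx: dict, *, sig_in_script: bool, with_witness: bool) -> bytes:
    """sig_in_script=True models the pre-segwit layout (signature inside scriptSig);
    with_witness=True appends the segregated witness stack (BIP144 layout)."""
    out = struct.pack("<i", tx["version"])
    if with_witness:
        out += b"\x00\x01"  # marker + flag
    out += varint(len(tx["inputs"]))
    for inp in tx["inputs"]:
        script_sig = b"".join(push(i) for i in inp["witness"]) if sig_in_script else b""
        out += inp["prev_txid"] + struct.pack("<I", inp["prev_index"])
        out += push(script_sig) + struct.pack("<I", inp["sequence"])
    out += varint(len(tx["outputs"]))
    for o in tx["outputs"]:
        out += struct.pack("<q", o["value"]) + push(o["script_pubkey"])
    if with_witness:
        for inp in tx["inputs"]:
            out += varint(len(inp["witness"])) + b"".join(push(i) for i in inp["witness"])
    out += struct.pack("<I", tx["locktime"])
    return out


def legacy_txid(tx: dict) -> bytes:
    return sha256d(serialize(tx, sig_in_script=True, with_witness=False))


def segwit_txid(tx: dict) -> bytes:
    return sha256d(serialize(tx, sig_in_script=False, with_witness=False))


def wtxid(tx: dict) -> bytes:
    return sha256d(serialize(tx, sig_in_script=False, with_witness=True))


def equivalent_signature(sig: bytes) -> bytes:
    """The other valid encoding of the same ECDSA signature: (r, n - s)."""
    r, s = sig[:32], int.from_bytes(sig[32:], "big")
    return r + (SECP256K1_N - s).to_bytes(32, "big")


def merkle_root(hashes: list) -> bytes:
    layer = list(hashes)
    while len(layer) > 1:
        if len(layer) % 2:
            layer.append(layer[-1])
        layer = [sha256d(layer[i] + layer[i + 1]) for i in range(0, len(layer), 2)]
    return layer[0]


def witness_commitment(wtxids: list) -> bytes:
    """Simplified BIP141-style commitment: Merkle root over wtxids with a zero slot for the coinbase."""
    return merkle_root([b"\x00" * 32] + list(wtxids))


def demo() -> dict:
    """Swap in the equivalent signature and report which identifiers move."""
    tx_a = make_tx(SAMPLE_SIG, SAMPLE_PUBKEY)
    tx_b = make_tx(equivalent_signature(SAMPLE_SIG), SAMPLE_PUBKEY)
    return {
        "legacy_txid_changed": legacy_txid(tx_a) != legacy_txid(tx_b),
        "segwit_txid_changed": segwit_txid(tx_a) != segwit_txid(tx_b),
        "wtxid_changed": wtxid(tx_a) != wtxid(tx_b),
        "commitment_changed": witness_commitment([wtxid(tx_a)]) != witness_commitment([wtxid(tx_b)]),
    }


if __name__ == "__main__":
    for name, changed in demo().items():
        print(f"{name}: {changed}")
```

Running it shows the split the thread is discussing: the pre-segwit TX ID changes when the equivalent signature is substituted, the segwit TX ID does not, and the wtxid (and therefore the coinbase commitment a full node checks the delivered signatures against) does change, so the signatures are still bound to the block even though they no longer feed the TX ID.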
Which is what I wrote also:
Which I think is why they are not proposing for segregated witness to exist without the current security model still in force.
I did not suggest they were going to abandon Satoshi's security model. I explicitly stated they are not. Period.
As an additional tangential point, it is possible to get the benefits of using only segregated witness security model, while also still allowing full nodes to download the entire block chain. But Bitcoin better dare not do that, because as I pointed out, the Bitcoin network can't guarantee propagation nor assign blame when some proof-of-cheating doesn't propagate to an innocent less-than-full node. The implications are perhaps less severe in Bitcoin's case because it isn't attempting 1 second transaction confirmations and making PoW orthogonal to transaction confirmation. So when I say they better not do that, I mean (qualify my prior post) within the context of using segregated witness to maximize scaling of distributed transaction confirmation.
Apparently BBR is including the signatures in the hash of the TX ID.
It does not. BBR neither includes the signatures in the TX ID nor does it include an additional hash.
This is the interesting part, in that gmaxwell claims this introduces some sort of vulnerabilities, but it isn't clear to me what they are.
I believe Maxwell is referring to the inability of the segregated witness to construct a proof-of-cheating. And the implication is if you didn't do this historically, then you can't soft fork to add the segregated witness feature. But I didn't read Maxwell's comments, so I am just extrapolating based on the quick read of the one epistle from Wuille I linked to.
Without a hash of the signature, there is no way to verify that a block chain was constructed with signatures, i.e. a 51% attack could steal coins. I presume BBR avoids this by enforcing that a fork from before a check point (where signatures were discarded) isn't allowed. Problem is even if someone saved the signatures, there is no way to absolutely prove that if a fork of BBR appears with greater cumulative PoW, that it isn't the valid one other than assuming the community and the lead dev can point to which checkpoints are the correct ones.