So to sum up, I'll have to write a message specific to the situation with also a name that identifies me and a name that identifies him and a date.
That's one option. The specific method isn't important. What's important is that you think about what you are signing, and determine if the message and signature could be re-used.
giving him the public key in the signature does not pose a problem.
As long as the signature was created by properly written software, it should be fine. If you are using some closed-source software, or software that hasn't been reviewed by knowledgeable people, then there is a chance that the signing software could have a bug that leaks the private key with the signature.
And signing online
What do you mean when you say "signing online"? Are you using a website to generate the signature? That would be bad, since you'd have to give the website your private key. Are you just using software on a computer that is connected to the internet? How did you generate the address or original transaction? Were they created on an offline computer?
If I do all the steps above, I can then proceed without risk?
There is no such thing as 0 risk in life. All you can do is manage and mitigate risk. There is always more that can be done, but it isn't always reasonable to do so in a given circumstance.