In fact, MOSS is too flexible. In most circumstances, signatures should be
performed before encryption. MOSS allows people to sign ciphertext, by
putting a multipart/encrypted inside a multipart/signed. The MOSS
specification offers no warnings about this "feature."

In most cases, sure, but what about when I receive an encrypted message I
cannot decrypt myself and want to pass it on to someone else while assuring
that it isn't tampered with? Situations do arise where encrypt-then-sign,
or encrypt-sign-encrypt, or whatever, are useful.

I agree that a document talking about the various combinations of security
elements and how they can be used would be a good thing, but not as part of the
specification itself. Been there, done that -- prose along these lines was part
of early drafts but effectively prevented working group closure.

In any case, this flexibility in MOSS is also present in S/MIME and in
Mike Elkins' PGP/MIME proposal. Similar variations are possible in
X.400 as well.
Ned