In most cases, sure, but what about when I receive an encrypted message I
cannot decrypt myself and want to pass it on to someone else while assuring
that it isn't tampered with? Situations do arise where encrypt-then-sign,
or encrypt-sign-encrypt, or whatever, are useful.
I'm not sure I get your point here. The encryption process should already
have protected the message against unwanted tampering. Do you get some extra
security in signing an encrypted message? I agree, however, that the
flexibility in MOSS is desired.
On the contrary, encryption doesn't protect the message from tampering at all.
Encryption is done with the recipient's public key, which often as not is
common knowledge. Anybody can take message and a recipient's public key,
encrypt it, and substitute it for some other encrypted message. Signatures
are essential to prevent this from happening.
Ned