I have experimentally implemented the integrated message integrity
check within the encryption/decryption layer. It is not difficult to
handle the 20-byte trailing hash during decryption. I use a circular
buffer in which I put the trailing part of each chunk of decrypted data.
It always has the last 20 decrypted bytes in it. The data is passed
through the hash as we output it from this decryption layer; once we
hit EOF we take the 20 bytes in the buffer and we know those should be
matched against the calculated hash.
I can't speak for other implementations, but I found doing it this way to
be fairly straightforward. I don't see implementation difficulty as being
a barrier to this approach, or a reason to put the integrity checking
in a pseudo-signature packet.
The problem with doing it in a signature packet is that it is a
fundamentally different function than signatures. The hash only provides
integrity in the context of an encryption envelope. Logically the
integrity protection is a property of the encryption layer. Doing the
hash without encryption provides no integrity protection. The signature
packet is functionally the wrong place to put it.
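The streaming check described in this message, written out as an added example; it is not code from the original post or from any OpenPGP implementation. It assumes SHA-1 as the 20-byte trailing hash (the message only says "20-byte") and uses a toy SHA-256 counter keystream as a stand-in for the real cipher layer so that it runs offline; the ring buffer holding the last 20 decrypted bytes, the running hash over everything emitted, and the comparison at EOF follow the description above. The function names (`seal`, `open_stream`, `rejects`) are this example's own.

```python
import hashlib
import hmac

HASH_LEN = 20  # the 20-byte trailing hash from the message; SHA-1 assumed


class IntegrityError(Exception):
    """Raised when the trailing hash does not match the decrypted data."""


class _Keystream:
    """Toy counter-mode keystream: SHA-256(key || counter), XORed into data.

    Stand-in for the real cipher layer (NOT OpenPGP CFB); it only exists so the
    example runs offline. Same object encrypts and decrypts.
    """

    def __init__(self, key: bytes):
        self.key, self.counter, self.buf = key, 0, b""

    def xor(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            if not self.buf:
                block = self.key + self.counter.to_bytes(8, "big")
                self.buf = hashlib.sha256(block).digest()
                self.counter += 1
            out.append(b ^ self.buf[0])
            self.buf = self.buf[1:]
        return bytes(out)


class TrailingHashDecryptor:
    """Decryption layer that withholds the last HASH_LEN plaintext bytes.

    Every byte that leaves this layer goes through the running hash; the
    newest HASH_LEN bytes sit in a ring buffer and are never emitted. At EOF
    the ring contents are the sender's hash and are compared to the digest.
    """

    def __init__(self, key: bytes, hash_name: str = "sha1"):
        self.keystream = _Keystream(key)
        self.running = hashlib.new(hash_name)
        self.ring = bytearray(HASH_LEN)
        self.pos = 0     # next ring slot to overwrite (oldest byte once full)
        self.filled = 0  # ring slots holding real data (<= HASH_LEN)

    def feed(self, ciphertext_chunk: bytes) -> bytes:
        """Decrypt a chunk; return the plaintext that is safe to emit now."""
        out = bytearray()
        for b in self.keystream.xor(ciphertext_chunk):
            if self.filled == HASH_LEN:
                out.append(self.ring[self.pos])  # oldest byte leaves the window
            else:
                self.filled += 1
            self.ring[self.pos] = b
            self.pos = (self.pos + 1) % HASH_LEN
        self.running.update(out)
        return bytes(out)

    def finish(self) -> None:
        """EOF: the ring must hold exactly the hash of everything emitted."""
        if self.filled < HASH_LEN:
            raise IntegrityError("stream shorter than the trailing hash")
        trailing = bytes(self.ring[self.pos:] + self.ring[:self.pos])
        if not hmac.compare_digest(trailing, self.running.digest()):
            raise IntegrityError("trailing hash mismatch")


def seal(key: bytes, plaintext: bytes, hash_name: str = "sha1") -> bytes:
    """Sender side: append hash(plaintext), then encrypt the whole thing."""
    tag = hashlib.new(hash_name, plaintext).digest()
    return _Keystream(key).xor(plaintext + tag)


def open_stream(key: bytes, ciphertext: bytes, chunk_size: int = 7) -> bytes:
    """Receiver side: decrypt in chunks, verify at EOF, return plaintext."""
    dec = TrailingHashDecryptor(key)
    out = b""
    for i in range(0, len(ciphertext), chunk_size):
        out += dec.feed(ciphertext[i:i + chunk_size])
    dec.finish()
    return out


def rejects(key: bytes, ciphertext: bytes) -> bool:
    """True if the decryption layer refuses this ciphertext."""
    try:
        open_stream(key, ciphertext)
    except IntegrityError:
        return True
    return False


def tamper_detected(key: bytes, ciphertext: bytes, index: int) -> bool:
    """Flip one ciphertext bit and report whether the check catches it."""
    mutated = bytearray(ciphertext)
    mutated[index] ^= 0x01
    return rejects(key, bytes(mutated))


if __name__ == "__main__":
    KEY = b"constructed-example-key"          # constructed sample key
    MSG = b"Hello, list. Trailing 20-byte hash inside the envelope."
    ct = seal(KEY, MSG)
    print(open_stream(KEY, ct) == MSG, tamper_detected(KEY, ct, 3))
```

Chunk boundaries never matter: the ring always holds the newest 20 bytes regardless of how the ciphertext was split, which is why the plaintext can be streamed out instead of buffered whole. Note that the tag is an unkeyed hash; a flipped bit anywhere in the ciphertext (data or tag region) or a truncated stream is rejected only because the tag travels inside the encrypted envelope, which is the "property of the encryption layer" point made above.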