On 2002-04-10 10:46:26 -0400, Paul Shields wrote:
> Should we have a selectable option on sign-encrypt that specifies
> that the signature must be removed from the plaintext after
> verifying it?

What, precisely, prevents the recipient's implementation from
ignoring that flag?

In the suggestions circulated in this thread, some folks are making
the same basic design error all over the place: You want to place
trust in software which is under the complete control of an
individual you don't trust. Don't do it. It's impossible.

The features which are being suggested _may_ help against
unintentional errors the recipient may make (like, storing, by
accident, the wrong love letters on the wrong hard drive, which [I
seem to recall] was the original reasoning behind the "for your eyes
only" [or whatever it was called] function of pgp 2).

They don't, however, help against malicious behavior on the
recipient's side.

--
Thomas Roessler <roessler(_at_)does-not-exist(_dot_)org>