Matthew Byng-Maddick <openpgp(_at_)lists(_dot_)colondot(_dot_)net> wrote:
As others have pointed out, what is the "atomic sign &
encrypt" of which you
speak?
I envision that in a not too far feature, we can call the
sign & encrypt function in PGP an atomic sign & encrypt.
This is the solution of the problem that I have been trying
to describe all the time.
The problem is that even though sign & encrypt is not atomic
now, that is what most users expect. I do not find it
satisfying as a programmer to have to say to the users
"Sorry, but the OpenPGP protocol do not allow any atomic
sign & encrypt that would have solved your problem, so
you will have to do without."
Adding a new signature packet called 'encrypted to' (or something
like that) would allow OpenPGP applications to implement
such an atomic sign & encrypt. It could say in the protocol
that an application MAY implement atomic sign & encrypt,
and if it does, it MUST do such and such.
My suggestion for a protocol for atomic sign & encrypt is
that the application MUST make an 'encrypted to' packet in
the signature for each key the message and signature packet
is encrypted to in the encryption packet.
These 'encrypted to' packets MUST be in the signed part of the signature.
An application that implement decrypt & verify MUST/SHOULD warn the user if
the key used to decrypt the message is not found in an 'encrypted to'
packet in the signature if the signature contains 'encrypted to'
packets and thus indicates that the message is created by an atomic
sign & encrypt.
--
Terje Bråten