Derek Atkins <warlord(_at_)MIT(_dot_)EDU> writes:
> You see, I view this just like regular mail. There is the envelope
> information, and there is the "letter". By _CONVENTION_ the person
> writing a letter duplicates the envelope information on the inside.

A very useful picture indeed. The PGP program puts the information
about who it is encrypted to on the envelope on the outside. So
if we want to have this convention the PGP program must also be the
application that puts this same information on the inside of the
envelope. The natural place to do this, as I see it, is for the PGP
program to make additional signature packets and put them in the signed
part of the signature.
If the OpenPGP protocol is not changed, there is no way for any PGP
application to implement any such convention. So it has to be a
part of the OpenPGP protocol.

> Repeat to yourself: IT IS A FEATURE THAT SIGN AND ENCRYPT ARE
> SEPARABLE OPERATIONS. Once you make that statement, there is no way,
> short of layering violations, to do what you want to do except at the
> application layer duplicating the information.

And I say it is a security flaw that sign and encrypt must be
separable operations, and for the implementation of an atomic and secure
sign & encrypt you have to make an exception to this layering model.
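
The convention argued over in this thread, as an added sketch that is not part of the original messages or of any PGP implementation: the signer repeats the envelope recipient inside the signed data, and the receiver compares it with its own key after decryption. The toy RSA key, the `intended` field and the key IDs are constructed assumptions, not OpenPGP packet formats.

```python
import hashlib

# Toy RSA signing key from two Mersenne primes: constructed and insecure,
# a stand-in for the sender's real signing key so the example runs offline.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def _digest(body, intended):
    """Hash the body together with the inner recipient field (length-prefixed)."""
    h = hashlib.sha256()
    for field in (body, (intended or "").encode()):
        h.update(len(field).to_bytes(4, "big") + field)
    return int.from_bytes(h.digest(), "big") % N

def sign(body, intended=None):
    """Sign body; `intended` (hypothetical field) repeats the envelope recipient."""
    return {"body": body, "intended": intended,
            "sig": pow(_digest(body, intended), D, N)}

def envelope(recipient_key_id, signed):
    """Encryption layer, modeled only as the outer, unsigned recipient label."""
    return {"to": recipient_key_id, "inner": signed}

def accept(my_key_id, env):
    """Recipient-side check, run after the envelope has been opened."""
    inner = env["inner"]
    if pow(inner["sig"], E, N) != _digest(inner["body"], inner["intended"]):
        return "bad signature"
    if not inner["intended"]:
        # Signature alone says nothing about who the message was meant for.
        return "valid signature, recipient not bound"
    if inner["intended"] != my_key_id:
        return "rejected: signed for " + inner["intended"]
    return "valid signature, addressed to me"

if __name__ == "__main__":
    bound = sign(b"I accept the offer", intended="bob-key")   # constructed sample
    plain = sign(b"I accept the offer")
    print(accept("bob-key", envelope("bob-key", bound)))
    print(accept("carol-key", envelope("carol-key", bound)))
    print(accept("carol-key", envelope("carol-key", plain)))
```
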