Terje Braaten wrote:
Derek Atkins <warlord(_at_)MIT(_dot_)EDU> writes:
Repeat to yourself: IT IS A FEATURE THAT SIGN AND ENCRYPT ARE
SEPARABLE OPERATIONS. Once you make that statement, there is no way,
short of layering violations, to do what you want to do except at the
application later duplicating the information.
And I say it is a security flaw that that sign and encrypt must be
separable operations, and for the implementation of an atomic and secure
sign & encrypt you have to make an exception to this layering model.
Your proposal for an extra packet does not address this alleged flaw.
Note that Alice could sign a message saying "encrypted to Bob", and then
encrypt and send the message to Charlie, thus framing Bob for breach
of confidence.
You can't take two operations that are inherently separable and create
a magic hack that makes them inherently and verifiably atomic. Each
layer does what it does - if you want the security services provided
by three layers (ESE), or what S/MIME calls triple-wrapping (SES),
then you must use three layers.