I agree that combinations of sign and encrypt don't really solve the
problem that the sender can have his plaintext revealed in a way that
cryptographically binds him to it via his signature. At best we can
make it clear that this was done without his intention, but as Adrian von
Bidder points out this could be done equally well by a notation "this is
intended to be private mail from Alice to Bob" at the top of the message.
One addition: it is not necessary for the receiver to reveal his secret
key in order to prove a signature over plaintext on an E/S/E (or S/E)
message (i.e. encrypt and then sign the encryption). He can reveal
the session key (which is used once per message and then thrown away)
and then prove it valid. I have seen some software to do that.
I can't deny that these facts may be contrary to (some) users'
expectations, since users here have explicitly stated that these are
surprising to them. Nevertheless these are the cryptographic realities,
and the solution is to try to improve the users' understandings of
the issue.
Now, there are cryptographic mechanisms by which Alice can send to
Bob a message which could equally have been signed by either Alice or
Bob. Bob can't then show this around and bind it to Alice because he
could have created it as a forgery. These are the "group", "ring"
or perhaps "designated verifier" signatures. We discussed the possibility
of incorporating them into a (future? addendum?) spec at some point.
If people really want to send signed messages which can't be further
revealed to others, this is something we might pursue.
Hal Finney