I have changed the subject line as this is in regard to Ben's citation
of Hugo Krawczyk's paper on the order of signing and encryption,
http://eprint.iacr.org/2001/045, also published in Crypto 01.
This paper doesn't apply to systems like OpenPGP which compose public
key signatures with public key encryption. Rather, it investigates the
composition of symmetric encryption (e.g. AES) with MAC.
Krawczyk shows that it is not always safe to first MAC and then
symmetrically encrypt, even if your MAC is secure and your symmetric
encryption algorithm is secure. He does this by coming up with rather
artificial types of MAC and encryption which are individually secure
but which interact in a bad way when when put together like this.
Krawczyk also shows some constructions that ARE always safe, including
doing CBC with a secure cipher, then MACing the ciphertext.
Again, this analysis is not applicable to the PK digital signatures and
hybrid public/private key encryption used in OpenPGP.
Hal Finney