"Housley, Russ" <rhousley(_at_)rsasecurity(_dot_)com> writes:
A general rule of thumb: sign before compress.
Is there any strong argument for this? The only place where I've seen this
requirement is in RFC 2440, where the justification is some vague handwaving
which fails to convince . I suspect the main reason it's done that way is
because Phil did it that way originally and it just ended up in the standard
There are two good arguments against signing first, which are that it really
screws up the compression and that it slows down signing since you have to hash
all the data and not just the compressed form, but apart from vague misgivings
about not signing plaintext directly I don't know of a good argument against
it. For that reason I deliberately didn't mandate either option in the RFC
except to point out that compressing first would be faster.
 Having scanned 2440 I can't even find the handwaving I thought was there,
although another reason for doing is is that if you compress first, the
whole PGP format breaks down when you add multiple signatures.