I understand your points. In general, I prefer to sign what I said, not
what I transmitted. It just means that there are fewer software steps
after signature validation to introduce mistakes. I am sure that you
consider this to be more hand waving.
At 03:52 PM 3/16/2002 +1300, Peter Gutmann wrote:
"Housley, Russ" <rhousley(_at_)rsasecurity(_dot_)com> writes:
>A general rule of thumb: sign before compress.
Is there any strong argument for this? The only place where I've seen this
requirement is in RFC 2440, where the justification is some vague handwaving
which fails to convince . I suspect the main reason it's done that way is
because Phil did it that way originally and it just ended up in the standard
There are two good arguments against signing first, which are that it really
screws up the compression and that it slows down signing since you have to
all the data and not just the compressed form, but apart from vague misgivings
about not signing plaintext directly I don't know of a good argument against
it. For that reason I deliberately didn't mandate either option in the RFC
except to point out that compressing first would be faster.
 Having scanned 2440 I can't even find the handwaving I thought was there,
although another reason for doing is is that if you compress
whole PGP format breaks down when you add multiple signatures.