RE: Ordering of encryption and signing of a S/MIME message

2002-10-21 02:45:04

For security reasons, you should first sign your message and then encrypt it with the recipient's public key. If you perform the reverse operation (encrypt then sign), then a threat agent may intercept your message, strip your signature and sign "your encrypted" message. So the recipient will hence receive a signed message from the threat agent and no longer from you.

And how can the threat agent do this using the expected private key? And if it can't, wouldn't the receiving agent have a serious security hole if it accepted such a message?

Curiously yours.
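The exchange the two posters are arguing about, as an added toy model (not part of the thread, and not S/MIME, PKCS#7 or any real library): textbook RSA with small constructed primes and a truncated SHA-256 digest stand in for the real primitives, and the names alice, bob and mallory, the integer message 1234 and the key directory are all constructed for the illustration. It shows the answer to the question above: the threat agent never needs the original sender's private key, because in encrypt-then-sign the signature covers only the ciphertext, so it can be replaced with a signature under the threat agent's own key. It also shows the check a receiving agent needs regardless of ordering, namely comparing the verified signer with the claimed sender rather than merely confirming that some valid signature is present.

```python
"""Toy model of sign/encrypt ordering. Textbook RSA with tiny primes, no
padding, and a truncated digest: only the protocol flow is meaningful."""
import hashlib
from typing import Dict, Optional, Tuple

PubKey = Tuple[int, int]   # (n, e)
PrivKey = Tuple[int, int]  # (n, d)


def keygen(p: int, q: int, e: int = 17) -> Tuple[PubKey, PrivKey]:
    """Textbook RSA key pair from two toy-sized primes (assumed coprime to e)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), (n, d)


# Constructed identities; the primes are far too small for any real use.
KEYS = {
    "alice": keygen(1009, 1013),
    "bob": keygen(1031, 1033),
    "mallory": keygen(1039, 1049),
}
PUB: Dict[str, PubKey] = {name: k[0] for name, k in KEYS.items()}
PRIV: Dict[str, PrivKey] = {name: k[1] for name, k in KEYS.items()}


def digest(x: int) -> int:
    """Truncated SHA-256, kept below every toy modulus so it can be signed."""
    h = hashlib.sha256(x.to_bytes(8, "big")).digest()
    return int.from_bytes(h[:3], "big") % 1_000_000


def sign(x: int, priv: PrivKey) -> int:
    n, d = priv
    return pow(digest(x), d, n)


def verify(x: int, sig: int, pub: PubKey) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(x)


def encrypt(x: int, pub: PubKey) -> int:
    n, e = pub
    assert 0 <= x < n, "message must fit under the toy modulus"
    return pow(x, e, n)


def decrypt(c: int, priv: PrivKey) -> int:
    n, d = priv
    return pow(c, d, n)


def who_signed(x: int, sig: int) -> Optional[str]:
    """Name in the key directory whose public key verifies the signature."""
    for name, pub in PUB.items():
        if verify(x, sig, pub):
            return name
    return None


# --- Ordering 1: encrypt, then sign (the ordering the quoted post warns against)
def encrypt_then_sign(m: int, sender: str, recipient: str) -> dict:
    c = encrypt(m, PUB[recipient])
    return {"ciphertext": c, "signature": sign(c, PRIV[sender])}


def strip_and_resign(envelope: dict, new_signer: str) -> dict:
    """The signature covers only ciphertext, so it can be swapped for another
    party's signature without ever decrypting the message."""
    c = envelope["ciphertext"]
    return {"ciphertext": c, "signature": sign(c, PRIV[new_signer])}


def open_encrypt_then_sign(envelope: dict, recipient: str) -> Tuple[Optional[str], int]:
    c = envelope["ciphertext"]
    return who_signed(c, envelope["signature"]), decrypt(c, PRIV[recipient])


# --- Ordering 2: sign, then encrypt (the ordering the quoted post recommends)
def sign_then_encrypt(m: int, sender: str, recipient: str) -> dict:
    s = sign(m, PRIV[sender])
    pub = PUB[recipient]
    return {"ciphertext": encrypt(m, pub), "sig_ciphertext": encrypt(s, pub)}


def open_sign_then_encrypt(envelope: dict, recipient: str) -> Tuple[Optional[str], int]:
    priv = PRIV[recipient]
    m = decrypt(envelope["ciphertext"], priv)
    s = decrypt(envelope["sig_ciphertext"], priv)
    return who_signed(m, s), m


def accept(signer: Optional[str], claimed_sender: str) -> bool:
    """The receiving agent's check: a valid signature is not enough, the
    verified signer must be the party the message claims to come from."""
    return signer is not None and signer == claimed_sender


if __name__ == "__main__":
    m = 1234  # constructed message
    env = encrypt_then_sign(m, "alice", "bob")
    print("encrypt-then-sign, untouched:", open_encrypt_then_sign(env, "bob"))
    forged = strip_and_resign(env, "mallory")
    print("encrypt-then-sign, re-signed:", open_encrypt_then_sign(forged, "bob"))
    env2 = sign_then_encrypt(m, "alice", "bob")
    print("sign-then-encrypt:", open_sign_then_encrypt(env2, "bob"))
```

In the re-signed case the recipient recovers the plaintext and a perfectly valid signature, but the signer is mallory; only the `accept` comparison against the claimed sender catches the substitution. In the sign-then-encrypt case the signature is inside the ciphertext, so an interceptor without the recipient's private key cannot read it, replace it, or re-sign the plaintext.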