Russ,
Although the Examples section shows signatures being applied before encryption,
the Introduction and content type discussion should make it clear that signed
contents may be encrypted, but that encrypted contents should not be signed.
Non-repudiation of ciphertext does not appear useful to me.
I have not yet had time to read the referenced document, so I may be taking your
comments out of context. If so, I apologize.
I can think of several reasons for nonrepudiating cipher text. One of the most
obvious
is the equivalent of the Post Office's "Hand Back" service, where they will
postmark
an envelop and hand it back to you. Although this isn't as commonly used as it
used
to be, it was used in the past as a means of "proving" that an idea, invention,
etc.
was invented at some time prior to the date of the postmark without having to
disclose the idea itself to anyone.
Although it might be more convenient to merely sign the digital signature of a
message, that may not always be possible from a packaging standpoint, for
example
if you wanted to sign the encrypted message plus the certificates plus the
message
headers as a way of proving exactly what was sent.
Sead Muftic and I have previously discussed the possibility of having the CA
serve as a trusted timestamp server that would timestamp the message and
confirm
the validity of the certificate used to sign a message and bind that
timestamp/certification to the message itself. I would hope that MIME would
provide a convenient way of encapsulating such a composite message.
Bob