pem-dev

Re: A brief comparison of email encryption protocols

1996-02-20 19:50:00

Ned:


In fact, MOSS is too flexible.  In most circumstances, signatures should be 
performed before encryption.  MOSS allows people to sign ciphertext, by
putting a multipart/encrypted inside a multipart/signed.  The MOSS 
specification offers no warnings about this "feature."

In most cases, sure, but what about when I receive an encrypted message I 
cannot decrypt myself and want to pass it on to someone else while 
assuring that it isn't tampered with? Situations do arise where 
encrypt-then-sign, or encrypt-sign-encrypt, or whatever, are useful.

I agree that a document talking about the various combinations of security 
elements and how they can be used would be a good thing, but not as part of 
the specification itself. Been there, done that -- prose along these lines 
was part of early drafts but effectively prevented working group closure.

I asked for a one paragraph recommendation in MOSS.  In most situations,
signature should be done before encryption.  Heck, one sentence would have
been enough for implementors to do the right thing.  Imagine a GUI with a
choice between sign, encrypt, and sign+encrypt.  When the last option is
selected, signature should be done first.

In any case, this flexibility in MOSS is also present in S/MIME and 
in Mike Elkins' PGP/MIME proposal. Similar variations are possible in 
X.400 as well.

In X.411, you could define an asymmetric-token to do whatever you want, but
I think that the ones in the standard do signature first.

Russ
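
The two nestings debated in this thread, as an added example that is not part of the original messages: a structural check that reports whether a message's signature covers ciphertext (multipart/encrypted inside multipart/signed) or whether encryption is the outer layer. All function names are hypothetical, the body parts are constructed placeholders, and the media types follow RFC 1847 and RFC 1848; no cryptographic verification is performed.

```python
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

def blob(subtype, data):
    # Constructed placeholder body part; no real keys, ciphertext or signatures.
    return MIMEApplication(data, _subtype=subtype)

def encrypted():
    # RFC 1847 multipart/encrypted: control information first, ciphertext second.
    m = MIMEMultipart("encrypted", protocol="application/moss-keys")
    m.attach(blob("moss-keys", b"constructed key data"))
    m.attach(blob("octet-stream", b"constructed ciphertext"))
    return m

def signed(content):
    # RFC 1847 multipart/signed: signed content first, signature second.
    m = MIMEMultipart("signed", protocol="application/moss-signature",
                      micalg="rsa-md5")
    m.attach(content)
    m.attach(blob("moss-signature", b"constructed signature"))
    return m

def security_layers(raw):
    """Outermost-first list of security multiparts visible without any keys."""
    part, layers = message_from_string(raw), []
    while part.is_multipart():
        kind = part.get_content_type()
        kids = part.get_payload()
        if kind == "multipart/signed" and len(kids) == 2:
            layers.append("signed")
            part = kids[0]          # descend into the content that was signed
        elif kind == "multipart/encrypted" and len(kids) == 2:
            layers.append("encrypted")
            part = kids[1]          # ciphertext: opaque, so the walk ends here
        else:
            break
    return layers

def classify(raw):
    layers = security_layers(raw)
    if layers[:2] == ["signed", "encrypted"]:
        return "signed-ciphertext"  # encryption first, signature over ciphertext
    if layers[:1] == ["encrypted"]:
        return "encrypted-outer"    # any signature would be inside the ciphertext
    return "signed-only" if layers else "unprotected"

if __name__ == "__main__":
    print(classify(signed(encrypted()).as_string()))
    print(classify(encrypted().as_string()))
```

When encryption is the outer layer, whether a signature exists underneath cannot be determined from structure alone, which is why that case is reported separately from a signed message.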
