Harald:
In fact, MOSS is too flexible. In most circumstances, signatures should be
performed before encryption. MOSS allows people to sign ciphertext, by
putting a multipart/encrypted inside a multipart/signed. The MOSS
specification offers no warnings about this "feature."

Russ, could you give your reasoning for saying that this is a bug, not a
feature? I could imagine some (weird) scenarios where I'd want to sign
ciphertext, for instance if I wanted to sign to the fact that I'd passed
on someone else's encrypted messages. Look at the comp.os.linux.announce
newsgroup for a case where one person is PGP-signing messages that someone
else sent - people will use this stuff in ways I can't even imagine. That
said, an applicability statement for MOSS, saying what is or is not a good
idea, might be a Good Thing.

I wonder why you would want to sign ciphertext generated by someone else?
This is especially "weird" if you do not have the key to decrypt the message.
Yes, I think that a statement saying that signature should be applied before
encryption is a very good idea.
Russ
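
An added example, not part of the original message: one way a receiving agent could flag the nesting discussed above, a multipart/encrypted carried as the signed part of a multipart/signed. It assumes the RFC 1847 layout in which the first body part of multipart/signed is the signed content; the helper names and the sample messages are constructed for illustration.

```python
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

def signed_ciphertext_parts(msg, path="root"):
    """Return paths of multipart/signed entities whose signed part is multipart/encrypted."""
    hits = []
    if not msg.is_multipart():
        return hits
    parts = msg.get_payload()
    # RFC 1847: the first body part of multipart/signed is the content that was signed.
    if (msg.get_content_type() == "multipart/signed" and parts
            and parts[0].get_content_type() == "multipart/encrypted"):
        hits.append(path)
    for i, part in enumerate(parts):
        hits += signed_ciphertext_parts(part, f"{path}.{i}")
    return hits

def check_wire(raw):
    """Parse a message from its wire form and run the check."""
    return signed_ciphertext_parts(message_from_bytes(raw))

# Constructed sample builders (hypothetical names, placeholder key/signature bytes).
def moss_encrypted(opaque):
    enc = MIMEMultipart("encrypted", protocol="application/moss-keys")
    enc.attach(MIMEApplication(b"constructed key info", "moss-keys"))
    enc.attach(MIMEApplication(opaque, "octet-stream"))
    return enc

def moss_signed(body):
    sig = MIMEMultipart("signed", protocol="application/moss-signature")
    sig.attach(body)
    sig.attach(MIMEApplication(b"constructed signature", "moss-signature"))
    return sig

# Signature applied first: the signed entity is hidden inside the ciphertext.
SIGN_THEN_ENCRYPT = moss_encrypted(moss_signed(MIMEText("constructed body")).as_bytes()).as_bytes()
# Signature applied to ciphertext: visible in the MIME structure.
ENCRYPT_THEN_SIGN = moss_signed(moss_encrypted(b"constructed ciphertext")).as_bytes()
# Same nesting one level down, as when someone passes on an encrypted message.
_outer = MIMEMultipart("mixed")
_outer.attach(MIMEText("constructed cover note"))
_outer.attach(moss_signed(moss_encrypted(b"constructed ciphertext")))
FORWARDED = _outer.as_bytes()

if __name__ == "__main__":
    for name in ("SIGN_THEN_ENCRYPT", "ENCRYPT_THEN_SIGN", "FORWARDED"):
        print(name, check_wire(globals()[name]))
```

The check inspects structure only; it does not verify the signature or decrypt anything, so it can run on messages the recipient holds no key for.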