I wonder why you would want to sign ciphertext generated by someone else?
This is especially "weird" if you do not have the key to decrypt the message.
You are assigning semantics to signatures that simply are not there, and then
assuming that all signatues have these semantics and no others. All a signature
says is that the owner of a given private key had the message content in hand
and was willing to sign it. The motive of the owner for doing this is not and
cannot be specified by the signature process itself. And in addition,
the meaning of the signature has to appear in the signed content, as it
is unacceptable for it to not be protected by the signature.
Suppose I operate an electonic timestamp service. The intent of my business is
to provide a demonstrable indication that some content existed at a given point
in time. I operate this as follows: Someone sends me an encrypted message, I
add an attachment specifying the time I received the content and that timestamp
is all my signature means and that my signature does not constitute any sort of
endorsement of the content, and I sign the result. In this case it is
absolutely in my best interested *not* to know what is underneath that
encryption.
We've been over this ground countless times in this WG, BTW. See the
list archives for specifics.
Yes, I think that a statement saying that signature should be applied before
encryption is a very good idea.
I do not. There are lots of cases where signatures on top of encryption
are incredibly useful.
Ned