I asked for a one paragraph recommendation in MOSS. In most situations,
signature should be done before encryption. Heck, one sentence would have
been enough for implementors to do the right thing. Imagine a GUI with a
choice between sign, encrypt, and sign+encrypt. When the last option is
selected, signature should be done first.
I don't agree. Donald Eastlake already pointed out the obvious counterexample
-- suppose the intent of the signature is to negotiate access to a restricted
mailing list? It has to be exposed in this case; putting it under the
encryption means the list expander has to decrypt to see it, and this is simply
not something the list expander should have access to.
I also agree with Donald that this is going to be a *very* command use for
signatures in the future. As such, I could argue quite effectively for
inclusion of prose in the specification that says that the preferred sequence
should be encrypt then sign. Do you really want that?
But as I said before, this sort of thing has no place being in the
specification of the protocol. If someone wants to write a document describing
the application of various security nestings and their implications, I have no
problem with that. But not in the protocol itself.
Ned