pem-dev

Re: A brief comparison of email encryption protocols

1996-02-21 08:34:00
...
I asked for a one paragraph recommendation in MOSS.  In most situations,
signature should be done before encryption.  Heck, one sentence would have
been enough for implementors to do the right thing.  Imagine a GUI with a
choice between sign, encrypt, and sign+encrypt.  When the last option is
selected, signature should be done first.

While your recommendation may be with the best of intentions, it may
be misread and cause implementors to place undue constraints on users.
As with any tool, MOSS will be used in ways that make sense.  Some
will do things that don't make sense, but it's very hard to prevent
that and still have a useful tool.  Go ahead and provide the GUI you
described, but don't mandate it.

The most common ordering when both signature and encryption are to be
applied to a message will probably be sign first, then encrypt.  It
fits the sign-a-letter-and-place-it-in-an-envelope model.  But, as Ned
Freed and Donald Eastlake have pointed out, there will be times when
other orders make sense.  There is a learning curve involved in the
use of digital signatures and encryption for email and legislating
orderings, while short-circuiting the learning curve somewhat, will
become a hindrance once the semantics are well understood.

I'm one of the authors of TIS/MOSS and have given more demos than I'd
like to think about.  The idea of signing an encrypted quantity (which
may also contain a signed quantity) is understood by many.  You send a
letter to Mr. Big, knowing that Mr. Big's secretary screens all of Mr.
Big's mail.  Your letter contains an encrypted body part that only Mr.
Big can read (personal & confidential), as well as a clear-text note
for the secretary, all under a single signature.  This way the
secretary can determine that the note and the encrypted body part came
from you and that the encrypted part (if not the whole message) should
be passed on to Mr. Big.

  Mark

Attachment: binBUDuF0xgNT.bin
Description: application/moss-signature
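
The Mr. Big arrangement described in the message above, as an added example that is not part of the original post and is not TIS/MOSS code: a clear-text note and a part encrypted for Mr. Big sit under one signature, so the secretary can check the origin of both without being able to decrypt. It assumes unpadded toy RSA over fixed Mersenne primes as a stand-in for real MOSS algorithms; every name and key here is constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def keypair(a, b):
    """Toy RSA key from Mersenne primes 2**a-1 and 2**b-1 (constructed, factorable)."""
    p, q = 2**a - 1, 2**b - 1
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def digest(parts):
    """Hash all body parts, length-prefixed so part boundaries cannot be shifted."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(8, "big") + part)
    return int.from_bytes(h.digest(), "big")

def sign(priv, parts):
    n, d = priv
    return pow(digest(parts), d, n)

def verify(pub, parts, sig):
    n, e = pub
    return pow(sig, e, n) == digest(parts)

def encrypt(pub, plaintext):
    n, e = pub
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too long for this toy key")
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")

def decrypt(priv, ciphertext):
    n, d = priv
    m = pow(int.from_bytes(ciphertext, "big"), d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Constructed keys: the sender signs, Mr. Big alone can decrypt.
SENDER_PUB, SENDER_PRIV = keypair(521, 607)
BIG_PUB, BIG_PRIV = keypair(1279, 2203)

def compose(note, confidential):
    """Clear-text note plus a part encrypted for Mr. Big, under one signature."""
    parts = [note, encrypt(BIG_PUB, confidential)]
    return parts, sign(SENDER_PRIV, parts)

def secretary_screen(parts, sig):
    """Needs only the sender's public key; returns the opaque part to forward."""
    return parts[1] if verify(SENDER_PUB, parts, sig) else None
```

Because the signature covers the ciphertext rather than the plaintext, changing either the note or the encrypted part makes `secretary_screen` return `None`.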
