Re: A brief comparison of email encryption protocols
Housley, Russ (housley@spyrus.com)
Tue, 20 Feb 96 17:38:53

Ned:
>>In fact, MOSS is too flexible. In most circumstances, signatures should be
>>performed before encryption. MOSS allows people to sign ciphertext, by
>>putting a multipart/encrypted inside a multipart/signed. The MOSS
>>specification offers no warnings about this "feature."
>
>In most cases, sure, but what about when I receive an encrypted message I
>cannot decrypt myself and want to pass it on to someone else while
>assuring that it isn't tampered with? Situations do arise where
>encrypt-then-sign, or encrypt-sign-encrypt, or whatever, are useful.
>
>I agree that a document talking about the various combinations of security
>elements and how they can be used would be a good thing, but not as part of
>the specification itself. Been there, done that -- prose along these lines
>was part of early drafts but effectively prevented working group closure.

I asked for a one paragraph recommendation in MOSS. In most situations,
signature should be done before encryption. Heck, one sentence would have
been enough for implementors to do the right thing. Imagine a GUI with a
choice between sign, encrypt, and sign+encrypt. When the last option is
selected, signature should be done first.

>In any case, this flexibility in MOSS is also present in S/MIME and
>in Mike Elkins' PGP/MIME proposal. Similar variations are possible in
>X.400 as well.

In X.411, you could define an asymmetric-token to do whatever you want, but
I think that the ones in the standard do signature first.

Russ
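
The nesting discussed in this message, as an added example that is not part of the original post: a small checker that reads the RFC 1847 layers of a message and reports when a multipart/signed directly wraps a multipart/encrypted, i.e. a signature over ciphertext. The function names are hypothetical, the sample messages are constructed with placeholder bytes instead of real cryptography, and the `protocol` and `micalg` values are the MOSS ones from RFC 1848.

```python
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

def security_layers(msg):
    """RFC 1847 security layers visible without decrypting, outermost first."""
    layers = []
    while msg.get_content_type() in ("multipart/signed", "multipart/encrypted"):
        kind = msg.get_content_subtype()
        layers.append(kind)
        parts = msg.get_payload()
        if kind == "encrypted" or not isinstance(parts, list) or not parts:
            break  # ciphertext is opaque; nothing more can be seen from outside
        msg = parts[0]  # multipart/signed: the first part is the signed content
    return layers

def signs_ciphertext(msg):
    """True when a signature directly covers an encrypted body part."""
    return security_layers(msg)[:2] == ["signed", "encrypted"]

# Constructed sample messages (placeholder bytes, no real cryptography).
def signed(inner):
    m = MIMEMultipart("signed", protocol="application/moss-signature",
                      micalg="rsa-md5")
    m.attach(inner)
    m.attach(MIMEApplication(b"constructed-signature", "moss-signature"))
    return m

def encrypted():
    m = MIMEMultipart("encrypted", protocol="application/moss-keys")
    m.attach(MIMEApplication(b"constructed-key-info", "moss-keys"))
    m.attach(MIMEApplication(b"constructed-ciphertext", "octet-stream"))
    return m

def on_the_wire(m):
    """Serialize and re-parse, so the check runs on what a receiver would see."""
    return message_from_string(m.as_string())

if __name__ == "__main__":
    samples = [("signature over ciphertext", signed(encrypted())),
               ("encrypted outer layer", encrypted()),
               ("signed only", signed(MIMEText("hello")))]
    for name, m in samples:
        parsed = on_the_wire(m)
        print(name, security_layers(parsed), signs_ciphertext(parsed))
```

A message that was signed first and then encrypted shows only the `encrypted` layer from the outside, because the multipart/signed entity is inside the ciphertext.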