PlayStation 3 predicts next US president

Ian G iang at
Thu Dec 6 10:26:48 EST 2007

dan at wrote:
> If on the one hand, the correct procedure is sign-encrypt-sign,
> then why, on the other hand, is the parallel not sign-hash-sign ?

What is "correct" depends on requirements and semantics, and 
neither is well addressed in that paper nor in standards, 
w.r.t. email and signing.

Ditto, in terms of your question.

As an example (Ricardian Contract [1]), we might say that a 
signed contract is done as


[2] With this procedure, the first hash-digsig is a human 
signing (classical cleartext openpgp signature) and the last 
hash is a signature that causes sharing of the exact 
document [3].


[1] To complete the picture, even this evidence is 
distributed by means of transactions over the document;  to 
be extreme, the end result is this:


[2] a public key signature is normally done hash-digsig, 
right?  So your sign-hash-sign might really be:


but that's a guess.


> --dan
> =============
> Donald T. Davis, "Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM,
> PGP, and XML.", Proc. Usenix Tech. Conf. 2001 (Boston, Mass., June
> 25-30, 2001), pp. 65-78. (180 Kbytes) (PDF, 200 Kbytes) (HTML, 80 Kbytes)
> Summary of the paper.
> Abstract: 
> Simple Sign & Encrypt, by itself, is not very secure. Cryptographers
> know this well, but application programmers and standards authors still
> tend to put too much trust in simple Sign-and-Encrypt. In fact, every
> secure e-mail protocol, old and new, has codified naïve Sign &
> Encrypt as acceptable security practice. S/MIME, PKCS#7, PGP, OpenPGP,
> PEM, and MOSS all suffer from this flaw. Similarly, the secure document
> protocols PKCS#7, XML-Signature, and XML-Encryption suffer from the
> same flaw. Naïve Sign & Encrypt appears only in file-security and
> mail-security applications, but this narrow scope is becoming more
> important to the rapidly-growing class of commercial users. With file-
> and mail-encryption seeing widespread use, and with flawed encryption in
> play, we can expect widespread exposures.
> In this paper, we analyze the naïve Sign & Encrypt flaw, we
> review the defective sign/encrypt standards, and we describe a
> comprehensive set of simple repairs. The various repairs all have a
> common feature: when signing and encryption are combined, the inner
> crypto layer must somehow depend on the outer layer, so as to reveal any
> tampering with the outer layer.
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at
