Public key encrypt-then-sign or sign-then-encrypt?

[Florian Weimer]

* Travis H.:

> Also there's a semantic issue; am I attesting to the plaintext,
> or the ciphertext?  It's possible the difference could be important.

With sign, then encrypt, it's also possible that the receiver decrypts
the message, and then leaks it, potentially giving the impression that
the signer authorized the disclosure.  There has been a fair bit of
buzz about this confusion.  But the lesson from that seems to be that
signature semantics are very hard to agree upon, and most marginally
successful standards sidestep the issue anyway, acting as a mere
transport protocol.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com