[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?

James Cloos cloos at jhcloos.com
Tue Jan 21 14:17:30 EST 2014


>>>>> "SN" == Stephan Neuhaus <stephan.neuhaus at tik.ee.ethz.ch> writes:

SN> Knowing that both naively doing sign-then-encrypt and
SN> encrypt-then-sign have their problems, surely it can't be that,
SN> right?  So what *is* actually happening in OpenPGP?

There was a lengthy discussion about which is best on one of the crypto
lists about a decade ago, give or take.  It might have been one of the
gpg lists, the ietf openpgp wg list or coderpunks?

It mostly discussed whether it is better to hide the signature or permit
verification w/o decryption.

Some even suggested doing s-e-s, possibly with different signing keys.

IIRC, the result was that each option has value in different circumstances,
but I do not recall whether there was a consensus on the ideal default.

-JimC
--
James Cloos <cloos at jhcloos.com>         OpenPGP: 1024D/ED7DAEA6


More information about the cryptography mailing list