[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?

ianG iang at iang.org
Wed Jan 22 02:56:53 EST 2014


On 22/01/14 01:29 AM, Dominik Schürmann wrote:
> Hey,
> 
> I am also very much interested in an answer to this question. Just
> read http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html .

Yes, an inspired and deep critique of sigs, but it is fundamentally
flawed in much the same way as the systems because it does not
consider the semantics.

http://financialcryptography.com/mt/archives/000905.html

As I mentioned in the earlier post, unless you decide what it is that
a digsig is supposed to represent, you're up the creek without a
paddle.  This is an architectural flaw of the times, as is seen by the
confusion in both S/MIME and PGP.  These days, we more typically just
use digsigs for their cryptographic abilities, hide them away entirely
from the user, and generally steer away from signature ideas.


> Has there been progress from 2001 to today in OpenPGP's standard
> regarding this problem?
Others on that committee that does that standard might disagree, but
I'd say "no".

PGP was invented in the early 1990s.  This was pre-web and
pre-net-explosion.  It was done in an age of manual email preparation,
when techies were the only users, and everyone was comfortable
downloading code and talking directly to pop servers and what have you.
Few then understood the conflicts between digsigs and signatures.
Some still believed that a CPS could solve all ills, if it was big enough.

Things have changed a lot since then.  Now, everything is GUI, phone,
chat, video, sharing.  Everything is dynamic.  We have way better
knowledge of how to do things.  We understand
industry/proprietary/government dynamics better.  The attack models
have now been solidified with hard data.  We know which were the
theoretical minefields (e.g., PKI which nobody copies today) and which
are the casebook studies on how not to do things.

So much so that some (like myself) claim that email is fundamentally
broken, old, deprecated and cannot be secured.  So don't bother.
That's controversial, not least because I still use email, we all here
in this list do obviously, and some even spend significant amounts of
time designing proposals to secure it!  Notably PHB.  I hope he
succeeds because we're all addicted to it and need it.

But, the fact remains that the list is quiet, and no plans to augment
the OpenPGP draft from its current phase have been aired to my
knowledge.  There is a little attention on adding EC, but even that's
quiet and it doesn't change the overall situation, it's just an
upgrade of an algorithm that should be transparent.
iang
