[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?

James A. Donald jamesd at echeque.com
Sun Jan 26 17:11:16 EST 2014


On 2014-01-27 07:39, Peter Todd wrote:
> I personally have made use of sign-then-encrypt by signing a
> confidential security audit, encrypting it to the client, and telling
> them how they can use the --override-session-key feature of GPG to later
> release my report after the client had fixed the issues.

In such special cases you want to sign.

You seldom want to sign, you always want to authenticate.
Using signatures for authentication is a security flaw.

So, by default, a secure communication system should always authenticate 
by default, and check authentication by default, and never sign by default.

Authentication should always be checked, and if authentication is not 
present, the recipient's system should silently ignore the message. 
Signatures should be checked, and the user notified if the signature 
fails. However, the recipient system should not expect a signature.

The simplest way to do this is for a signature, if present, to be present 
in addition to authentication, even though it can substitute for 
authentication.
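
The receiving policy described in this message, as an added example that is not part of the original post or of PGP/GPG. It assumes the two parties already share a MAC key, uses HMAC-SHA256 as the authentication, and uses a Lamport one-time signature as a stand-in for a real signing key so that it runs on the standard library alone; `send`, `receive` and the message layout are hypothetical.

```python
import hashlib
import hmac
import secrets

def H(b):
    return hashlib.sha256(b).digest()

def lamport_keygen():
    # Stand-in for a long-term signing key (assumption). One key signs ONE message.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg):
    # Reveal one preimage per digest bit.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def lamport_verify(pk, msg, sig):
    return len(sig) == 256 and all(
        hmac.compare_digest(H(s), pk[i][b])
        for (i, b), s in zip(enumerate(_bits(msg)), sig))

def send(mac_key, body, sign_key=None):
    # Authentication is always attached; the signature only on request.
    msg = {"body": body, "mac": hmac.new(mac_key, body, hashlib.sha256).digest()}
    if sign_key is not None:
        msg["sig"] = lamport_sign(sign_key, body)
    return msg

def receive(mac_key, sender_pk, msg):
    """Return (body, notice). body is None when the message is dropped."""
    body, mac = msg.get("body", b""), msg.get("mac")
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if mac is None or not hmac.compare_digest(mac, expected):
        return None, None                  # unauthenticated: silently ignore
    sig = msg.get("sig")
    if sig is None:
        return body, None                  # a signature is not expected
    if lamport_verify(sender_pk, body, sig):
        return body, "signed"
    # Assumption: the authenticated body is still delivered, with a warning.
    return body, "SIGNATURE FAILED"
```

A valid signature without a valid MAC is still dropped here, which is the "in addition to authentication" arrangement rather than letting the signature substitute for it.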




