[149175] in cryptography@c2.net mail archive


Re: [Cryptography] Does PGP use sign-then-encrypt or

daemon@ATHENA.MIT.EDU (James Cloos)
Tue Jan 21 15:24:07 2014

X-Original-To: cryptography@metzdowd.com
From: James Cloos <cloos@jhcloos.com>
To: Stephan Neuhaus <stephan.neuhaus@tik.ee.ethz.ch>
In-Reply-To: <52DE99DF.1050900@tik.ee.ethz.ch> (Stephan Neuhaus's message of
	"Tue, 21 Jan 2014 17:01:35 +0100")
Date: Tue, 21 Jan 2014 14:17:30 -0500
Cc: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

>>>>> "SN" == Stephan Neuhaus <stephan.neuhaus@tik.ee.ethz.ch> writes:

SN> Knowing that both naively doing sign-then-encrypt and
SN> encrypt-then-sign have their problems, surely it can't be that,
SN> right?  So what *is* actually happening in OpenPGP?

There was a lengthy discussion about which is best on one of the crypto
lists about a decade ago, give or take.  It might have been one of the
gpg lists, the ietf openpgp wg list or coderpunks?

It mostly discussed whether it is better to hide the signature or permit
verification w/o decryption.

Some even suggested doing s-e-s, possibly with different signing keys.

IIRC, the result was that each option has value in different circumstances,
but I do not recall whether there was a consensus on the ideal default.

-JimC
--
James Cloos <cloos@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
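The two naive orderings the thread is asking about, each with the failure it is known for, as an added example in Go. This is not code from the post above or from any OpenPGP implementation; it uses Ed25519 for signatures and RSA-OAEP as a stand-in for public-key encryption to a recipient, with hypothetical parties alice, bob, charlie and mallory. The problems it exercises are the ones documented in Davis, "Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML" (USENIX ATC 2001): surreptitious forwarding of a sign-then-encrypt message by its legitimate recipient, and stripping and re-signing of an encrypt-then-sign message by someone who cannot read it. It goes one step past the post by also showing the usual repair for the first case, binding the intended recipient's name into the signed data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Party is a toy OpenPGP-style identity: an Ed25519 signing key pair plus an
// RSA-OAEP encryption key pair. The party names used below are hypothetical.
type Party struct {
	Name     string
	signPriv ed25519.PrivateKey
	encPriv  *rsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func NewParty(name string) *Party {
	_, spriv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	epriv, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	return &Party{name, spriv, epriv}
}
func (p *Party) signPub() ed25519.PublicKey { return p.signPriv.Public().(ed25519.PublicKey) }

func encryptTo(p *Party, data []byte) []byte {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &p.encPriv.PublicKey, data, nil)
	must(err)
	return ct
}

// decrypt panics on failure: a wrong-key ciphertext is not the failure mode shown here.
func decrypt(p *Party, ct []byte) []byte {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, p.encPriv, ct, nil)
	must(err)
	return pt
}

// Naive sign-then-encrypt: the signature names no recipient, so whoever can
// decrypt the blob can re-encrypt it, signature intact, to a third party.
func SignThenEncrypt(sender, rcpt *Party, m []byte) []byte {
	return encryptTo(rcpt, append(append([]byte{}, m...), ed25519.Sign(sender.signPriv, m)...))
}
// DecryptThenVerify splits the trailing signature off and checks it under claimed's key.
func DecryptThenVerify(rcpt, claimed *Party, ct []byte) ([]byte, bool) {
	inner := decrypt(rcpt, ct)
	n := len(inner) - ed25519.SignatureSize
	if n < 0 || !ed25519.Verify(claimed.signPub(), inner[:n], inner[n:]) {
		return nil, false
	}
	return inner[:n], true
}

// SurreptitiousForward: bob decrypts alice's blob and re-encrypts it unchanged to
// charlie, who then sees a valid signature from alice on a message addressed to him.
func SurreptitiousForward(bob, charlie *Party, ct []byte) []byte {
	return encryptTo(charlie, decrypt(bob, ct))
}

// The usual repair: bind the intended recipient into the signed data and have the
// recipient insist that the bound name is its own. A forwarded copy now fails.
func SignThenEncryptBound(sender, rcpt *Party, m []byte) []byte {
	return SignThenEncrypt(sender, rcpt, append([]byte("to:"+rcpt.Name+"\x00"), m...))
}
func DecryptThenVerifyBound(rcpt, claimed *Party, ct []byte) ([]byte, bool) {
	payload, ok := DecryptThenVerify(rcpt, claimed, ct)
	prefix := []byte("to:" + rcpt.Name + "\x00")
	if !ok || !bytes.HasPrefix(payload, prefix) {
		return nil, false
	}
	return payload[len(prefix):], true
}

// Naive encrypt-then-sign: the signature is public and covers only ciphertext,
// so anyone can discard it and sign the same ciphertext as their own.
type Signed struct{ CT, Sig []byte }

func EncryptThenSign(sender, rcpt *Party, m []byte) Signed {
	ct := encryptTo(rcpt, m)
	return Signed{ct, ed25519.Sign(sender.signPriv, ct)}
}
func VerifyThenDecrypt(rcpt, claimed *Party, s Signed) ([]byte, bool) {
	if !ed25519.Verify(claimed.signPub(), s.CT, s.Sig) {
		return nil, false
	}
	return decrypt(rcpt, s.CT), true
}

// StripAndResign: mallory never learns m, yet bob will accept the result as hers.
func StripAndResign(mallory *Party, s Signed) Signed {
	return Signed{s.CT, ed25519.Sign(mallory.signPriv, s.CT)}
}
```

Every check that matters is a return value: DecryptThenVerify(charlie, alice, SurreptitiousForward(bob, charlie, SignThenEncrypt(alice, bob, m))) comes back true, which is the forwarding problem; the Bound variant of the same call comes back false; and VerifyThenDecrypt(bob, mallory, StripAndResign(mallory, EncryptThenSign(alice, bob, m))) comes back true, which is the stripping problem. Binding the recipient's name addresses forwarding only; it does nothing for the second case, where the recipient needs something inside the encrypted layer that ties the plaintext to its author, which is what the s-e-s variant mentioned above supplies.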