[149177] in cryptography@c2.net mail archive
Re: [Cryptography] Does PGP use sign-then-encrypt or
daemon@ATHENA.MIT.EDU (Tony Arcieri)
Tue Jan 21 16:56:14 2014
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <m3bnz5w3do.fsf@carbon.jhcloos.org>
From: Tony Arcieri <bascule@gmail.com>
Date: Tue, 21 Jan 2014 13:11:52 -0800
To: James Cloos <cloos@jhcloos.com>
Cc: Crypto <cryptography@metzdowd.com>,
Stephan Neuhaus <stephan.neuhaus@tik.ee.ethz.ch>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
--===============0414130529890441520==
Content-Type: multipart/alternative; boundary=001a11c2209e48c38204f0817698
--001a11c2209e48c38204f0817698
Content-Type: text/plain; charset=ISO-8859-1
On Tue, Jan 21, 2014 at 11:17 AM, James Cloos <cloos@jhcloos.com> wrote:
> Some even suggested doing s-e-s, possibly with different signing keys.
Wouldn't it make the most sense to sign-then-encrypt-then-MAC (with the
latter ideally handled by an authenticated encryption mechanism)?
What's the value in being able to verify a signature without decrypting? It
seems like if you can do that then anyone can tie a signature to a
particular message even if they can't decrypt it, which seems like a
drawback to me.
--
Tony Arcieri
--001a11c2209e48c38204f0817698
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote">On T=
ue, Jan 21, 2014 at 11:17 AM, James Cloos <span dir=3D"ltr"><<a href=3D"=
mailto:cloos@jhcloos.com" target=3D"_blank">cloos@jhcloos.com</a>></span=
> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">Some even suggested doing s-e-s, possibly wi=
th different signing keys.</blockquote><div><br></div><div>Wouldn't it =
make the most sense to sign-then-encrypt-then-MAC (with the latter ideally =
handled by an authenticated encryption mechanism)?</div>
<div><br></div><div>What's the value in being able to verify a signatur=
e without decrypting? It seems like if you can do that then anyone can tie =
a signature to a particular message even if they can't decrypt it, whic=
h seems like a drawback to me.</div>
</div><div><br></div>-- <br>Tony Arcieri<br>
</div></div>
--001a11c2209e48c38204f0817698--
--===============0414130529890441520==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
--===============0414130529890441520==--
