[87280] in cryptography@c2.net mail archive
Re: Public key encrypt-then-sign or sign-then-encrypt?
daemon@ATHENA.MIT.EDU (Florian Weimer)
Wed May 2 09:57:33 2007
From: Florian Weimer <fw@deneb.enyo.de>
To: cryptography@metzdowd.com
Date: Wed, 02 May 2007 13:44:54 +0200
In-Reply-To: <20070426021533.GA32415@subspacefield.org> (Travis H.'s message
of "Wed, 25 Apr 2007 21:15:33 -0500")
* Travis H.:
> Also there's a semantic issue; am I attesting to the plaintext,
> or the ciphertext? It's possible the difference could be important.
With sign, then encrypt, it's also possible that the receiver decrypts
the message, and then leaks it, potentially giving the impression that
the signer authorized the disclosure. There has been a fair bit of
buzz about this confusion. But the lesson from that seems to be that
signature semantics are very hard to agree upon, and most marginally
successful standards sidestep the issue anyway, acting as a mere
transport protocol.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
