* on the Wed, Apr 09, 2014 at 10:35:30AM +0100, Klaus Ethgen wrote:
> [Encryption inside or outside of signing]
>> That is not correct. With PGP, we always sign the ciphertext. We don't
>> encrypt signed plaintext. (*)
>
> You might be right with your concerns below but I just tested to encrypt
> and sign a file and looking at the packages via gpgsplit. There is a
> package 001 and one 018 on top and inside 018 is the signature. If you
> have a look at [0] Section 4.3 you can see that 001 is the encrypted
> session key.
>
> It even makes fully sense this way around as the signature itself might
> be sensitive data that is protected by the encryption.
I immediately doubted myself after sending that message. I've always had
it in my head that that's the way it works, but I could be wrong. I'll
have a play with gpgsplit myself. I'd never come across that utility
before.
--
Mike Cardwell https://grepular.com https://emailprivacytester.com
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
