* on the Wed, Apr 09, 2014 at 10:35:30AM +0100, Klaus Ethgen wrote:

> [Encryption inside or outside of signing]
>> That is not correct. With PGP, we always sign the ciphertext. We don't
>> encrypt signed plaintext. (*)
>
> You might be right with your concerns below but I just tested to encrypt
> and sign a file and looking at the packages via gpgsplit. There is a
> package 001 and one 018 on top and inside 018 is the signature. If you
> have a look at [0] Section 4.3 you can see that 001 is the encrypted
> session key.
>
> It even makes fully sense this way around as the signature itself might
> be sensitive data that is protected by the encryption.

I immediately doubted myself after sending that message. I've always had
it in my head that that's the way it works, but I could be wrong. I'll
have a play with gpgsplit myself. I'd never come across that utility
before.

--
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
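
The 001 and 018 that gpgsplit reports in the thread above are OpenPGP packet tags. As an added example (not part of the original messages), the Python below walks the outer packet layer of a message following the header rules in RFC 4880 section 4.2; the function names and the zero-filled sample messages are constructed for illustration.

```python
# Added example: list the top-level packets of an OpenPGP message (RFC 4880, 4.2).
TAGS = {1: "pk-encrypted session key", 2: "signature", 4: "one-pass signature",
        11: "literal data", 18: "encrypted + integrity-protected data"}

def new_length(buf, pos):
    """Decode one new-format length; returns (length, next_pos, is_partial)."""
    o1 = buf[pos]
    if o1 < 192:
        return o1, pos + 1, False
    if o1 < 224:
        return ((o1 - 192) << 8) + buf[pos + 1] + 192, pos + 2, False
    if o1 == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (o1 & 0x1F), pos + 1, True  # partial chunk, more follow

def list_packets(buf):
    """Return [(tag, body_length)] for each packet at the outer layer."""
    out, pos = [], 0
    while pos < len(buf):
        first = buf[pos]
        if not first & 0x80:
            raise ValueError(f"offset {pos}: not a packet header")
        if first & 0x40:  # new format: tag in bits 5-0
            tag, total, pos, partial = first & 0x3F, 0, pos + 1, True
            while partial:
                n, pos, partial = new_length(buf, pos)
                total, pos = total + n, pos + n
        else:  # old format: tag in bits 5-2, length type in bits 1-0
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:  # indeterminate: body runs to end of input
                total, pos = len(buf) - pos - 1, len(buf)
            else:
                width = 1 << ltype
                total = int.from_bytes(buf[pos + 1:pos + 1 + width], "big")
                pos += 1 + width + total
        if pos > len(buf):
            raise ValueError("truncated packet")
        out.append((tag, total))
    return out

def signature_visible(buf):
    """True if a signature (2) or one-pass signature (4) packet is at the outer layer."""
    return any(tag in (2, 4) for tag, _ in list_packets(buf))

# Constructed samples (zero-filled bodies, not real key material or ciphertext).
ENCRYPTED = bytes([0x85, 0x00, 0x03]) + bytes(3) + bytes([0xD2, 0xE9]) + bytes(512) + bytes([0x03]) + bytes(3)
SIGNED_ONLY = bytes([0x90, 0x0D]) + bytes(13) + bytes([0xCB, 0x05]) + bytes(5) + bytes([0x88, 0x04]) + bytes(4)

if __name__ == "__main__":
    for name, msg in (("encrypted", ENCRYPTED), ("signed only", SIGNED_ONLY)):
        print(name, [(f"{t:03d}", TAGS.get(t, "?"), n) for t, n in list_packets(msg)])
```

Whatever the tag 18 body holds is opaque to this walk: only decryption reveals the packets nested inside it.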
