Dignature verification problem

[Johan Wevers]

Anton Stiglic wrote:

> The thing is that if Alice first encrypts the message under Bob's public
> key, Alice has no control over how Bob's public key was created, and Bob
> could later on change his public key in a way that the ciphertext Alice
> signed decrypts to a different message, thus if Alice signs the ciphertext
> you cannot assume that Alice has any knowledge of the data she actually
> signed.

You forget a much more important issue: if the message is first signed and
then encrypted, someone who intercepts the message can't find out who signed
it. This allows it for example to send signed messages through anonymous
remailers where only the receiver knows who sent it. The --throw-keyid
option does the same for encryption.

-- 
ir. J.C.A. Wevers         //  Physics and science fiction site:
johanw@vulcan.xs4all.nl   //  http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html