Anderson's attack?

Len Sassaman rabbi at
Thu Feb 7 00:52:02 CET 2002

This was addressed pretty thoroughly on the Cryptography list when Davis's
paper first came out. Basically, the "flaws" the paper is discussing are
social, not technical. The steps that can be taken on a technical level
to prevent this are few. (FWIW, OpenPGP's timestamping helps this a bit.)

As for your Encrypt/Sign question, I think you are asking the order in
which that occurs? The signature is inside the encryption envelope. This
is the proper way to do it, for privacy/traffic analysis purposes.

On Wed, 6 Feb 2002, Ben Pearre wrote:

> I'm sorry if this is in the archives - I looked but didn't find it.
> This seems like a legitimate concern:
> Has this been addressed in GnuPG?  The documentation doesn't mention
> whether gpg --encrypt --sign does Encrypt/Sign or Sign/Encrypt or
> what.  What's really going on in there?
> Should there be an option --both, which does sign/encrypt/sign or some
> such?  I believe that the first time I installed PGP, there was an
> option in my MUA to encrypt the relevant headers, but I don't think
> that this is a problem that should be foisted upon the MUA developers,
> as no-one seems to know about this issue.
> Thoughts?
> Cheers!
> 	-Ben
> --
> bwpearre at      


More information about the Gnupg-devel mailing list