signing & encrypting

Aurelio Turco a.turco@bom.gov.au
Thu May 16 14:01:02 2002


In the FAQ (http://www.gnupg.org/faq.html) it says:

  There is a small security glitch in the OpenPGP (and therefore GnuPG)
  system; to avoid this you should always sign and encrypt a message
  instead of only encrypting it.

Can someone provide a one- or two-sentence explanation as to what this
glitch might be?

If one is to both sign and encrypt a message, would I be correct in
saying that one should encrypt before signing?

Does the order in which --sign and --encrypt are specified on the gpg
command line make a difference to the order in which the corresponding
operations are done?

Any help would be much appreciated.

Cheers.