I was doing some research online at work today, trying to optimize some of the
security infrastructure I’ve been working on for my client. I ran across this
article in my search to remember whether, when both signing and encrypting a
message, one is supposed to sign first or encrypt first. I knew that doing it
one way was bad, but couldn’t remember which was which.

The article goes on at length about the many issues around signature and
encryption, but I mostly want to point out the first part, where it talks about
why you should always sign first, then encrypt second.