Re: O.J. ObCrypto: Fuhrman's Folly Fans Fakery Fears...
At 12:13 9/1/95, Bill Stewart wrote:
I do not think that PGP 2.x can easily (i.e., Automatically) use one key for Signing and another for Encrypting a Message (it does both at the same time if you ask). If I "Clear Sign" a message and then Encrypt it, then I get the result but I'm not sure if doing the decrypt on such a message will automatically spot the signature and verify it (as would occur with an E+S pass).
PGP identifies the key for decryption and signature checking from the message. When you're signing a message or key, you can pick which of your keys to use with the -u option.
OK - I'll rephrase my query/quandary. If I create a message by feeding in plain text and asking for an Encrypt and Sign, is the FORMAT of the resulting file different from one where I Sign the Text and then (in a separate step/pass) Encrypt the Signed Message (IOW is E+S just a short cut for the two processes done in sequence using the same key for both operations)? If E+S is only a short-cut then doing the steps separately will give the result that PGP3 will get automatically with its Separate Function Keys Feature.
The difficulty is getting people to use your encryption key instead of your signature key when encrypting stuff for you. Derek mentioned one approach (get people to load the encryption key first); unfortunately, you can't predict their behavior, and if you change encryption keys more often than signature keys, they'll load the newest encryption key last. Another approach is to identify them in the names - my key certification key says "KeyCert-only" in the text.
For the problem that started this discussion, though, there's no good solution. Since the Bad Guys _can_ encrypt a message to you with your signature key, and send it to you by anonymous remailer, they can plant a reason to suspect that you may have evidence encrypted with that key.
This will all become (more) academic once PGP3 comes out and Sign-Only keys would not be usable for Encryption.
participants (1)
- Robert A. Rosenberg