Don Davis' article Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML (USENIX 2001) is another of those must-read articles for anyone working with crypto. This five-year-old article shows how even experienced security engineers can overlook or underestimate security problems.
Some key points from the article:
- Encrypt-then-Sign lacks the non-repudiation (authorship) property: the signer may be signing ciphertext he cannot read, so anyone can strip the signature from a ciphertext and re-sign it as their own, and the recipient cannot tell who actually wrote the plaintext
- Naive Sign-then-Encrypt allows surreptitious forwarding: the recipient can decrypt and re-encrypt the still-signed message to a third party, who sees a valid signature and assumes the signer sent it to them
- The fix is to sign and encrypt interdependently: sign the recipient's name into the plaintext (or encrypt the sender's name into it), or use sign/encrypt/sign
Some advice of my own:
- Sign as you would chain-lock a bicycle: anything not chained down (e.g. the front wheel) is not protected. Headers, recipient names and routing fields left outside the signed region can be swapped without invalidating the signature
- When in doubt, include it: in addition to a timestamp, I would add a system-wide unique sequence id (e.g. host id + host-specific sequence number) inside the signed data, so replays and re-ordering can be detected
- When designing a signable structure, reserve an area for these extras from the start
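To make the two failure modes above and the "chain-lock everything" advice concrete, here is an added toy model (not from Davis's paper or this post). It shows naive sign-then-encrypt being surreptitiously forwarded, naive encrypt-then-sign having its signature replaced, and the repaired form that binds recipient, timestamp and a host-scoped sequence id into the signed structure. The textbook RSA over Mersenne primes, the SHA-256 keystream, the party names and the JSON envelope fields are all assumptions made so the script runs offline with the standard library; none of it is a secure construction.

```python
# Constructed illustration of Davis's sign/encrypt failures and the repair.
# Textbook RSA with fixed Mersenne primes + SHA-256 keystream: a TOY, not real crypto.
import hashlib
import itertools
import json
import secrets
import time

E = 65537


def make_keypair(p, q):
    """Textbook RSA keypair from two known primes (toy, constructed)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"e": E, "n": n}, {"d": d, "n": n}


def sign(priv, data: bytes) -> int:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % priv["n"]
    return pow(h, priv["d"], priv["n"])


def verify(pub, data: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % pub["n"]
    return pow(sig, pub["e"], pub["n"]) == h


def _keystream(key: int, length: int) -> bytes:
    out = b""
    for ctr in itertools.count():
        out += hashlib.sha256(key.to_bytes(32, "big") + ctr.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return out[:length]


def encrypt(pub, data: bytes) -> dict:
    """Hybrid: RSA-wrap a random session key, XOR the body with a hash keystream."""
    k = secrets.randbelow(pub["n"] - 2) + 2
    ks = _keystream(k, len(data))
    return {"ek": pow(k, pub["e"], pub["n"]), "body": bytes(a ^ b for a, b in zip(data, ks))}


def decrypt(priv, msg: dict) -> bytes:
    k = pow(msg["ek"], priv["d"], priv["n"])
    ks = _keystream(k, len(msg["body"]))
    return bytes(a ^ b for a, b in zip(msg["body"], ks))


# Three parties with distinct toy keys (2^p - 1 for these p are known primes).
alice_pub, alice_priv = make_keypair(2**61 - 1, 2**31 - 1)
bob_pub, bob_priv = make_keypair(2**89 - 1, 2**19 - 1)
carol_pub, carol_priv = make_keypair(2**107 - 1, 2**17 - 1)


# 1. Naive sign-then-encrypt: only the text is signed, so Bob can forward it.
def naive_sign_encrypt(sender_priv, recipient_pub, text: str) -> dict:
    inner = {"text": text, "sig": sign(sender_priv, text.encode())}
    return encrypt(recipient_pub, json.dumps(inner).encode())


def naive_open(recipient_priv, sender_pub, msg):
    inner = json.loads(decrypt(recipient_priv, msg))
    return inner["text"], verify(sender_pub, inner["text"].encode(), inner["sig"])


def forwarding_attack() -> bool:
    m = naive_sign_encrypt(alice_priv, bob_pub, "Bob, you are hired.")
    forwarded = encrypt(carol_pub, decrypt(bob_priv, m))  # Bob re-encrypts Alice's signed text to Carol
    _text, ok = naive_open(carol_priv, alice_pub, forwarded)
    return ok  # True: Carol sees a valid Alice signature and believes Alice sent it to her


# 2. Naive encrypt-then-sign: Mallory (here reusing Carol's key) re-signs ciphertext she cannot read.
def replacement_attack() -> bool:
    ct = encrypt(bob_pub, b"secret report")
    wire = {"ct": ct, "sig": sign(alice_priv, ct["body"])}  # Alice signs the ciphertext body
    wire["sig"] = sign(carol_priv, ct["body"])               # Mallory strips and replaces the signature
    return verify(carol_pub, wire["ct"]["body"], wire["sig"])  # True: Bob attributes the plaintext to Mallory


# 3. Repaired: recipient, timestamp and host-scoped sequence id are inside the signature.
HOST_ID = "host-a"  # assumed host identifier
_seq = itertools.count(1)


def bound_sign_encrypt(sender_priv, sender_id, recipient_pub, recipient_id, text: str) -> dict:
    env = {"from": sender_id, "to": recipient_id, "ts": int(time.time()),
           "seq": f"{HOST_ID}:{next(_seq)}", "text": text}
    body = json.dumps(env, sort_keys=True).encode()  # canonical serialization on both ends
    return encrypt(recipient_pub, json.dumps({"env": env, "sig": sign(sender_priv, body)}).encode())


def bound_open(recipient_priv, my_id, sender_pub, msg, seen: set):
    inner = json.loads(decrypt(recipient_priv, msg))
    env = inner["env"]
    if not verify(sender_pub, json.dumps(env, sort_keys=True).encode(), inner["sig"]):
        return None, "bad signature"
    if env["to"] != my_id:
        return None, "not addressed to me"
    if env["seq"] in seen:
        return None, "replay"
    seen.add(env["seq"])
    return env["text"], "ok"


def bound_forwarding_attack():
    m = bound_sign_encrypt(alice_priv, "alice", bob_pub, "bob", "Bob, you are hired.")
    forwarded = encrypt(carol_pub, decrypt(bob_priv, m))
    return bound_open(carol_priv, "carol", alice_pub, forwarded, set())  # (None, "not addressed to me")
```

Run `forwarding_attack()` and `replacement_attack()` to see both naive forms return `True` for the attacker, and `bound_forwarding_attack()` to see the bound envelope rejected because the signed `to` field names Bob. The `seen` set of sequence ids is what turns the timestamp-plus-sequence advice into an actual replay check; a real deployment would persist it per sender and also bound the accepted clock skew on `ts`.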
BTW, the Last Call version of the C14N 1.1 (Canonical XML 1.1) spec is out. Given that standards like these still have problems after review by countless experts, I think the "many eyes" effect of open source on security is rather exaggerated.