I am looking through the spec and I don't see anywhere that says which to do first, Sign or Encrypt. All security protocols of which I am aware always sign first and then encrypt. This may be obvious but I would like to add a note to this effect in section 4.1.4.5.

Note: When both signature and encryption are required, sign first and then encrypt.

Regards,
David Fischer
Drummond Group.