From what I've read it is "encrypt then sign, unless signatures are optional and could be stripped from the message in which case things are complicated"