-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thu, Jun 05, 2003 at 02:18:31AM +0200, Imad R. Faiad wrote:
Hello Mr. Callas,
And while we are hacking, by hacking, I mean
chopping with an axe. Let us spruce the
compression algorithms.
The zlib compression algorithm seems to be only
implemented in the GnuPG variants, and
is causing a lot of inter-operability problems.
The compression function is breaking inter
operability, therefore, we ought to state what is a
"MUST" and what isn't, so that the issue may be resolved,
once and for all.
I think the text in the draft is pretty clear on this point. To my
reading, it says:
* You MUST support uncompressed data.
* You SHOULD support ZIP.
* You MAY support ZLIB.
* If a key states compression preferences, they MUST be followed at
least to the point of knowing when to send uncompressed. An easy
way to do this is to to always send uncompressed data since it is
known to always be supported.
* If a key does not state compression preferences, they are assumed
to be "ZIP, Uncompressed".
It all seems pretty clear-cut to me.
I have seen a few interoperability problems between GnuPG and PGP due
to ZLIB, but each and every one falls into one of two groups:
1) A GnuPG user who insists on forcing the use of ZLIB when
communicating with a PGP user, and ignores the "forcing compression
algorithm ZLIB violates recipient preferences" error message. This
is depressingly common, but still is not a problem that the OpenPGP
design can solve.
2) A key is generated in GnuPG, then later the user switches over to
using PGP. Since the ZLIB preference still exists on the key,
a correspondant using GnuPG will naturally use ZLIB when encrypting
to that key. This is a problem that OpenPGP addresses in section
5.2.3.3 ("Notes on Self-Signatures"):
Since a self-signature contains important information about the
key's use, an implementation SHOULD allow the user to rewrite
the self-signature, and important information in it, such as
preferences and key expiration.
Especially so, when, forgive
my expression, some implementors, default to zilb,
while others seem to be unwilling to implement it.
Which implementation is that? Both GnuPG and PGP default to ZIP.
The problem here is actually wider than the ZIP/ZLIB issue. The same
thing happens with any two OpenPGP programs that support any different
cipher or hash algorithms. The answer is not to force all
implementations to have the exact same algorithms. The answer is to
properly use the preference lists. That's what they are there for.
David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc
iD8DBQE+3pRv4mZch0nhy8kRAs0gAKDJkU7Y0RJmWg5oeJjKICAQ+LTgCACgth2C
E2mSyLcJoDRwAMzEIXs4jRA=
=poNL
-----END PGP SIGNATURE-----