ietf-openpgp
[Top] [All Lists]

Re: [openpgp] Disabling compression in OpenPGP

2014-03-18 11:08:12
On Tue, Mar 18, 2014 at 9:00 AM, Alfredo Pironti
<alfredo(_dot_)pironti(_at_)inria(_dot_)fr> wrote:
I believe similar attacks can be mounted in different contexts where OpenPGP
is used. Hence, I propose to start discussion to amend RFC 4880 to at least
discourage (if not forbid) the use of compression.

OpenPGP compression (well, the unawareness there-of) compromised the privacy
of the Wikimedia Foundation board election a couple years ago.  Users publically
submitted ballots encrypted to the election officials, the ballots
were constant length
but the compression trivially revealed information about their content.

If it isn't disabled it may be useful to quantize the size somewhat
for a minor overhead
in order to reduce the information leak somewhat.

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp