ietf-openpgp
[Top] [All Lists]

Re: [openpgp] Disabling compression in OpenPGP

2014-03-20 08:56:20
Compression is on by default because it improves security.


I disagree. Compression is not a tool designed to build secure systems. Can
you be more precise in what improvement to security compression would bring?

In this discussion, the "input distribution" argument has already been
debunked: a good crypto scheme works equally well regardless of the input
distribution.

Also attacks that seemed to be thwarted by compression turned out to be
actually thwarted by the different message format that compression implies.

What other security arguments would remain in favor of compression?

Applications that rely on compression for functionality (not security) are
another matter. If your application relies on gpg compression so crucially
that a system crash would occur otherwise, then you may want to set an
explicit -z X flag to gpg anyway.


It meets that goal. It is, however, a default. Defaults can be changed.
Moreover, there's a way to work around the issue in the existing standard.
Make the vote-submission key not support compression. Poof, it works.

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp