ietf-openpgp

[openpgp] Deprecating compression support

2019-03-18 07:08:17
Hello,

I propose to deprecate compression support in OpenPGP.  The reasons
for this are:

  - Compression makes it impossible to reason about the size of a
    decrypted message, requiring the use of a streaming interface even
    for seemingly small messages, e.g. emails.  Experience has shown
    that downstream users struggle with the correct use of streaming
    interfaces.

  - Compression allows the construction of quines.

  - Compression interacts badly with encryption, see e.g. CRIME,
    BREACH, and hiding of EFAIL-style CFB gadgets [0].

  - The downstream application is in a better position to decide whether
    and how to compress data that is then encrypted using OpenPGP.

  - Compression makes the standard more complex, and enlarges the
    trusted computing base of implementations.

I realize that we cannot suddenly drop decompression support, but I
would suggest to stop emitting compressed data packets.  If this
proposal gathers traction, I would be happy to suggest a change to the
standard.

Cheers,
Justus

0: Section 5.3 of https://efail.de/efail-attack-paper.pdf


_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
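
Added example, not part of the original post or of any OpenPGP implementation: the first point in the message (decompressed size cannot be predicted from the ciphertext size) is why a receiver has to inflate incrementally under an explicit output budget. The function and exception names are hypothetical; the sketch assumes the compression algorithm IDs 1 (ZIP) and 2 (ZLIB) from RFC 4880, section 9.3, and uses a constructed input.

```python
import zlib

# OpenPGP compression algorithm IDs (RFC 4880, section 9.3) -> zlib wbits.
# ID 3 (BZip2) is left out of this sketch.
WBITS = {1: -15,  # ZIP: raw DEFLATE
         2: 15}   # ZLIB: DEFLATE with zlib header and Adler-32 trailer


class OutputLimitExceeded(Exception):
    """The compressed body would inflate past the caller's budget."""


def bounded_decompress(body, algo, max_out, chunk=65536):
    """Inflate a compressed packet body, never buffering more than max_out + 1 bytes."""
    if algo not in WBITS:
        raise ValueError("unsupported compression algorithm %d" % algo)
    d = zlib.decompressobj(wbits=WBITS[algo])
    out = bytearray()
    data = body
    while not d.eof:
        # Request one byte beyond the remaining budget so that an overrun is
        # detected without inflating the rest of the stream. max_length must
        # stay >= 1 because 0 means "unlimited" to zlib.
        piece = d.decompress(data, min(chunk, max_out - len(out) + 1))
        out += piece
        if len(out) > max_out:
            raise OutputLimitExceeded("more than %d bytes of output" % max_out)
        data = d.unconsumed_tail
        if not piece and not data and not d.eof:
            raise ValueError("truncated compressed stream")
    return bytes(out)


def make_body(payload, algo):
    """Constructed sample input: compress payload the way the given ID prescribes."""
    c = zlib.compressobj(9, zlib.DEFLATED, WBITS[algo])
    return c.compress(payload) + c.flush()


if __name__ == "__main__":
    body = make_body(b"\x00" * (4 << 20), 1)      # 4 MiB of zeros, constructed
    print("compressed size:", len(body))
    try:
        bounded_decompress(body, 1, max_out=1 << 20)
    except OutputLimitExceeded as e:
        print("rejected:", e)
```
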