On 3/28/19 at 5:30 AM, justuswinter(_at_)gmail(_dot_)com (Justus Winter) wrote:
For me, using an unbounded amount of memory is not an option for a
component processing OpenPGP data if we want to build robust systems
on top.
Can't you follow Jon's advice:
On 3/20/19 at 12:36 PM, joncallas=40icloud(_dot_)com(_at_)dmarc(_dot_)ietf(_dot_)org
(Jon Callas) wrote:
To address your point, as I said in my long missive, you can do
this today. No changes are needed to the protocol. All you have
to do is put a compression preference on your key that says no
compression, and then you won’t get compression. (Well, to be
completely correct, if someone compresses then they’re
non-compliant to the standard.) Repeating myself, I support and
encourage implementations to do that by default.
You can then treat any message that uses compression as
malicious and refuse to process it.
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz        | When it comes to the world     | Periwinkle
(408)356-8506      | around us, is there any choice | 16345 Englewood Ave
www.pwpconsult.com | but to explore? - Lisa Randall | Los Gatos, CA 95032
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
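
The refusal step suggested in this message, sketched as an added example (not code from the thread or from any OpenPGP implementation). It assumes the input is the binary packet stream obtained after de-armoring and decryption, and uses the RFC 4880 packet header rules; the names check_no_compression and PolicyViolation are hypothetical.

```python
# Added example: enforce a "no compression" policy on decrypted OpenPGP data.
COMPRESSED_DATA = 8          # packet tag for Compressed Data (RFC 4880, 4.3)

class PolicyViolation(Exception):
    """The message contains a packet that local policy refuses to process."""

def _skip_new_body(buf, pos):
    """Return the offset just past a new-format body; pos is at its length octets."""
    while True:
        o1 = buf[pos]
        if o1 < 192:                                  # one-octet length
            return pos + 1 + o1
        if o1 < 224:                                  # two-octet length
            return pos + 2 + ((o1 - 192) << 8) + buf[pos + 1] + 192
        if o1 == 255:                                 # five-octet length
            return pos + 5 + int.from_bytes(buf[pos + 1:pos + 5], "big")
        pos += 1 + (1 << (o1 & 0x1F))                 # partial chunk, next length follows

def check_no_compression(plaintext):
    """Return the top-level packet tags, refusing before any decompressor runs."""
    pos, tags = 0, []
    try:
        while pos < len(plaintext):
            first = plaintext[pos]
            if not first & 0x80:
                raise ValueError("not an OpenPGP packet (bit 7 clear)")
            new_format = bool(first & 0x40)
            tag = (first & 0x3F) if new_format else ((first >> 2) & 0x0F)
            if tag == COMPRESSED_DATA:                # decided from the tag octet alone
                raise PolicyViolation(f"compressed data packet at offset {pos}")
            tags.append(tag)
            if new_format:
                pos = _skip_new_body(plaintext, pos + 1)
            elif (first & 0x03) == 3:                 # old format, indeterminate: runs to EOF
                pos = len(plaintext)
            else:
                n = 1 << (first & 0x03)               # 1, 2 or 4 length octets
                pos += 1 + n + int.from_bytes(plaintext[pos + 1:pos + 1 + n], "big")
            if pos > len(plaintext):
                raise ValueError("packet body runs past end of input")
    except IndexError:
        raise ValueError("truncated packet header") from None
    return tags

# Constructed samples: a literal packet, and one led by the 0xA3 octet
# (old-format tag 8, indeterminate length) followed by filler bytes.
LITERAL_ONLY = b"\xcb\x08b\x00\x00\x00\x00\x00hi"
COMPRESSED = b"\xa3\x01" + b"\x00" * 16
```

The decision is made from the tag octet, so the compressed body is never read and memory use stays bounded by the header walk.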