Mailing List Archive

Re: [openpgp] Deprecating compression support
On Sat 2019-03-23 18:07:23 +0100, ilf wrote:
> So can we change GnuPG to default-preference Uncompressed?

[ switching this implementation-specific message to
gnupg-devel@gnupg.org, please respect Mail-Followup-To: ]

The current implementation of GnuPG creates OpenPGP certificates with
this preference listing:

Compression: ZLIB, BZIP2, ZIP, Uncompressed

Are you suggesting that we change it to:

Compression: Uncompressed, ZLIB, BZIP2, ZIP

or to:

Compression: Uncompressed

?

Setting aside the question of defaults, for your own OpenPGP certificate
right now you can do this with any modern version of GnuPG, if you're
willing to poke at the command line with some arcana:

For the less severe change:

gpg --edit-key $FINGERPRINT showpref 'setpref S9 S8 S7 S2 H10 H9 H8 H11 H2 Z0 Z2 Z3 Z1' save

For the more severe change:

gpg --edit-key $FINGERPRINT showpref 'setpref S9 S8 S7 S2 H10 H9 H8 H11 H2 Z0' save

then of course you'll need to re-publish the cert via whatever your
standard publication mechanism is (keyservers, WKD, keybase, etc).

--dkg
Re: [openpgp] Deprecating compression support [ In reply to ]
Daniel Kahn Gillmor:
> Are you suggesting that we change it to:
> Compression: Uncompressed, ZLIB, BZIP2, ZIP
> or to:
> Compression: Uncompressed
> ?

There seems to be rough consensus on openpgp@ietf.org to phase out
compression, except for backwards compatibility reasons - so proposal #1
should be fine with everyone.

Proposal #2 is more in line with the original proposal by Justus,
Vincent an Neal - and the counter-arguments were not against changing
the defaults for new keys but having to keep compression in
implementations.

So GnuPG development comunity: Would you be fine in changing the default
for new keys to "Compression: Uncompressed"?

--
ilf

If you upload your address book to "the cloud", I don't want to be in it.
Re: [openpgp] Deprecating compression support [ In reply to ]
On Sun, 24 Mar 2019 17:20, ilf@zeromail.org said:

> So GnuPG development comunity: Would you be fine in changing the
> default for new keys to "Compression: Uncompressed"?

That is easy to answer: No.

Removing that feature would break major use cases and deployed
infrastructure. The build in compression support in OpenPGP is actually
a selling point over S/MIME. This can also not be done with a switch to
a new key or key format because key management is independent from
actual use. Please remember that OpenPGP is not only used for mail.

As indicated in the WG I am in favor of fading out bzip2 support on the
ground that its introduction was controversial from the eginnging. Its
presense has been used to try to get xz in, and that the benefits for
plain text compression (e.g. for xml) with bzip2 over zlib is not that
big when considering overall resource use.

Those who do not want to have compression, please specify that in your
keys. MUA authors may pass "-z0" or GPGME_ENCRYPT_NO_COMPRESS to
disable encryption.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: [openpgp] Deprecating compression support [ In reply to ]
On Tue 2019-03-26 09:28:19 +0100, Werner Koch wrote:
> On Sun, 24 Mar 2019 17:20, ilf@zeromail.org said:
>
>> So GnuPG development comunity: Would you be fine in changing the
>> default for new keys to "Compression: Uncompressed"?
>
> That is easy to answer: No.
>
> Removing that feature would break major use cases and deployed
> infrastructure. The build in compression support in OpenPGP is actually
> a selling point over S/MIME.

ilf is asking about a change to the advertised preferences included in
an OpenPGP certificate generated by default with GnuPG.

Someone who wants to use the compression feature because they know
that's what they want needs only to issue a "setpref" command to
indicate that they *do* want it (if it is a "selling feature" that they
consciously care about).

This is not breakage exactly -- it's a question of where we want to push
the ecosystem.

> This can also not be done with a switch to a new key or key format
> because key management is independent from actual use.

If we were to say that v5 keys do not support in-protocol compression by
definition, then it seems like we could well do it with a switch to a
new key format. What did you mean here?

> Please remember that OpenPGP is not only used for mail.

can you elaborate on this? In contexts where OpenPGP is not only used
for e-mail, it's not competing with S/MIME, and it seems likely that a
simple pipeline with gzip or xz or whatever can meet the use case.

> Those who do not want to have compression, please specify that in your
> keys. MUA authors may pass "-z0" or GPGME_ENCRYPT_NO_COMPRESS to
> disable encryption.

itym "disable compression" :)

--dkg
Re: [openpgp] Deprecating compression support [ In reply to ]
On Tue, 26 Mar 2019 17:11, dkg@fifthhorseman.net said:

> ilf is asking about a change to the advertised preferences included in
> an OpenPGP certificate generated by default with GnuPG.

I got that.

> Someone who wants to use the compression feature because they know
> that's what they want needs only to issue a "setpref" command to

Just using setpref instead of using the defaults is not easy but may
require new organizational procedures and training.

> This is not breakage exactly -- it's a question of where we want to push
> the ecosystem.

I see no reason to drop compression form OpenPGP. It has been there
forever and is a part of it. Those folks who are trying to get severe
last minute changes into a revision of a standard may be better off to
start their protocol from scratch.

> definition, then it seems like we could well do it with a switch to a
> new key format. What did you mean here?

At some point new keys will be generated in v5 format and it will be
hard enough to get systems adopted to the longer fingerprint. Forcing
people to change their entire processing by adding another tool into a
list of steps to encrypt and convey data is everything else than user
friendly.

> can you elaborate on this? In contexts where OpenPGP is not only used
> for e-mail, it's not competing with S/MIME, and it seems likely that a
> simple pipeline with gzip or xz or whatever can meet the use case.

You need to change established procedures, test the new setup, fix the
bugs, have meetings with your peers to agree on the changes, and so on.
It is basically a the deployment of a new product.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.