[Assword] maybe use -compress-algo NULL by default?
Jameson Graef Rollins
jrollins at finestructure.net
Fri May 2 02:35:36 EDT 2014
On Tue, Mar 18 2014, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> the openpgp mailing list has a discussion right now about the riskiness
> of the use of compression when compressing password files when an
> attacker can observe the size of the file and can force the user to add
> a new password of the attackers' choosing (similar to the TLS CRIME attack):
>
> https://www.ietf.org/mail-archive/web/openpgp/current/msg07252.html
>
> I haven't thought through all the consequences here yet, but it's
> possible that we should ensure that assword always uses --compress-algo
> NULL when encrypting its data file.
Hi, Daniel. Do you know how this might be achieved via the python gpgme
interface? I've looked in the python gpgme help documentation and I
don't see any way to specify the compression algorithm.
jamie.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 818 bytes
Desc: not available
URL: <https://lists.mayfirst.org/mailman/private/assword/attachments/20140501/042b03c0/attachment.pgp>
More information about the Assword
mailing list