Re: gpg > addphoto
On Wed, Jan 09, 2019 at 11:29:06PM +0100, dirk1980ac via Gnupg-users wrote: > > I only wanted to know why such a large image size in the first > > place was chosen, when GnuPG suggest a much much smaller > > size. :-) > > I think the 16M are from times, where RAM was nbot measured in GB. Not quite. If you look at the code’s history, you’ll find that the 16MB limit is actually from 2014 [1]. There was no limitation on the size of user attribute packets before that. It is wise to be careful when you abruptly introduce a limitation that did not exist before; 16MB was chosen because it is big enough to avoid breaking any existing key with a legitimate user attribute packet, while still preventing DoS attempts with deliberately oversized packets. Of note, the OpenPGP RFC does allow arbitrary large attribute packets, which means that strictly speaking, GnuPG is already "wrong" to reject a packet larger than 16MB. - Damien [1] https://dev.gnupg.org/rGbab9cdd971f35ff47e153c00034c95e7ffeaa09a signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg > addphoto
Stefan Claas wrote: > I only wanted to know why such a large image size in the first > place was chosen, when GnuPG suggest a much much smaller > size. :-) I'd guess that it's not about image size. It's a maximum packet size. Things other than images have to go in there as well (although an image would no doubt usually take up most of the space). It's part of GNU philosophy to not implement unnecessary hard limits in software but one good reason to impose limits is to prevent denial of service conditions. Perhaps a 16MB packet size limit was chosen because it would be more than enough to support keys with a huge number of signatures, and an image, without causing problems for users, and without permitting a denial of service condition. 16MB isn't that much RAM these days. But I am just guessing. I hope it's not to support hi-res iris scans, voice prints and compressed DNA. :-) cheers, raf ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg > addphoto
Hello Stefan. Am Mittwoch, den 09.01.2019, 22:50 +0100 schrieb Stefan Claas: > On Wed, 09 Jan 2019 22:25:21 +0100, > dirk.gottschalk1...@googlemail.com wrote: > > Hi Dirk, > > > But, this is more a Problem of SKS. When SKS accepts such keys, > > it's > > not GPG's fault. > Forget SKS for a moment, i send you, or distribute, such a key via > other mediums and your GnuPG will accept it. :-D As long, as the size of the picture doesn't exceed 16M, it surely will be accepted. But this should not take a long time, 16M is nothing, so there is no Problem with this. Nobody says it has to be prevented. Sure, GPG can be "abused" in many ways. I also do this by using it for a purpose it was not invented for. This is not an evil functionality. If dome people like to put HiRes photos or other pictures in their UID, for whatever purpose, so it is not an evil thing. Distributing a key via email is no problem in this case and SKS, WKS and others should oinly prevent storing those key for storage and sanity reasons. > I only wanted to know why such a large image size in the first > place was chosen, when GnuPG suggest a much much smaller > size. :-) I think the 16M are from times, where RAM was nbot measured in GB. In this case it was to avoid long package computation times because the RAM was smaller than 1GB. They had to choose a limit to avoid DDoS attacks to GPG on a users computer. There was no intention to limit the size of the photo because nobody thought about this at the moment of decision. Regards, Dirk -- Dirk Gottschalk Paulusstrasse 6-8 52064 Aachen, Germany GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838 Keybase.io: https://keybase.io/dgottschalk GitHub: https://github.com/Dirk1980ac signature.asc Description: This is a digitally signed message part ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg > addphoto
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, 09 Jan 2019 22:25:21 +0100, dirk.gottschalk1...@googlemail.com wrote: Hi Dirk, > But, this is more a Problem of SKS. When SKS accepts such keys, it's > not GPG's fault. Forget SKS for a moment, i send you, or distribute, such a key via other mediums and your GnuPG will accept it. :-D I am also not complaining or suggesting here something. I only wanted to know why such a large image size in the first place was chosen, when GnuPG suggest a much much smaller size. :-) Regards Stefan -BEGIN PGP SIGNATURE- iHUEARYIAB0WIQTsFcZEw1lI/LR+FYmaI04LDh8f6AUCXDZsmQAKCRCaI04LDh8f 6A9AAQCxUMdjYFbVYfEXyVkpCbT/UDeUDO7ZSD7I0lNBihVvFQD+Kj6T55Du6YAj /rFZ1awzTJSuIER1M8XC1peazzBLbgk= =TzJh -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg > addphoto
Hi Stefan. Am Mittwoch, den 09.01.2019, 18:06 +0100 schrieb Stefan Claas: > On Tue, 8 Jan 2019 20:16:59 +0100, Stefan Claas wrote: [...] > The provided Chief Wiggum image contains a 2 seconds .mp4 movie > clip. Pretty awesome imho! So this means that one can hide in a PGP > key movies and other files too, hidden in jpeg images and distribute > it securely via SKS... But, this is more a Problem of SKS. When SKS accepts such keys, it's not GPG's fault. Anyways, anybody can generate anything he wants witrh GPG. Such restriction would NOT have any effects, because the key generation is done by the users GPG. Anybody can change the source code of GPG in any way and generate everything. Restictions at the end is senseless in open source world. Thje Servers are controlled by their owners so it is in their hands, what can be distributed. Regards, Dirk -- Dirk Gottschalk Paulusstrasse 6-8 52064 Aachen, Germany GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838 Keybase.io: https://keybase.io/dgottschalk GitHub: https://github.com/Dirk1980ac signature.asc Description: This is a digitally signed message part smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg > addphoto
On Tue, 8 Jan 2019 20:16:59 +0100, Stefan Claas wrote: > Since this is an interesting subject, i believe, i may check out how much > payload can be put in such large jpeg images, just out of of interest > and i may, if time allows, try to get hold of a complete key server dump > to try to see if i can find something interesting. O.k. i did a quick check on github for proper tools and found this very interesting tool, written in Golang. https://github.com/umahmood/steg The provided Chief Wiggum image contains a 2 seconds .mp4 movie clip. Pretty awesome imho! So this means that one can hide in a PGP key movies and other files too, hidden in jpeg images and distribute it securely via SKS... Regards Stefan ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
