Can you clarify when data compression is used?

David Shaw dshaw at jabberwocky.com
Mon Feb 4 21:24:21 CET 2008


On Mon, Feb 04, 2008 at 12:57:34PM -0600, Robert J. Hansen wrote:
> Kevin Hilton wrote:
> > The problem I have, is that no where in the documentation are the
> > defaults specified.
> 
> >From the first full paragraph of the manpage:  "[GnuPG] is a tool to
> provide digital encryption and signing services using the OpenPGP
> standard.  [GnuPG] features complete key management and all bells and
> whistles you can expect from a decent OpenPGP implementation."
> 
> To me, that language is pretty clear about where you should look--the
> OpenPGP standard, aka RFC4880, or its immediate predecessor RFC2440.
> 
> That said, just because I think it's clear doesn't necessarily means it
> /is/ clear.  If it turns out that language is confusing or unclear, it
> should definitely be changed to point people in the right direction.

The RFC doesn't specify default algorithms, aside from requiring 3DES
as the algorithm of last resort.  All decisions about algorithm
ranking are made by the implementations and indirectly, the user.

It's hard to list default algorithms in the man page mainly because
there isn't a single answer.  Different people will get a different
default algorithm depending on who they are sending a message to, and
possibly even by the order in which they specify the recipients on the
command line (see below).  All of this would need many paragraphs of
explanation, and that's not really appropriate for a man page.  I do
agree it would be good for it to be documented somewhere, though.

> > I'm still confused what default cipher is chosen automatically (for
> > me its AES).
> 
> http://en.wikipedia.org/wiki/Stable_marriage_problem

GPG doesn't use the Stable Marriage Problem when picking algorithms,
as this gives too much "power" to the recipients in choosing which
algorithm is used.  Rather, the intersection of preferences for all
recipients is generated, leaving an unordered list of algorithms that
are possible contenders for use.  At this point, note that it would be
possible to pick an algorithm from the list randomly, as there is no
algorithm on the list that isn't usable for all recipients.

GPG uses the personal-(whatever)-preferences as the final decider.  It
works its way down the personal preferences list in ranked order,
consulting the personal preferences against the generated intersection
list of recipient algorithms.  This gives the user the power to decide
what algorithms he or she generates, which is putting the power in the
right place.  If there are no personal-foo-preferences in use, then
GPG uses the first key specified as the decider.  This key is
frequently the user's key, so is a reasonable choice to pick the
favored algorithm.

David



More information about the Gnupg-users mailing list