ietf-openpgp

Re: DRAFT status and Compatibility testing

2000-03-28 17:25:53
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Some of the discussion I've seen thus far has gone a bit too far, it
seems.

Proposals such as using pre-determined session keys or other
low-level crypto items may require ripping apart the software
packages being subjected to the testing and writing new code in order
to perform the test.  This is not going to prove anything other than
the fact that the new code (which isn't necessarily part of the
product) enabled a piece of software to complete an obscure low-level
test, and will lengthen the testing cycle from something that could
be done in a couple of weeks to something that will likely take many
months to agree upon, design, write, perform testing, repeat.

Any test designed to prove interoperability should adhere strictly to
the principle that interoperability between OpenPGP products is a
high-level operation basically limited to the following:

* Public/Private Key import/export
* Encrypted and/or signed message interop in its various forms

Things like PGP/MIME, and low-level testing of crypto algorithms are
irrelevant to this task except insofar as they have an effect on the
above two items (which for instance PGP/MIME does not -- that
document will require its own separate interop testing).  We're not
doing a FIPS crypto test on every product here, we're just testing
interop of the items generated by our common products which apply
directly to RFC 2440.

Making a test suite of messages and keys which use an array of
algorithms and variations should be a simple task any user can
perform sitting at any of our products without rewriting code,
turning on debug features, recompiling, etc...

This set of data would be termed the OpenPGP Compatibility Suite, and
each vendor could perform the testing on their own product, submit
that to the list, and any other vendor could use that same data to
verify the results.

- -- Will

Will Price, Director of Engineering
PGP Security, Inc.
a division of Network Associates, Inc.



-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0 (Build 144 Alpha)

iQA/AwUBOOFNMKy7FkvPc+xMEQJtdQCfTzZrTm9faAlZRfrgpSGfQjEbrqcAniGR
9NHfkzlUee6nCdrK+Nr/DrIO
=5URX
-----END PGP SIGNATURE-----