[Top] [All Lists]

Re: [openpgp] The combinatorial complexity of OpenPGPv4

2015-03-13 22:57:49
On Friday, March 13, 2015 6:20 PM, Falcon Darkstar Momot 
<falcon(_at_)iridiumlinux(_dot_)org> wrote:

I feel like perhaps this type of exhaustive testing is neither necessary
nor expected, and that a few end-to-end tests designed to exercise edge
cases could be combined with more exhaustive unit tests to achieve
reasonable results. 

The difficulty, as always, is proving that an actual implementation is modular. 
In the case of OpenPGP, it really isn't: A lot of data has to get carried 
between each stage to ensure conformance with the high-level semantics.

In contrast, suppose that I wanted to exhaustively test the different ways of 
doing authenticated encryption with TweetNaCl. That's exactly 1 test, which I 
can then test for 2^32 different parameter values or so quite easily.

That type of exhaustive testing is routinely (though not routinely enough) 
done, and it is expected for critical software.

Protocol modularity is not evil.

Modularity is neutral. "Agility", as folks like to call it, is evil.

The name-sake article of Google and Yahoo's End-to-End project has some good 
arguments for avoiding redundancy in systems design:

(I'd note that I think the article argues for its position a bit too strongly. 
It's clear that transport-layer and message-level encryption are both 
necessary, for example, because they have fundamentally different semantics.)

openpgp mailing list