[Owasp-cert] Version Control

J. Oquendo sil at infiltrated.net
Tue Jul 29 14:13:03 EDT 2008

On Tue, 29 Jul 2008, Matthew Chalmers wrote:

> I strongly suggest whatever technology may be used to store privileged exam
> content be hosted on OWASP's servers. Not by a third party, not by an
> individual, and not even by a generous and good-intentioned OWASP
> member/sponsor/volunteer's company. OWASP should be 100% in control of and
> responsible for control of this content, since it's likely not going to be
> public like most everything else. This is something that needs to be done
> right from the start. Not necessarily perfect, but as 'right' as
> possible--which may not be the most convenient or expedient way.
> Also, I believe we need to start keeping track of project 'Decisions,'
> separate from 'Suggestions' or any other documentation that can change at
> any time. This way we can keep it all on one wiki page and refer to it.
> Also, anyone interested in the project's status can go to one page and see
> all the Decisions--these should be things that don't change unless they're
> discussed by whoever's determined to be an active project member, in the
> spirt of OWASP's consensus process (see
> http://www.owasp.org/index.php/How_OWASP_Works#Management).
> One such Decision I think we need to make is whether any one person will
> have access to any and all exam content. There are pros and cons to doing it
> this way and not doing it this way. One of the things I see in favor of one
> or more people having access to all exam content is that it might make the
> exam more consistent overall. One of the things I see in favor of limiting
> everyone to having access only to one or a few content areas is that it may
> still be possible for these people to obtain the cert themselves. As an
> example, say we have 14 subject areas for the basic exam (as it currently
> stands according to
> https://www.owasp.org/index.php/Category:OWASP_Certification_Requirements#Content_Area_.28Developer.29).

I concur with the notion of someone being able to "cert themselves" and
a mechanism around this odd Temporal Paradoxlike situation would be
(*drum roll*) "securify" the cert Q and A's ;) There should be controls in
place to track and monitor who accesses what, why and when

For example, say I reviewed I don't know... 80 questions and help
formulate exam questions, 1) I should not have nor should any one
person been the one to review/create them. There should be at

There should be no reason for me to access any of the material from
there on out. If I did need to for some strange reason, I could ask via
the mailing list where it would need say dual approvals from two different
individuals. This minimizes a collusion of friendly "wink of the eye, hey
good old buddy of mine".

So my take on the Q&A storage, PGP trusted and signed key
storage with a rotation of who has access to what and at no point in
time should there be the entire exam placed in one individual's hands.

We start by splitting the exam in say three portions, PGP encrypt
one portion, have that signed by another individual, then given to
another individual. Might make things a little difficult at first, but
will guarantee that no one individual can "re-compile" the entire


James McGovern, Christian Wenz and Matthew Chalmers are the
elected chairs to oversee the protection of Q&A's.

Exam is split in three and given to each (portion 1, portion 2, portion 3)
James encrypts portion 1 and gives it to Christian for signing
when done, he delivers to Matthew

Christian encrypts portion 2 and gives it to Matthew for signing, when
done, he delivers it to James

And so on. Given a decent rotation time, if done correctly, neither
James, Christian or Matthew would be able to recompile the complete
exam. The duration could be set to make it obsolete if done correctly.
If the exam's content is to be reviewed and remodified to keep in
tune with the changing state of technology - 2 to 4 years I say max,
there can never be an issue of "James cheated... or Christian cheated"

Those in possession would have to be either elected, chosen, etc.,
and even still with the data, it would take all three parties agreeing
on what do decrypt for whatever reason. Heck that could be done
by yet a fourth party. Its the "ssh key in the safe" theory where no
one person can ever have the keys to the kingdom without oversight
and or a huge pain in the rear in trying to get the keys.

J. Oquendo
SGFA #579 (FW+VPN v4.1) SGFE #574 (FW+VPN v4.1)

"Experience hath shewn, that even under the best
forms (of government) those entrusted with power
have, in time, and by slow operations, perverted
it into tyranny." Thomas Jefferson

wget -qO - www.infiltrated.net/sig|perl


More information about the Owasp-cert mailing list