[Owasp-leaders] FW: REQUEST FOR DECISION/CALL FOR CONTRIBUTIONS TO UPDATE THE ASSESSMENT CRITERIA

Arturo 'Buanzo' Busleiman buanzo at buanzo.com.ar
Sat Mar 7 14:54:41 EST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello team!

I'm one of the people who raised concerns about reviewing, categorization, etc., during EU Summit
08's Tools working session.

Others know me because of my projects, Enigform and mod_openpgp, the OpenPGP 'enhancements' to HTTP,
which provide HTTP Request identity and integrity verification, and a secure Session Management
(user/password-less login system, based on a challenge-response mechanism using OpenPGP features).

As you can see from my projects' description, they are of a very experimental nature. The real value
behind the tools is the specification of a protocol to allow Sign/Verify and Encrypt/Decrypt operations
for HTTP, plus the bonus Secure Session Management mechanism.

That provided, I (and others) find it difficult to properly follow the Assessment Criteria. For
instance, the first item (one-click installer) is basically a whole project by itself (for the client it's
quite simple, but needs basic knowledge of GnuPG). But the server-side component is an Apache
module. Today, only MandrivaLinux packages the module. But a webmaster willing to use it also needs
GnuPG *AND* Apache *AND* Linux/BSD knowledge.

My Season of Quality would be geared towards creating a full manual for both client and server
components, including basic GnuPG tutorials, almost-ready-to-go VMware images for the server
implementation, etc.

With all this, I basically want to say that mine (and other projects, too) are not necessarily 'tools'
per se, and maybe there is a need to assess this situation more thoroughly. I call for help in this
matter, or for someone to hit me in the face with a 'hey, you got it wrong, Buanzo! this is the
deal' explanation :P

Sorry for not being clear :)

- --
Arturo "Buanzo" Busleiman / Arturo Busleiman @ 4:900/107
Independent Linux and Security Consultant - SANS - OISSG - OWASP
http://www.buanzo.com.ar/pro/eng.html
Mailing List Archives at http://archiver.mailfighter.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREKAAYFAkmy0QEACgkQAlpOsGhXcE2ipACdHVZP7WECcw64Ylz3dXS0zmmS
X/IAniq7zxoG5I87BMzIdDTw06ysUSdu
=qsM0
-----END PGP SIGNATURE-----