Matt Tesauro mtesauro at gmail.com
Sat Mar 7 23:07:27 EST 2009

Arturo 'Buanzo' Busleiman wrote:
> Hash: SHA512
> Hello team!
> I'm one of the people that raised concerns about reviewing, categorization, etc, during EU Summit
> 08's Tools working session.
> Others know me because of my projects, Enigform and mod_openpgp, the OpenPGP 'enhancements' to HTTP,
> which provides HTTP Request identity and integrity verification, and a secure Session Management
> (user/passworld-less login system, based on a challenge-response mechanism using OpenPGP features).
> As you can see from my projects' description, it is of a very experimental nature. The real value
> behind the tools is the specification of a protocol to allow Sign/Verify, Encrypt/Decrypt operations
> for HTTP, plus the bonus Secure Session Management mechanism.
> That provided, I (and others) find it difficult to properly follow the Assessment Criteria. For
> instance, the first item (one-click installer) is basicly a whole project by itself (for client it's
> quite simple, but needs basic knowledge of GnuPG). But the server-side component is an Apache
> module. Today, only MandrivaLinux packages the module. But a webmaster willing to use it also needs
> GnuPG *AND* Apache *AND* Linux/BSD knowledge.
Buanzo, my friend, this is exactly why we've posted this to the list.

To make sure your concerns live beyond this post, please mark them down 

And even though I'm familiar with your project (and think its very 
cool), I'd not considered the misfit between your project and the 
criteria.  This is exactly the type of feedback needed.  Perhaps your 
project is better assessed under the documentation criteria.  Perhaps 
another category is required beyond tool and documentation.

> My Season of Quality would be geared towards creating a full manual for both client and server
> components, including basic GnuPG tutorials, almost-ready-to-go VMware images for the server
> implementation, etc.
> With all this, I basicly want to say that mine (and other projects, too) are not necessarily 'tools'
> per se, and maybe there is need to assess this situation more throughly. I call for help in this
> matter, or for someone to hit me in the face with a 'hey, you got it wrong, Buanzo! this is the
> deal' explanation :P
This time no smacking is needed.  I would agree that your project isn't 
really a tool nor is it a document.  Its a specification with a 
reference implementation.  How that fits the assessment criteria, I 
honestly don't know but it is something we will have to account for 
going forward.

-- Matt Tesauro
OWASP Live CD Project Lead
http://mtesauro.com/livecd/ - Documentation Wiki

> Sorry for not being clear :)
> - --
> Arturo "Buanzo" Busleiman / Arturo Busleiman @ 4:900/107
> Independent Linux and Security Consultant - SANS - OISSG - OWASP
> http://www.buanzo.com.ar/pro/eng.html
> Mailing List Archives at http://archiver.mailfighter.net
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> X/IAniq7zxoG5I87BMzIdDTw06ysUSdu
> =qsM0
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

More information about the OWASP-Leaders mailing list