[Owasp-leaders] OWASP vs. Convergence.io

Chris Schmidt
Wed Oct 12 00:15:18 EDT 2011

Good Evening All -
I would like to propose that OWASP consider bringing up a Notary server
to help support Convergence.io by Moxie. While I unfortunately missed
*both* of his talks (Defcon and AppSecUSA) I had the chance to talk with
him about it at AppSecUSA and I think that it is a potential game
changer as far as trust relationships between end-users and
organizations go.

I would be more than happy to volunteer as the SA for this Notary and
recommend that we bring it up on one of our Rackspace instances.

The code for the server, and instructions can be found on Moxie's Github
site: https://github.com/moxie0/Convergence/wiki/Running-a-Notary

Additionally, I would like to propose that we assemble a team to
investigate what resources we would need (if any) to become a CA and
leverage the notary platform of convergence - we could also lobby to
Oracle, Microsoft, Mozilla, Google and Apple to add OWASP as a trusted
CA to their root CA cache. I think the primary task of the team of
volunteers charged with this research should be to design a system that
we can run in our current infrastructure that is secure against attacks
like the ones suffered by recent CA breaches and that we use our voting
system to elect 3 representatives to be responsible for generating
certificates and maintaining the system. This CA service could be
leveraged by OWASP Projects as a CA for project binaries (signed code),
providing digital signatures for OWASP members, and certificates for
project websites (www.esapi.org).

I *do not* recommend that the OWASP CA be used for anything outside the
scope of OWASP itself.

I believe (as I stated at AppSecUSA several times - including at the
board meeting) that the OWASP brand is a powerful thing - especially in
the security community. I think that it is time to start leveraging the
power of the brand to reach out further into the development and
end-user communities by providing services like this.

We currently have a code-signing certificate issued by GoDaddy (which is
a problem for a lot of reasons, notably because they are an intermediate
CA that no one intrinsically trusts). I would like to see us ready to
move forward with the plan above before that certificate expires.

I would like to open the topics above for debate for a short period of
time, but would like to move on both of these items before the start of
the new year. As I said, I would be more than happy to completely drive
the Notary server - I am 100% bought in to the approach that Moxie has
designed and think we as an organization can help ourselves and Moxie by
embracing it. As for the CA itself, I have a limited amount of knowledge about
the inner workings of a CA (I have self-signed certificates and brought
up an *internal* CA before), so I really think that we need more than
just myself driving that initiative - and in fact, I would even like to
consider reaching out to Moxie for ideas and support on that one as I
think he probably knows more about SSL/TLS and CAs than most of us put
So, thoughts?
