[Owasp-leaders] OWASP vs. Convergence.io

Konstantinos Papapanagiotou Konstantinos at owasp.org
Wed Oct 12 03:13:18 EDT 2011


I still have my doubts regarding the theory behind Convergence, but
this may be because I still haven't seen the entire video of Moxie's
presentation. Its concept reminds me a lot of PGP's circle of trust
and in general I don't really think that reputation-based systems are
inherently safer than PKI, mainly due to the possibility of Byzantine
attacks (http://en.wikipedia.org/wiki/Byzantine_fault_tolerance).
Regardless of my opinion on Convergence, I don't see why we shouldn't
set up a notary; it actually sounds like a very good idea :)

On the other hand, setting up and maintaining a CA requires a LOT of
effort. Having a CA just for signing our own projects is a good idea,
but as you say it should NOT be used for any other purposes.


On Wed, Oct 12, 2011 at 7:15 AM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Good Evening All -
>
> I would like to propose that OWASP consider bringing up a Notary server
> to help support Convergence.io by Moxie. While I unfortunately missed
> *both* of his talks (Defcon and AppSecUSA) I had the chance to talk with
> him about it at AppSecUSA and I think that it is a potential game
> changer as far as trust relationships between end-users and
> organizations go.
>
> I would be more than happy to volunteer as the SA for this Notary and
> recommend that we bring it up on one of our Rackspace instances.
>
> The code for the server, and instructions can be found on Moxie's Github
> site: https://github.com/moxie0/Convergence/wiki/Running-a-Notary
>
> Additionally, I would like to propose that we assemble a team to
> investigate what resources we would need (if any) to become a CA and
> leverage the notary platform of convergence - we could also lobby to
> Oracle, Microsoft, Mozilla, Google and Apple to add OWASP as a trusted
> CA to their root CA cache. I think the primary task of the team of
> volunteers charged with this research should be to design a system that
> we can run in our current infrastructure that is secure against attacks
> like the ones suffered by recent CA breaches and that we use our voting
> system to elect 3 representatives to be responsible for generating
> certificates and maintaining the system. This CA service could be
> leveraged by OWASP Projects as a CA for project binaries (signed code),
> providing digital signatures for OWASP members, and certificates for
> project websites (www.esapi.org)
>
> I *do not* recommend that the OWASP CA be used for anything outside the
> scope of OWASP itself.
>
> I believe (as I stated at AppSecUSA several times - including at the
> board meeting) that the OWASP brand is a powerful thing - especially in
> the security community. I think that it is time to start leveraging the
> power of the brand to reach out further into the development and
> end-user communities by providing services like this.
>
> We currently have a code-signing certificate issued by GoDaddy (which is
> a problem for a lot of reasons, notably because they are an intermediate
> CA that no one intrinsically trusts). I would like to see us ready to
> move forward with the plan above before that certificate expires.
>
> I would like to open the topics above for debate for a short period of
> time, but would like to move on both of these items before the start of
> the new year. As I said, I would be more than happy to completely drive
> the Notary server - I am 100% bought into the approach that Moxie has
> designed and think we as an organization can help ourselves and Moxie by
> embracing it. As for the CA itself, I have a limited amount of knowledge about
> the inner workings of a CA (I have self-signed certificates and brought
> up an *internal* CA before) so I really think that we need more than
> just myself driving that initiative - and in fact, I would even like to
> consider reaching out to Moxie for ideas and support on that one as I
> think he probably knows more about SSL/TLS and CAs than most of us put
> together.
>
> So, thoughts?
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJOlRRWAAoJEEOkVJOBy86BxfcH/jVoVbk857Owsp8IBhzM556c
> 5Yu7P11dymedmKP4YzTYkjQ7icp2fR+Xf/cv1x9pEczW31rRF9wQLBZzLSBLPuJF
> iV1HVUCDUgBqAgAvfSdrZIGIjg85EmfDvJ7o2Uje9o3J8KSHFY6qR/FrWjMl4BJL
> X/sYw1U2VBSagXhiTc9Qy5SeATiIb9EqhqGofpwXlVI1BEMLwzkgvlIY4h6bL+G8
> zunJPl89X3W7iPhsZbPSEYKCCFBbMtLtX6oLD/pquRW0YawZmeEwFKhTOsDIO9pc
> NjA3ZMqsrpEfD2kMK1D7rLIU6jFQjLXhAGVbZVTLFE60YeMJ+7LHtrS42YpTPE8=
> =M38Y
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
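The disagreement in this thread is about what happens to a notary-based trust decision when some notaries lie. The following is an added example, not code from Convergence or from either poster: it simulates a client asking several notaries for a site's certificate fingerprint and applying a trust policy, then counts how many dishonest notaries it takes either to get a forged fingerprint accepted or to get a genuine one rejected. The notary names and fingerprint strings are constructed placeholders, and while the three policy names mirror the trust settings the Convergence client offered, the decision rules here are this example's own assumptions.

```python
"""Simulated Convergence-style notary check with dishonest notaries.

Constructed example: notary names and fingerprints are placeholders, and
the decision rules are this example's own (the policy names mirror the
Convergence client's settings, but this is not Convergence's code).
"""

GENUINE = "sha1:placeholder-genuine-fingerprint"   # constructed value
FORGED = "sha1:placeholder-forged-fingerprint"     # constructed value


def decide(observed, reports, policy="majority"):
    """Return True if the client should trust `observed`, given what the
    notaries reported. `reports` maps notary name -> fingerprint, or None
    when a notary was unreachable (unreachable notaries are ignored).

    minority  - any one responding notary agreeing is enough
    majority  - more than half of the responding notaries must agree
    consensus - every responding notary must agree
    """
    responses = [fp for fp in reports.values() if fp is not None]
    if not responses:
        return False            # no perspective at all: fail closed
    agree = sum(1 for fp in responses if fp == observed)
    if policy == "minority":
        return agree >= 1
    if policy == "majority":
        return 2 * agree > len(responses)
    if policy == "consensus":
        return agree == len(responses)
    raise ValueError(f"unknown policy: {policy}")


def _reports_with_liars(n, liars):
    """n responding notaries; the first `liars` of them back the forged
    fingerprint, the rest report the genuine one."""
    return {f"notary{i}": (FORGED if i < liars else GENUINE) for i in range(n)}


def min_liars_to_forge(n, policy):
    """Fewest colluding notaries (of n) that get the forged fingerprint
    accepted, i.e. a successful Byzantine attack on the trust decision."""
    for liars in range(n + 1):
        if decide(FORGED, _reports_with_liars(n, liars), policy):
            return liars
    return None


def min_liars_to_block(n, policy):
    """Fewest dishonest notaries (of n) that get the genuine fingerprint
    rejected: not a forgery, but a denial of service against the site."""
    for liars in range(n + 1):
        if not decide(GENUINE, _reports_with_liars(n, liars), policy):
            return liars
    return None


if __name__ == "__main__":
    n = 5
    for policy in ("minority", "majority", "consensus"):
        print(f"{policy:9s} n={n}: forging needs {min_liars_to_forge(n, policy)} "
              f"liars, blocking needs {min_liars_to_block(n, policy)}")
```

With five notaries the simulation gives forge/block thresholds of 1/5 for minority, 3/3 for majority and 5/1 for consensus: the two thresholds always sum to n+1, so a policy that is harder to fool into accepting a forged certificate is exactly as much easier to fool into rejecting a genuine one. That trade-off between forgery resistance and availability is the Byzantine concern raised above, and it is why the number and independence of the notaries matters as much as the policy.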

