[Owasp-leaders] OWASP vs. Convergence.io

Thomas Brennan tomb at owasp.org
Wed Oct 12 08:08:34 EDT 2011


Spin it up, in scope for the owasp mission. Matt has the creds to get started.  Should we do a Tor exit node too? ;)

Attack shift is to the border routers for mitm attackers but that is a different discussion...

Call me (9732020122) with questions sent from a mobile device

On Oct 12, 2011, at 3:13 AM, Konstantinos Papapanagiotou <Konstantinos at owasp.org> wrote:

> I still have my doubts regarding the theory behind Convergence, but
> this may be because I still haven't seen the entire video of Moxie's
> presentation. Its concept reminds me a lot of PGP's circle of trust
> and in general I don't really think that reputation-based systems are
> inherently safer than PKI, mainly due to the possibility of Byzantine
> attacks (http://en.wikipedia.org/wiki/Byzantine_fault_tolerance).
> Regardless of my opinion on Convergence, I don't see why we shouldn't
> set up a notary, it actually sounds like a very good idea :)
> 
> On the other hand, setting up and maintaining a CA requires a LOT of
> effort. Having a CA just for signing our own projects is a good idea,
> but as you say it should NOT be used for any other purposes.
> 
> 
> On Wed, Oct 12, 2011 at 7:15 AM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
>> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> Good Evening All -
>> 
>> I would like to propose that OWASP consider bringing up a Notary server
>> to help support Convergence.io by Moxie. While I unfortunately missed
>> *both* of his talks (Defcon and AppSecUSA) I had the chance to talk with
>> him about it at AppSecUSA and I think that it is a potential game
>> changer as far as trust relationships between end-users and
>> organizations go.
>> 
>> I would be more than happy to volunteer as the SA for this Notary and
>> recommend that we bring it up on one of our Rackspace instances.
>> 
>> The code for the server, and instructions can be found on Moxie's Github
>> site: https://github.com/moxie0/Convergence/wiki/Running-a-Notary
>> 
>> Additionally, I would like to propose that we assemble a team to
>> investigate what resources we would need (if any) to become a CA and
>> leverage the notary platform of convergence - we could also lobby to
>> Oracle, Microsoft, Mozilla, Google and Apple to add OWASP as a trusted
>> CA to their root CA cache. I think the primary task of the team of
>> volunteers charged with this research should be to design a system that
>> we can run in our current infrastructure that is secure against attacks
>> like the ones suffered by recent CA breaches and that we use our voting
>> system to elect 3 representatives to be responsible for generating
>> certificates and maintaining the system. This CA service could be
>> leveraged by OWASP Projects as a CA for project binaries (signed code),
>> providing digital signatures for OWASP members, and certificates for
>> project websites (www.esapi.org)
>> 
>> I *do not* recommend that the OWASP CA be used for anything outside the
>> scope of OWASP itself.
>> 
>> I believe (as I stated at AppSecUSA several times - including at the
>> board meeting) that the OWASP brand is a powerful thing - especially in
>> the security community. I think that it is time to start leveraging the
>> power of the brand to reach out further into the development and
>> end-user communities by providing services like this.
>> 
>> We currently have a code-signing certificate issued by GoDaddy (which is
>> a problem for a lot of reasons, notably because they are an intermediate
>> CA that no one intrinsically trusts). I would like to see us ready to
>> move forward with the plan above before that certificate expires.
>> 
>> I would like to open the topics above for debate for a short period of
>> time, but would like to move on both of these items before the start of
>> the new year. As I said, I would be more than happy to completely drive
>> the Notary server - I am 100% bought in to the approach that Moxie has
>> designed and think we as an organization can help ourselves and Moxie by
>> embracing it. The CA itself, I have a limited amount of knowledge about
>> the inner workings of a CA (I have self-signed certificates and brought
>> up an *internal* CA before) so I really think that we need more than
>> just myself driving that initiative - and in fact, I would even like to
>> consider reaching out to Moxie for ideas and support on that one as I
>> think he probably knows more about SSL/TLS and CAs than most of us put
>> together.
>> 
>> So, thoughts?
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2.0.14 (MingW32)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>> 
>> iQEcBAEBAgAGBQJOlRRWAAoJEEOkVJOBy86BxfcH/jVoVbk857Owsp8IBhzM556c
>> 5Yu7P11dymedmKP4YzTYkjQ7icp2fR+Xf/cv1x9pEczW31rRF9wQLBZzLSBLPuJF
>> iV1HVUCDUgBqAgAvfSdrZIGIjg85EmfDvJ7o2Uje9o3J8KSHFY6qR/FrWjMl4BJL
>> X/sYw1U2VBSagXhiTc9Qy5SeATiIb9EqhqGofpwXlVI1BEMLwzkgvlIY4h6bL+G8
>> zunJPl89X3W7iPhsZbPSEYKCCFBbMtLtX6oLD/pquRW0YawZmeEwFKhTOsDIO9pc
>> NjA3ZMqsrpEfD2kMK1D7rLIU6jFQjLXhAGVbZVTLFE60YeMJ+7LHtrS42YpTPE8=
>> =M38Y
>> -----END PGP SIGNATURE-----
>> 
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders


More information about the OWASP-Leaders mailing list