[Owasp-leaders] OWASP vs. Convergence.io

dinis cruz dinis.cruz at owasp.org
Wed Oct 12 10:06:02 EDT 2011


Chris, I agree that we should be trying to push Convergence at OWASP (I also
spoke with Moxie at the AppSec conference and he was quite supportive of
working with the OWASP community around Convergence). I really like his
solution and I think we should try to make it work.

One of the areas we (OWASP) could help a LOT is in promoting
his Convergence presentation to a much wider audience. *What about if OWASP
chapters around the world redo his presentation* (i.e. grab his slides and
get a local OWASP leader/participant to deliver it locally). We should do
the same for the forthcoming OWASP conferences, since I don't think Moxie
is going to go to all of them :)

This should help to raise awareness, reach a number of key players (from
devs, to business,  to government) and if we have an OWASP project on this
topic, then that will also be a great way to recruit contributors.

On the topic of the Notaries, two things:

   a) shouldn't we be moving away from CAs? Since we adopt Convergence we
are not dependent on the browsers to make it work (we just need to manually
add the OWASP Notary Cert to the browser Convergence extension, right?).
   b) let's be realistic on how much 'secure' we could make such an
OWASP Notary (or even CA). We are not set up at all to provide
high-security services SLAs, and in fact I would be much more interested in
figuring out a model where we can achieve high-security in a low-security
environment (i.e. one where some of the parties used to validate the certs
is/could-be compromised), which coincidentally is what Convergence is also
proposing :)

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2


On 12 October 2011 05:15, Chris Schmidt <chris.schmidt at owasp.org> wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Good Evening All -
>
> I would like to propose that OWASP consider bringing up a Notary server
> to help support Convergence.io by Moxie. While I unfortunately missed
> *both* of his talks (Defcon and AppSecUSA) I had the chance to talk with
> him about it at AppSecUSA and I think that it is a potential game
> changer as far as trust relationships between end-users and
> organizations go.
>
> I would be more than happy to volunteer as the SA for this Notary and
> recommend that we bring it up on one of our Rackspace instances.
>
> The code for the server, and instructions can be found on Moxie's Github
> site: https://github.com/moxie0/Convergence/wiki/Running-a-Notary
>
> Additionally, I would like to propose that we assemble a team to
> investigate what resources we would need (if any) to become a CA and
> leverage the notary platform of convergence - we could also lobby to
> Oracle, Microsoft, Mozilla, Google and Apple to add OWASP as a trusted
> CA to their root CA cache. I think the primary task of the team of
> volunteers charged with this research should be to design a system that
> we can run in our current infrastructure that is secure against attacks
> like the ones suffered by recent CA breaches and that we use our voting
> system to elect 3 representatives to be responsible for generating
> certificates and maintaining the system. This CA service could be
> leveraged by OWASP Projects as a CA for project binaries (signed code),
> providing digital signatures for OWASP members, and certificates for
> project websites (www.esapi.org)
>
> I *do not* recommend that the OWASP CA be used for anything outside the
> scope of OWASP itself.
>
> I believe (as I stated at AppSecUSA several times - including at the
> board meeting) that the OWASP brand is a powerful thing - especially in
> the security community. I think that it is time to start leveraging the
> power of the brand to reach out further into the development and
> end-user communities by providing services like this.
>
> We currently have a code-signing certificate issued by GoDaddy (which is
> a problem for a lot of reasons, notably because they are an intermediate
> CA that no one intrinsically trusts). I would like to see us ready to
> move forward with the plan above before that certificate expires.
>
> I would like to open the topics above for debate for a short period of
> time, but would like to move on both of these items before the start of
> the new year. As I said, I would be more than happy to completely drive
> the Notary server - I am 100% bought in to the approach that Moxie has
> designed and think we as an organization can help ourselves and Moxie by
> embracing it. The CA itself, I have a limited amount of knowledge about
> the inner workings of a CA (I have self-signed certificates and brought
> up an *internal* CA before) so I really think that we need more than
> just myself driving that initiative - and in fact, I would even like to
> consider reaching out to Moxie for ideas and support on that one as I
> think he probably knows more about SSL/TLS and CAs than most of us put
> together.
>
> So, thoughts?
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJOlRRWAAoJEEOkVJOBy86BxfcH/jVoVbk857Owsp8IBhzM556c
> 5Yu7P11dymedmKP4YzTYkjQ7icp2fR+Xf/cv1x9pEczW31rRF9wQLBZzLSBLPuJF
> iV1HVUCDUgBqAgAvfSdrZIGIjg85EmfDvJ7o2Uje9o3J8KSHFY6qR/FrWjMl4BJL
> X/sYw1U2VBSagXhiTc9Qy5SeATiIb9EqhqGofpwXlVI1BEMLwzkgvlIY4h6bL+G8
> zunJPl89X3W7iPhsZbPSEYKCCFBbMtLtX6oLD/pquRW0YawZmeEwFKhTOsDIO9pc
> NjA3ZMqsrpEfD2kMK1D7rLIU6jFQjLXhAGVbZVTLFE60YeMJ+7LHtrS42YpTPE8=
> =M38Y
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
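As an added illustration of the trust model both messages refer to (Chris's proposal to run an OWASP Notary, and Dinis's point (b) about staying secure when one of the validating parties is compromised), the following is a simplified, self-contained model of a Convergence-style notary check. It is example code written for this thread, not Moxie's Convergence code or OWASP's: the certificates, the notary names, the notary "vantage points", the `notary_verify`/`decide` functions and the `min_responses` threshold are all constructed assumptions. Real Convergence notaries compare the fingerprint the browser sends against the certificate the notary itself fetches from the site over the network; this model replaces that fetch with a table of what each notary is assumed to see.

```python
"""Simplified model of Convergence-style notary consensus (added example,
not code from the original thread or from the Convergence project)."""
import hashlib
from typing import Dict, Iterable, Optional, Tuple


def fingerprint(cert_der: bytes) -> str:
    """Fingerprint of the certificate bytes. Convergence used SHA-1 for its
    fingerprints; SHA-256 is used here purely for the illustration."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed sample certificates (placeholder bytes, not real DER).
GENUINE_CERT = b"constructed: genuine leaf cert for www.example.org"
ROGUE_CERT = b"constructed: rogue leaf cert presented by an interceptor"

# Constructed notary vantage points for the single host in this model:
# what each notary observes when it connects to the site itself.
# "notary-c" is assumed compromised and vouches for the rogue cert instead;
# "notary-d" is assumed to be unreachable.
NOTARY_VIEW: Dict[str, Optional[bytes]] = {
    "notary-a": GENUINE_CERT,
    "notary-b": GENUINE_CERT,
    "notary-c": ROGUE_CERT,
    "notary-d": None,
}


def notary_verify(notary: str, client_fp: str) -> Optional[bool]:
    """Model of a notary's verify endpoint. Returns True when the fingerprint
    the client saw matches what this notary observes from its own network
    perspective, False on a conflict, and None when the notary is unreachable."""
    observed = NOTARY_VIEW.get(notary)
    if observed is None:
        return None
    return fingerprint(observed) == client_fp


def decide(
    client_fp: str,
    notaries: Iterable[str],
    policy: str = "majority",
    min_responses: int = 2,
) -> Tuple[bool, Dict[str, Optional[bool]]]:
    """Client-side decision over the notary answers.

    policy="consensus": every notary that answered must agree (a single
        compromised or wrong notary can block the connection).
    policy="majority": more than half of the notaries that answered must
        agree (a single compromised notary can neither block nor approve).
    min_responses is an assumed floor so that a lone reachable notary cannot
        decide on its own when the others are unavailable.
    """
    votes = {n: notary_verify(n, client_fp) for n in notaries}
    answered = [v for v in votes.values() if v is not None]
    if len(answered) < min_responses:
        return False, votes
    agree = sum(1 for v in answered if v)
    if policy == "consensus":
        accepted = agree == len(answered)
    elif policy == "majority":
        accepted = agree * 2 > len(answered)
    else:
        raise ValueError(f"unknown policy: {policy}")
    return accepted, votes


if __name__ == "__main__":
    all_notaries = list(NOTARY_VIEW)
    # Case 1: the client really received the genuine certificate.
    ok, votes = decide(fingerprint(GENUINE_CERT), all_notaries, "majority")
    print("genuine cert, majority policy:", ok, votes)
    ok, votes = decide(fingerprint(GENUINE_CERT), all_notaries, "consensus")
    print("genuine cert, consensus policy:", ok, votes)
    # Case 2: an interceptor presented the rogue certificate to the client.
    ok, votes = decide(fingerprint(ROGUE_CERT), all_notaries, "majority")
    print("rogue cert, majority policy:", ok, votes)
```

Running it shows the trade-off Dinis is pointing at: with the genuine certificate, the majority policy accepts (two honest notaries outvote the compromised one) while the consensus policy refuses because the compromised notary dissents; with the rogue certificate, the majority policy rejects because only the compromised notary vouches for it. The security of the check therefore comes from spreading trust across several independently operated notaries rather than from any single notary being highly secure.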