[Owasp-leaders] OWASP vs. Convergence.io

Chris Schmidt chris.schmidt at owasp.org
Wed Oct 12 16:16:54 EDT 2011

Dinis -

I absolutely agree that yes we *should* be moving away from CAs - but
the reality is that at least for the time being, they are not going
anywhere. Convergence is a beta project, which currently AFAIK only
supports Firefox through inclusion of a Firefox Extension. The point of
the plugin was to provide a proof-of-concept of the system itself in a
usable fashion, but the reality is that until browser vendors and
language shops (Oracle, Microsoft, PHP, etc.) start utilizing the
system, CAs are still needed. I would love to see everyone drop the
CAs like a bad habit and implement Moxie's Convergence system, or even
something else entirely - however, that hasn't happened and likely won't
happen in the very near future.

There is a need *right now* for OWASP as an organization as well as the
projects under the OWASP umbrella to leverage certificates both for
https and code signing. Provided OWASP does not provide this as a
*public* service, I see absolutely no reason that the people in this
organization cannot come up with a "High Security Solution in a Low
Security Environment" to address this need. Some of the best security
minds in the world are gathered under the OWASP Banner, so I know we can
accomplish this task.

The concerns of most CAs are due to the public nature of those CAs and
I don't think we will have to address a lot of those problems. For
example, we don't need to provide a public interface to request
certificates; we can build a VM that has our tool set on it, distribute
that to the people managing certs for OWASP and ensure that the keys are
provided outside of the VM in a secure manner. This is just one idea,
and I am sure there are even better ways to do it - but I also think it
is doable.

On 10/12/2011 8:06 AM, dinis cruz wrote:
> Chris, I agree that we should be trying to push Convergence at OWASP (I
> also spoke with Moxie at the AppSec conference and he was quite
> supportive to work with the OWASP's community around Convergence). I
> really like his solution and I think we should try to make it work.
>
> One of the areas we (OWASP) could help a LOT is in promoting his
> Convergence presentation to a much wider audience. What about if OWASP
> chapters around the world redo his presentation (i.e. grab his slides
> and get a local OWASP leader/participant to deliver it locally). We
> should do the same for the forthcoming OWASP conferences, since I don't
> think Moxie is going to go to all of them :)
>
> This should help to raise awareness, reach a number of key players
> (from devs, to business, to government) and if we have an OWASP project
> on this topic, then that will also be a great way to recruit contributors.
>
> On the topic of the Notaries, two things:
>
> a) shouldn't we be moving away from CAs? Since we adopt Convergence we
> are not dependent on the browsers to make it work (we just need to
> manually add the OWASP Notary Cert to the browser Convergence extension)
>
> b) let's be realistic on how much 'secure' we could make such OWASP
> Notary (or even CA). We are not set up at all to provide high-security
> services SLAs, and in fact I would be much more interested in figuring
> out a model where we can achieve high-security in a low-security
> environment (i.e. one where some of the parties used to validate the
> certs are/could be compromised), which coincidentally is what Convergence
> is also proposing :)
>
> Dinis Cruz
> Blog: http://diniscruz.blogspot.com
> Twitter: http://twitter.com/DinisCruz
> Web: http://www.owasp.org/index.php/O2
>
> On 12 October 2011 05:15, Chris Schmidt <chris.schmidt at owasp.org> wrote:
>
> > Good Evening All -
> >
> > I would like to propose that OWASP consider bringing up a Notary server
> > to help support Convergence.io by Moxie. While I unfortunately missed
> > *both* of his talks (Defcon and AppSecUSA) I had the chance to talk with
> > him about it at AppSecUSA and I think that it is a potential game
> > changer as far as trust relationships between end-users and
> > organizations go.
> >
> > I would be more than happy to volunteer as the SA for this Notary and
> > recommend that we bring it up on one of our Rackspace instances.
> >
> > The code for the server, and instructions can be found on Moxie's Github
> > site: https://github.com/moxie0/Convergence/wiki/Running-a-Notary
> >
> > Additionally, I would like to propose that we assemble a team to
> > investigate what resources we would need (if any) to become a CA and
> > leverage the notary platform of convergence - we could also lobby to
> > Oracle, Microsoft, Mozilla, Google and Apple to add OWASP as a trusted
> > CA to their root CA cache. I think the primary task of the team of
> > volunteers charged with this research should be to design a system that
> > we can run in our current infrastructure that is secure against attacks
> > like the ones suffered by recent CA breaches and that we use our voting
> > system to elect 3 representatives to be responsible for generating
> > certificates and maintaining the system. This CA service could be
> > leveraged by OWASP Projects as a CA for project binaries (signed code),
> > providing digital signatures for OWASP members, and certificates for
> > project websites (www.esapi.org)
> >
> > I *do not* recommend that the OWASP CA be used for anything outside the
> > scope of OWASP itself.
> >
> > I believe (as I stated at AppSecUSA several times - including at the
> > board meeting) that the OWASP brand is a powerful thing - especially in
> > the security community. I think that it is time to start leveraging the
> > power of the brand to reach out further into the development and
> > end-user communities by providing services like this.
> >
> > We currently have a code-signing certificate issued by GoDaddy (which is
> > a problem for a lot of reasons, notably because they are an intermediate
> > CA that no one intrinsically trusts). I would like to see us ready to
> > move forward with the plan above before that certificate expires.
> >
> > I would like to open the topics above for debate for a short period of
> > time, but would like to move on both of these items before the start of
> > the new year. As I said, I would be more than happy to completely drive
> > the Notary server - I am 100% bought into the approach that Moxie has
> > designed and think we as an organization can help ourselves and Moxie by
> > embracing it. The CA itself, I have a limited amount of knowledge about
> > the inner workings of a CA (I have self-signed certificates and brought
> > up an *internal* CA before) so I really think that we need more than
> > just myself driving that initiative - and in fact, I would even like to
> > consider reaching out to Moxie for ideas and support on that one as I
> > think he probably knows more about SSL/TLS and CAs than most of us put
> > together.
> >
> > So, thoughts?
> >
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders