[Owasp-leaders] OWASP vs. Convergence.io

Christian Heinrich christian.heinrich at owasp.org
Wed Oct 12 19:12:17 EDT 2011


On Wed, Oct 12, 2011 at 3:15 PM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
> I *do not* recommend that the OWASP CA be used for anything outside the
> scope of OWASP itself.

> We currently have a code-signing certificate issued by GoDaddy (which is
> a problem for a lot of reasons, notably because they are an intermediate
> CA that no one intrinsically trusts). I would like to see us ready to
> move forward with the plan above before that certificate expires.
> I would like to open the topics above for debate for a short period of
> time, but would like to move on both of these items before the start of
> the new year. As I said, I would be more than happy to completely drive
> the Notary server - I am 100% bought in to the approach that Moxie has
> designed and think we as an organization can help ourselves and Moxie by
> embracing it. The CA itself, I have a limited amount of knowledge about
> the inner workings of a CA (I have self-signed certificates and brought
> up an *internal* CA before) so I really think that we need more than
> just myself driving that initiative - and in fact, I would even like to
> consider reaching out to Moxie for ideas and support on that one as I
> think he probably knows more about SSL/TLS and CAs than most of us put
> together.

The economics behind why the PKI model fails is that X.509
certificates are a commodity and hence their marketplace is cut-throat.
Mozilla (and possibly other vendors) are attempting to raise the bar
i.e. http://www.mozilla.org/projects/security/certs/policy/

That stated, I believe OWASP should push for the ability for
developers to publish their own self-signed certificate signed by
their CA for code signing but I am not sure if this is possible today
as I have not attempted this?

Also, this can be achieved today using GPG/PGP and has been
implemented by a number of other Open Source Projects and Foundations.
Maybe we should push for this also?

OWASP as a brand would also be put at risk if you consider the
discussion related to the perceived lack of security related to the owasp.org
DNS records i.e.

Christian Heinrich
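The GPG/PGP release-signing approach mentioned in the post, as an added example that is not part of this thread or of any OWASP project: a signer keyring produces a detached signature and publishes only its public key (the KEYS file many projects ship), and a separate verifier keyring that has imported nothing but that file checks the artifact. The script assumes GnuPG 2.1 or later (for `--quick-gen-key`); the signer identity, the `example.invalid` address and the artifact contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: detached GPG release signing and
# verification with separate signer and verifier keyrings. Key name, e-mail
# address and artifact contents are constructed for the demo.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg is required for this demo" >&2; exit 1; }

# Signer side: scratch keyring holding an unprotected demo key (a real
# release key would be passphrase-protected and kept offline).
signer_setup() {
    SIGNER_HOME=$(mktemp -d)
    chmod 700 "$SIGNER_HOME"
    gpg --homedir "$SIGNER_HOME" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-gen-key \
        "Demo Release Signer <release-demo@example.invalid>" default default 1d
    # Export the public half: this is what a project publishes (often as a
    # KEYS file) so downloaders can verify without trusting any CA.
    gpg --homedir "$SIGNER_HOME" --batch --quiet --armor \
        --export release-demo@example.invalid > "$SIGNER_HOME/KEYS"
}

# Produce an ASCII-armoured detached signature next to the artifact ($1.asc).
sign_release() {
    gpg --homedir "$SIGNER_HOME" --batch --quiet --yes --armor \
        --detach-sign --output "$1.asc" "$1"
}

# Verifier side: a fresh keyring that knows only the published KEYS file.
# Exit status 0 means the signature over $1 is good and was made by a key in $2.
verify_release() {
    VERIFIER_HOME=$(mktemp -d)
    chmod 700 "$VERIFIER_HOME"
    gpg --homedir "$VERIFIER_HOME" --batch --quiet --import "$2" 2>/dev/null
    gpg --homedir "$VERIFIER_HOME" --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

# End-to-end check: a genuine artifact verifies, a tampered one is rejected.
demo() {
    WORK=$(mktemp -d)
    ARTIFACT="$WORK/demo-release-1.0.tar.gz"   # constructed stand-in for a release tarball
    printf 'constructed release contents\n' > "$ARTIFACT"
    signer_setup
    sign_release "$ARTIFACT"
    verify_release "$ARTIFACT" "$SIGNER_HOME/KEYS" \
        || { echo "genuine artifact failed to verify" >&2; return 1; }
    printf 'x' >> "$ARTIFACT"                  # alter the content after signing
    if verify_release "$ARTIFACT" "$SIGNER_HOME/KEYS"; then
        echo "tampered artifact wrongly verified" >&2; return 1
    fi
    echo "ok: genuine artifact verified, tampered artifact rejected"
}

demo
```

The verifier keyring never marks the imported key as trusted, so gpg will warn that the key is not certified; the exit status is still 0 for a good signature, which is the check that matters for a downloader. Trust in the signer comes from where the KEYS file was obtained, not from a CA, which is exactly the trade-off the post is weighing against the X.509 code-signing certificate.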
