GPG Infrastructure for OWASP
Please see the Google Docs document.
OWASP generates, delivers and hosts a range of documents and tools that are widely accepted for their high quality; however, there is currently no mechanism to make these projects tamper-proof, so a user has no way to verify that what they downloaded is what OWASP released.
OWASP needs an organisational and technical infrastructure to sign documents and code. This Working Session aims to create a GPG infrastructure for OWASP.
- Organisational infrastructure: e-mail addresses, people who “own” the keys, trust chain
- Technical infrastructure: e-mail addresses, owasp.org/GPG
- Leaders should have a GPG key signed by OWASP’s “master key” by the end of the Summit
- TBD …
- GPG infrastructure for OWASP
- GPG keys signed by OWASP’s “master key” by the end of the Summit
The target audience for this Working Session is:
- Board members
- Technical staff
This will be done during the session; see “Content” below.
- A draft GPG infrastructure for OWASP will be created during the session (in Google Docs?)
- OWASP’s “master key”: which e-mail address? firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
- OWASP’s “master key”: where is it stored, and which people have access to it?
- Which “sub keys” are needed: a technical key for each project, keys for documents?
- Key validity of 3-6 months; short-lived keys avoid the need for revocation keys, revocation lists and the infrastructure to distribute them, because a lost or compromised key simply expires.
- A key’s validity period can be extended in place with the “expire” option, without generating a new key.
- A key for each board member, each leader and each project owner. Each key must be generated by its owner and then signed with the “master key”.
- A draft of the process for generating and updating the “master key” and the trusted/signed keys will be created during the session (in Google Docs?)
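As an added illustration of the steps listed above (this is example code written for this page, not OWASP’s own tooling or anything decided in the session), the script below walks through the proposed workflow with GnuPG 2.1 or newer, entirely inside throw-away home directories: a certify-only “master key” with a 3-month validity, a document-signing sub key on it, a leader’s key generated by the leader and certified by the master-key holder, a check from the leader’s side that the certification verifies, and finally extending the master key’s validity from 3 to 6 months in place instead of revoking it. The user IDs, the example.org addresses and the two periods are constructed placeholders; the keys are created without a passphrase only so the demo runs unattended.

```shell
#!/bin/sh
# Added example, not part of the session page and not OWASP's own tooling:
# a dry run of the key-handling steps proposed above with GnuPG (2.1+),
# entirely inside throw-away home directories.  Names, e-mail addresses and
# the 3-month / 6-month periods are constructed placeholders for whatever the
# session decides.  Keys are created without a passphrase to keep the demo
# non-interactive; a real master key would be passphrase-protected and offline.
set -eu

have_gpg() { command -v gpg >/dev/null 2>&1; }

# g HOME ARGS... : run gpg against one home directory, never prompting.
g() { gh=$1; shift; gpg --homedir "$gh" --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

new_home() { d=$(mktemp -d /tmp/gpgdemo.XXXXXX); chmod 700 "$d"; printf '%s\n' "$d"; }

# gen_key HOME UID EXPIRE : create a certify-only primary key (no sub keys yet)
# and print its fingerprint.  Signing/encryption capability is added as sub keys.
gen_key() {
  g "$1" --quick-generate-key "$2" ed25519 cert "$3" 2>/dev/null
  g "$1" --with-colons --list-secret-keys 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}'
}

# expiry_of HOME FPR : expiry of the primary key as a Unix timestamp (pub record, field 7).
expiry_of() { g "$1" --with-colons --list-keys "$2" 2>/dev/null | awk -F: '$1=="pub"{print $7; exit}'; }

# subkey_count HOME FPR : number of sub keys attached to the primary key.
subkey_count() { g "$1" --with-colons --list-keys "$2" 2>/dev/null | awk -F: '$1=="sub"{n++} END{print n+0}'; }

# certify HOME SIGNER_FPR TARGET_FPR : the master-key holder certifies another key.
certify() { g "$1" -u "$2" --quick-sign-key "$3" 2>/dev/null; }

# master_sigs_on HOME MASTER_FPR TARGET_FPR : count certifications on TARGET that
# verify ("!") against the master key; the long key id is the last 16 hex digits.
master_sigs_on() {
  kid=$(printf '%s' "$2" | tail -c 16)
  g "$1" --with-colons --check-sigs "$3" 2>/dev/null \
    | awk -F: -v k="$kid" '$1=="sig" && $2=="!" && $5==k {n++} END{print n+0}'
}

run_demo() {
  mh=$(new_home)   # where the "master key" lives
  lh=$(new_home)   # a project leader's own machine
  master=$(gen_key "$mh" "OWASP Master Key (demo) <owasp-master@example.org>" 3m)
  g "$mh" --quick-add-key "$master" ed25519 sign 3m 2>/dev/null   # a document-signing sub key
  leader=$(gen_key "$lh" "Alice Leader (demo) <alice.leader@example.org>" 3m)

  # The leader generates their own key and hands over only the public part;
  # the master holder certifies it and returns it together with the master public key.
  g "$lh" --armor --export "$leader" > "$lh/leader.asc"
  g "$mh" --import "$lh/leader.asc" 2>/dev/null
  certify "$mh" "$master" "$leader"
  g "$mh" --armor --export "$leader" "$master" > "$mh/signed.asc"
  g "$lh" --import "$mh/signed.asc" 2>/dev/null
  DEMO_SIGS=$(master_sigs_on "$lh" "$master" "$leader")
  DEMO_SUBKEYS=$(subkey_count "$mh" "$master")

  # Short validity instead of revocation: extend the master key from 3 to 6 months in place.
  before=$(expiry_of "$mh" "$master")
  g "$mh" --quick-set-expire "$master" 6m 2>/dev/null
  after=$(expiry_of "$mh" "$master")
  DEMO_EXTEND_DAYS=$(( (after - before) / 86400 ))

  for h in "$mh" "$lh"; do GNUPGHOME=$h gpgconf --kill all 2>/dev/null || true; rm -rf "$h"; done
  echo "master certifications on leader key: $DEMO_SIGS; master sub keys: $DEMO_SUBKEYS; expiry extended by $DEMO_EXTEND_DAYS days"
}

if have_gpg; then run_demo; else echo "gpg not installed; nothing to demonstrate" >&2; fi
```

Run it with `sh` on a machine that has `gpg`; it never touches your own keyring because every command is pinned to a temporary `--homedir`. The design choice worth noting: the master key is created with `cert` usage only, so it can do nothing but certify other keys and carry sub keys, which keeps the key that sits at the top of the trust chain away from day-to-day signing.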