GPG Infrastructure for OWASP

Current document

Please see the Google Docs document.


OWASP generates, delivers, and hosts a range of documents and tools that are widely accepted for their high quality; however, there is currently no mechanism that makes these deliverables tamper-evident: someone who downloads an OWASP document or release has no way to check that it was produced by the project and has not been modified since.

OWASP needs an organisational and technical infrastructure to sign documents and code. This Working Session aims to create a GPG infrastructure for OWASP.


  • Organisational infrastructure: e-mail addresses, people who “own” the keys, trust chain
  • Technical infrastructure: e-mail addresses,
  • Leaders should have a GPG key signed by OWASP’s “master key” at the end of the Summit
  • TBD …


  • GPG infrastructure for OWASP
  • GPG key signed by OWASP’s “master key” at the end of the Summit


The target audience for this Working Session is:

  • Board members
  • Technical staff

Working materials

Will be done during the session, see “Content” below.

Content

  • A draft of the GPG infrastructure for OWASP will be created during the session ( ?)
  • OWASP’s “master key”: which e-mail address?
  • OWASP’s “master key”: where is it stored, and which people have access to it?
  • Which “sub keys” are needed: a technical key for each project? one for documents?
  • Key validity of 3-6 months limits the damage from a lost or leaked key and reduces the dependence on revocation certificates, key-server revocation lists and the infrastructure around them. A short expiry is not a substitute for revocation, though: a key known to be compromised must still be revoked, signatures it made before the expiry date keep verifying, and a revocation certificate should therefore still be generated (and stored offline) when each key is created.
  • A key’s validity can be extended with the “expire” option (gpg --edit-key <key-id> expire, or gpg --quick-set-expire <fingerprint> <expiry>), so renewal does not require generating a new key.
  • A key for each board member, each leader and each project owner. It must be generated by the key owner (never by a third party) and signed with the “master key”.
  • A draft of the process for generating and updating the “master key” and the trusted/signed keys will be created during the session ( ?)
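The key hierarchy and lifecycle sketched in the list above, as an added example that is not OWASP’s own tooling nor an outcome of the session: a shell script that builds it with plain GnuPG 2.1+ in three throwaway keyrings (a certify-only “master key” with a signing subkey, a project leader’s key generated by the leader and certified by the master key, and an end user who trusts only the master key), then signs a document, rejects a tampered copy, and extends the master key’s expiry. The names, the example.invalid addresses, the 6-month lifetime, the sample document and the empty passphrases are assumptions so the demo runs unattended; a real master key would be generated and kept on an offline machine, passphrase-protected, with only the signing subkey ever leaving it.

```shell
#!/bin/sh
# Added demo (not OWASP's own tooling) of the key hierarchy described above,
# built with plain GnuPG 2.1+ in three throwaway keyrings:
#   master/   certify-only "master key" plus a short-lived signing subkey
#   leader/   a project leader's key, generated by the leader, not by the board
#   verifier/ an end user whose only trust anchor is the master key
# Names, example.invalid addresses, lifetimes and the empty passphrases are
# assumptions so the demo runs unattended; never leave a real master key unprotected.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "GnuPG 2.1+ (gpg) is required" >&2; exit 1; }

WORK=$(mktemp -d)
M="$WORK/master"; L="$WORK/leader"; V="$WORK/verifier"
mkdir -m 700 "$M" "$L" "$V"
cleanup() {
  for h in "$M" "$L" "$V"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$WORK"
}
trap cleanup EXIT

# gpg with a given home directory, unattended, empty passphrase (demo only).
gpgq() { h=$1; shift; GNUPGHOME="$h" gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }
# Primary-key fingerprint / validity letter / expiry timestamp, read from --with-colons output.
fpr_of()       { GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }
key_validity() { GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" | awk -F: '$1=="pub"{print $2; exit}'; }
key_expiry()   { GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" | awk -F: '$1=="pub"{print $7; exit}'; }

# verify_doc <home> <signature> <file>: succeed only when the signature is good AND the
# signing key is fully valid through the master key. gpg --verify alone exits 0 for a good
# signature from a completely unknown key, so the TRUST_* status line must be checked too.
verify_doc() {
  out=$(GNUPGHOME="$1" gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null) || return 1
  printf '%s\n' "$out" | grep -q '^\[GNUPG:\] VALIDSIG ' || return 1
  printf '%s\n' "$out" | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)' || return 1
}
# Move a key's expiry forward instead of replacing the key (the "expire" option above).
extend_expiry() { gpgq "$1" --quick-set-expire "$2" "$3"; }

# 1. Master key: certify-only primary (never signs documents) + signing subkey, both 6 months.
MASTER_UID="OWASP Master Key (demo) <master@example.invalid>"
gpgq "$M" --quick-generate-key "$MASTER_UID" ed25519 cert 6m
MASTER_FPR=$(fpr_of "$M" "$MASTER_UID")
gpgq "$M" --quick-add-key "$MASTER_FPR" ed25519 sign 6m
# GnuPG 2.1+ writes a revocation certificate at generation time; keep it offline with the key.
MASTER_REVOKE="$M/openpgp-revocs.d/$MASTER_FPR.rev"

# 2. Leader key: generated in the leader's own keyring; only the public part goes to the board.
LEADER_UID="Project Leader (demo) <leader@example.invalid>"
gpgq "$L" --quick-generate-key "$LEADER_UID" ed25519 sign 6m
LEADER_FPR=$(fpr_of "$L" "$LEADER_UID")
GNUPGHOME="$L" gpg --batch --armor --export "$LEADER_FPR" > "$WORK/leader.pub"
GNUPGHOME="$M" gpg --batch --import "$WORK/leader.pub"
gpgq "$M" --quick-sign-key "$LEADER_FPR"            # master key certifies the leader's user ID
GNUPGHOME="$M" gpg --batch --armor --export "$LEADER_FPR" > "$WORK/leader-certified.pub"
GNUPGHOME="$M" gpg --batch --armor --export "$MASTER_FPR" > "$WORK/master.pub"

# 3. Verifier: imports both public keys and trusts only the master key (ownertrust 6 = ultimate).
GNUPGHOME="$V" gpg --batch --import "$WORK/master.pub" "$WORK/leader-certified.pub"
printf '%s:6:\n' "$MASTER_FPR" | GNUPGHOME="$V" gpg --batch --import-ownertrust
GNUPGHOME="$V" gpg --batch --check-trustdb

# 4. Leader signs a constructed sample document; a tampered copy must be rejected.
printf 'OWASP Demo Document v1.0\n' > "$WORK/doc.txt"
gpgq "$L" --armor --detach-sign --output "$WORK/doc.txt.asc" "$WORK/doc.txt"
cp "$WORK/doc.txt" "$WORK/doc-tampered.txt"; printf 'extra line\n' >> "$WORK/doc-tampered.txt"

# 5. Renew the master key by extending its expiry rather than generating a new one.
OLD_EXP=$(key_expiry "$M" "$MASTER_FPR")
extend_expiry "$M" "$MASTER_FPR" 1y
NEW_EXP=$(key_expiry "$M" "$MASTER_FPR")

echo "revocation certificate: $MASTER_REVOKE"
echo "leader key validity as seen by the verifier: $(key_validity "$V" "$LEADER_FPR")"
verify_doc "$V" "$WORK/doc.txt.asc" "$WORK/doc.txt" && echo "doc.txt: good signature, key certified by master"
verify_doc "$V" "$WORK/doc.txt.asc" "$WORK/doc-tampered.txt" || echo "doc-tampered.txt: rejected"
echo "master expiry moved from $OLD_EXP to $NEW_EXP"
```

Run it with sh; it exits non-zero if gpg is not installed. Two details are worth keeping even if everything else in the final design changes: verify_doc insists on a TRUST_FULLY or TRUST_ULTIMATE status line in addition to VALIDSIG, because gpg --verify by itself reports success for a good signature from a key that nobody has certified; and the revocation certificate GnuPG 2.1+ writes into openpgp-revocs.d/ at generation time is the file to move offline together with the master key, so that a compromised key can still be revoked before its short lifetime runs out.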
