GPG Infrastructure for OWASP


Current document

Please see the Google Docs draft.

Why

OWASP generates, delivers, and hosts a range of documents and tools that are widely accepted for their high quality; however, there is currently no mechanism that lets a user verify that a downloaded OWASP document or tool is authentic and has not been modified in transit or on the hosting site. Signing does not make the artefacts tamper-proof, but it makes tampering detectable.

OWASP needs an organisational and technical infrastructure to sign documents and code. This Working Session aims to create a GPG infrastructure for OWASP.

What

  • Organisational infrastructure: e-mail addresses, people who “own” the keys, trust chain
  • Technical infrastructure: e-mail addresses, owasp.org/GPG
  • Leaders should have a GPG key certified (signed) by OWASP’s “master key” by the end of the Summit
  • TBD …

Outcomes

  • GPG infrastructure for OWASP
  • Leaders’ GPG keys certified (signed) by OWASP’s “master key” by the end of the Summit

Who

The target audience for this Working Session is:

  • Board members
  • Technical staff

Working materials

Will be done during the session, see “Content” below.

Content

  • Draft GPG infrastructure for OWASP will be created during session (docs.google ?)
  • OWASP’s “master key”: which e-mail address? owasp@owasp.org, ca@owasp.org, root@owasp.org
  • OWASP’s “master key”: where to store? who (human) has access?
  • Which “sub keys”: a technical (code-signing) subkey per project, a separate subkey for documents? Subkeys can be rotated or revoked individually without touching the master (certifying) key.
  • Key validity 3-6 months: a short lifetime limits the damage from a lost key and avoids building revocation-certificate distribution/list infrastructure up front. Caveat: expiry does not replace revocation for a key that is known to be compromised, since the key remains valid until it expires.
  • A key’s validity can be extended before it lapses (the “expire” option of gpg --edit-key, or gpg --quick-set-expire), so renewal does not require generating and re-distributing new keys.
  • Key for each board member, each leader, each project owner. Must be generated by the key owner (the private key never leaves the owner) and certified (signed) with the “master key”.
  • Draft of process for generating and updating “master key” and trusted/signed keys will be created during session (docs.google ?)
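The following script is an added example, not OWASP’s process or code: it walks through the hierarchy sketched in the items above in a throwaway keyring (a master key that certifies member keys, a leader key generated by its owner and certified by the master key, a detached signature on a document that is verified and then rejected after tampering, and the expiry extended in place instead of issuing a new key). The owasp@owasp.org address and the 6-month validity are taken from the notes; GnuPG >= 2.1, Ed25519 keys, the leader@example.org address and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not OWASP's own process: a minimal GPG hierarchy of the kind
# sketched in the session notes, built in a throwaway keyring. Assumed: GnuPG >= 2.1,
# Ed25519 keys, the leader@example.org address and the file names; the 6-month
# validity and owasp@owasp.org come from the notes above.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg (GnuPG) is required" >&2; exit 1; }

# Throwaway keyring so nothing touches the caller's ~/.gnupg; removed on exit.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# Generate a key unattended and print its fingerprint.
# $1 = real name, $2 = e-mail, $3 = validity (e.g. 6m).
# %no-protection is demo-only: a real master key gets a passphrase and lives offline.
gen_key() {
    gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: Ed25519
Key-Usage: sign
Subkey-Type: eddsa
Subkey-Curve: Ed25519
Subkey-Usage: sign
Name-Real: $1
Name-Email: $2
Expire-Date: $3
%commit
EOF
    gpg --batch --with-colons --fixed-list-mode --list-keys "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Certify a member's key with the master key ("signed by OWASP's master key").
# $1 = master fingerprint, $2 = member fingerprint.
certify() {
    gpg --batch --yes --local-user "$1" --quick-sign-key "$2"
}

# Succeed only if key $2 carries a good ("!") certification made by key $1.
is_certified_by() {
    keyid=$(printf '%s' "$1" | tail -c 16)   # long key ID = last 16 hex digits of the fingerprint
    gpg --batch --with-colons --check-sigs "$2" 2>/dev/null \
        | awk -F: -v k="$keyid" '$1 == "sig" && $2 == "!" && $5 == k { found = 1 } END { exit !found }'
}

# Detached ASCII-armoured signature on file $2 made with key $1, written to $2.asc.
sign_file() {
    gpg --batch --yes --local-user "$1" --armor --detach-sign --output "$2.asc" "$2"
}

# Succeed only if the detached signature $1.asc is good for file $1.
verify_file() {
    gpg --batch --verify "$1.asc" "$1" 2>/dev/null
}

# Primary key expiry as seconds since the epoch (field 7 of the "pub" record).
expiry_of() {
    gpg --batch --with-colons --fixed-list-mode --list-keys "$1" \
        | awk -F: '$1 == "pub" { print $7; exit }'
}

# Extend validity in place (the "expire" option) rather than issuing a new key.
# $1 = fingerprint, $2 = new validity (e.g. 1y).
extend_expiry() {
    gpg --batch --yes --quick-set-expire "$1" "$2"
}

# Walk through the whole procedure once.
demo_run() {
    master=$(gen_key "OWASP Master Key" "owasp@owasp.org" 6m)
    leader=$(gen_key "Project Leader" "leader@example.org" 6m)   # assumed address
    certify "$master" "$leader"
    is_certified_by "$master" "$leader"
    echo "leader key certified by master $master"

    doc="$GNUPGHOME/release.txt"                                  # constructed sample document
    printf 'OWASP project release, constructed sample content\n' > "$doc"
    sign_file "$leader" "$doc"
    verify_file "$doc"
    echo "signature on release.txt is good"
    printf 'one extra line\n' >> "$doc"
    if verify_file "$doc"; then echo "BUG: tampered file verified" >&2; exit 1; fi
    echo "tampered release.txt correctly rejected"

    before=$(expiry_of "$master")
    extend_expiry "$master" 1y
    echo "master expiry moved from $before to $(expiry_of "$master")"
}

demo_run
```

The master key only ever certifies other keys and extends its own expiry; document signing is done with the leader's key, whose signing subkey gpg selects automatically. In the real setup the master key would be passphrase-protected and kept offline, and members would generate their keys on their own machines and send only the public key for certification.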


