OWASP - User contributions [en]

Category:OWASP OpenSign Server Project - Assessment Frame

2009-02-25T09:21:18Z

Philipp Potisk:

[[:Category:OWASP OpenSign Server Project|Click here to return to project's main page]].
{| style="width:100%" border="0" align="center"
! colspan="2" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|'''OWASP OpenSign Server Project (Online code signing and integrity verification service for open source community)'''
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS - OWASP Summer of Code 2008
|-
| style="width:15%; background:#6C82B5" align="center"|'''Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' [[User:Philipp Potisk|'''Philipp Potisk''']] [mailto:techierebel@yahoo.co.uk Richard Conway]
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' [[:User:Pparrend|'''Pierre Parrend''']]
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' [[:User:Gary.m.burns|'''Gary Burns''']]
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' Non applicable
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template OpenSign Server Project - 50 Review - Self Evaluation - A|Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template OpenSign Server Project - 50 Review - First Reviewer - C|First Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template OpenSign Server Project 50 Review Second Review E|Second Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- Which status has been reached? '''Beta Quality''' --------- [[Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B|Self-Evaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- Which status has been reached? '''Beta Quality''' --------- [[Project Information:template OpenSign Server Project - Final Review - First Reviewer - D|First Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- Which status has been reached? '''Beta Quality''' --------- [[Project Information:template OpenSign Server Project - Final Review - Second Reviewer - F|Second Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|}

Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B

2009-02-25T09:19:17Z

Philipp Potisk:

[[Project Information:template OpenSign Server Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|OWASP OpenSign Server Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|

At this point the core functionality of the OpenSign project has been developed and tested. This includes the issuing and verifying of certificates within a client server infrastructure. Users must be authenticated and approved by an issuer to use the issuing-service. The issuing is done easily by making use of the client application or online via a web-form. However, OpenSign is not an independent solution for code signing yet. It relies on java-keytool (or an application with the same intention) to generate the client side keys and the certificate sign requests. There is no graphical interface for the client in place. Also the support of .NET code signing was not taken into account yet.

|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|

OpenSign Server: 80%

Client Tools – OSSJClient: 90%

Documentation: 80%

|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
none
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
* Be run through Fortify Software's open source review (if appropriate) and FindBugs
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Category:OWASP OpenSign Server Project

2009-02-25T09:15:27Z

Philipp Potisk: /* Code Signing and Verification */

{{:Project Information:template OpenSign Server Project}}
[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]
[[Category:OWASP Alpha Quality Tool]]

=User Documentation=

This section describes the installation and usage of the server and client binaries, which can be downloaded above. As all applications are written in pure Java the following instructions are not bound to a specific platform.

==Requirements==
* Java runtime 1.6
* Optional: MySql DB

==Installation==

On default nothing besides the unpacking of the binary-packages has to be done for installing server and client application.
If one wants to enable specific settings it is recommended to follow the instructions of the readme.txt files, which are located in the root of each directory after unpacking. Note that the server will run in memory on default, which is only good for testing as the data is lost by shutting down the server. However, this behaviour can easily be changed by the use of a MySql DB (please refer to: readme.txt).

==Server Usage==

Open a console and brows into folder OpenSignServer-1.0. Following command will start the server application:

java -jar jar\OpenSignServer-1.0.jar

The web-based user interface is accessible at: http://localhost:8080/

[[Image:Open_sign_server_home.jpg|600px]]

Following links are accessible:

'''Home:''' Initial page

'''Certificate Authoriy:''' This link allows, on the one hand, unauthenticated users to brows the X.509 hierarchy, starting from the root node down to the leaves, and on the other hand authenticated users to issue certification requests. Once issued certificates are easily accessible and may be downloaded in PEM or binary format.

'''Registration:''' Form for registration of new users with the OpenSign server. New users have to enter some personal details and have to select an issuer (super-node), within the X.509 hierarchy, which needs to approve the registration request before the user will be able to use this service.

'''MySettings:''' This link is only accessible if a user is authenticated. Every user may maintain his profile her. Furthermore, if a user is dedicated as issuer, a list of all sub-nodes is shown. As the issuer is responsible for maintaining the sub-nodes, it is his choice to decide whether to approve a particular user to use the certification service or not. Once a user is approved, the issuer may also decide if he can act as an issuer himself or not.

'''Login:''' User Login

==Client Usage==

Open a console and brows into folder OSSJClient-1.0. To start the client enter following command:

java -jar OSSJClient-[version].jar [command]

Executing the client application without the command-parameter, will print a list of all possible commands to the console. All commands take mandatory and optional parameter, which are also depicted by calling a command without any parameter.

The possible commands are:

'''verifycert'''

This command takes a certificate file and verifies it. Additionally, the application downloads and verifies the certificate chain. A detailed transcript is printed to the console.

'''getcert'''

This command retrieves a certificate from a OpenSign resource (e.g. root/owasp/user1) and either prints it to the console or stores it in a file. Furthermore, the format of the certificate may be chosen (PEM or binary).

'''csr'''

This command processes a certificate sign request. The request is sent to the server, which takes the login credentials and checks if the user is approved to have a OpenSign certificate and if so a certificate is generated and sent to the user in return.

==Steps for setting up the X.509 Hierarchy==
'''1. Update the root-account'''

By starting the server the first time the root account is created and a private key plus corresponding certificate are generated. This account serves as admin-account for the server and as root-node of the X.509 Hierarchy.
It is necessary to reset the password, which can by done by loging in using the username: "root" and the password "123" and by navigating to "MySettings".

'''2. Creating an own issuer-account'''

As it is recommended not to use the root-account for all the issuing procedures it is necessary to set up an account which is a sub-node from the root-account. This account is further on used to maintain a set of end-users.
In the first step the person, responsible for the issuer-account, has to register. In the second step, the owner of the root-account will need to log in and approve this request and grant this user issuer privileges. Once these settings are stored, the OpenSign server will generate a certificate for the issuer, which is publicly available on the issuers profile.

Registering the issuer-account:
[[Image:Open_sign_server_reg.jpg]]

Enabling the issuer-account by the root user:
[[Image:Open_sign_server_approve_issuer.jpg]]

3. End user registration

Users may register and select the previously generated issuer-account (“owasp”) as their desired issuer. However, before they can use their account the issuer has to approve them first.

Registration of an end-user: [[Image:Open_sign_server_reg_user.jpg]]

4. Certificate issuance

It is possible to obtain a certificate by issuing a certificate sign request by use of the web-interface or by use of the client application. The form online can be found at: localhost:8080/csr. The processing of a certificate sign request with the client application is described above (command: csr).

==Code Signing and Verification==

This section describes the steps required for code-signing and verification supported by the OpenSign infrastructure.

'''Signing'''

1. Local generation of the private code-signing key. The key should be stored in a password-protected keystore.

2. Generation of a certificate sign request (CSR)

3. Processing the CSR by making use of the web-interface or the client application. Either way a certificate is returned on success. Furthermore, a copy of the certificate is stored within the server-infrastructure.

4.Signing the code module by making use of the previously generated key.

'''Verification'''

1. Downloading the certificate by browsing the OpenSign X.509 hierarchy online or by use of the client application, which is the recommended option.

2. Importing the certificate as a trusted certificate in the local key-store.

3. Verifying the signed code module by use of the public key embedded in the downloaded certificate.

=Releases=
==OpenSign Server==

===Version 1.0 (26st of October 08)===

* This version is working with the Java client version 1.0
* An "About" button has been added

===Version 0.5 (14th of October 08)===

* Users must now be enabled to use the certification service by the the issuer above in order to build up chains of trust
* The settins page for issuers got extended for maintaining the subordinate entities
* Several server pages got enhanced in terms of functionality and design

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21st of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==

===Version 1.0 (26st of October 08)===

* This version has been modified to work with the server version 1.0

===Version 0.9 (28th of August 08)===

* Commands supported: "getcert", "verifycert" and "csr"
----

=Roadmap=
==OpenSign Server==

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

=Future development=

Category:OWASP OpenSign Server Project

2009-02-25T09:14:49Z

Philipp Potisk: /* Code Signing and Verification */

{{:Project Information:template OpenSign Server Project}}
[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]
[[Category:OWASP Alpha Quality Tool]]

=User Documentation=

This section describes the installation and usage of the server and client binaries, which can be downloaded above. As all applications are written in pure Java the following instructions are not bound to a specific platform.

==Requirements==
* Java runtime 1.6
* Optional: MySql DB

==Installation==

On default nothing besides the unpacking of the binary-packages has to be done for installing server and client application.
If one wants to enable specific settings it is recommended to follow the instructions of the readme.txt files, which are located in the root of each directory after unpacking. Note that the server will run in memory on default, which is only good for testing as the data is lost by shutting down the server. However, this behaviour can easily be changed by the use of a MySql DB (please refer to: readme.txt).

==Server Usage==

Open a console and brows into folder OpenSignServer-1.0. Following command will start the server application:

java -jar jar\OpenSignServer-1.0.jar

The web-based user interface is accessible at: http://localhost:8080/

[[Image:Open_sign_server_home.jpg|600px]]

Following links are accessible:

'''Home:''' Initial page

'''Certificate Authoriy:''' This link allows, on the one hand, unauthenticated users to brows the X.509 hierarchy, starting from the root node down to the leaves, and on the other hand authenticated users to issue certification requests. Once issued certificates are easily accessible and may be downloaded in PEM or binary format.

'''Registration:''' Form for registration of new users with the OpenSign server. New users have to enter some personal details and have to select an issuer (super-node), within the X.509 hierarchy, which needs to approve the registration request before the user will be able to use this service.

'''MySettings:''' This link is only accessible if a user is authenticated. Every user may maintain his profile her. Furthermore, if a user is dedicated as issuer, a list of all sub-nodes is shown. As the issuer is responsible for maintaining the sub-nodes, it is his choice to decide whether to approve a particular user to use the certification service or not. Once a user is approved, the issuer may also decide if he can act as an issuer himself or not.

'''Login:''' User Login

==Client Usage==

Open a console and brows into folder OSSJClient-1.0. To start the client enter following command:

java -jar OSSJClient-[version].jar [command]

Executing the client application without the command-parameter, will print a list of all possible commands to the console. All commands take mandatory and optional parameter, which are also depicted by calling a command without any parameter.

The possible commands are:

'''verifycert'''

This command takes a certificate file and verifies it. Additionally, the application downloads and verifies the certificate chain. A detailed transcript is printed to the console.

'''getcert'''

This command retrieves a certificate from a OpenSign resource (e.g. root/owasp/user1) and either prints it to the console or stores it in a file. Furthermore, the format of the certificate may be chosen (PEM or binary).

'''csr'''

This command processes a certificate sign request. The request is sent to the server, which takes the login credentials and checks if the user is approved to have a OpenSign certificate and if so a certificate is generated and sent to the user in return.

==Steps for setting up the X.509 Hierarchy==
'''1. Update the root-account'''

By starting the server the first time the root account is created and a private key plus corresponding certificate are generated. This account serves as admin-account for the server and as root-node of the X.509 Hierarchy.
It is necessary to reset the password, which can by done by loging in using the username: "root" and the password "123" and by navigating to "MySettings".

'''2. Creating an own issuer-account'''

As it is recommended not to use the root-account for all the issuing procedures it is necessary to set up an account which is a sub-node from the root-account. This account is further on used to maintain a set of end-users.
In the first step the person, responsible for the issuer-account, has to register. In the second step, the owner of the root-account will need to log in and approve this request and grant this user issuer privileges. Once these settings are stored, the OpenSign server will generate a certificate for the issuer, which is publicly available on the issuers profile.

Registering the issuer-account:
[[Image:Open_sign_server_reg.jpg]]

Enabling the issuer-account by the root user:
[[Image:Open_sign_server_approve_issuer.jpg]]

3. End user registration

Users may register and select the previously generated issuer-account (“owasp”) as their desired issuer. However, before they can use their account the issuer has to approve them first.

Registration of an end-user: [[Image:Open_sign_server_reg_user.jpg]]

4. Certificate issuance

It is possible to obtain a certificate by issuing a certificate sign request by use of the web-interface or by use of the client application. The form online can be found at: localhost:8080/csr. The processing of a certificate sign request with the client application is described above (command: csr).

==Code Signing and Verification==

This section describes the steps required for code-signing and verification supported by the OpenSign infrastructure.

'''Signing'''

1. Local generation of the private code-signing key. The key should be stored in a password-protected keystore.

2. Generation of a certificate sign request (CSR)

3. Processing the (CSR) by making use of the web-interface or the client application. Either way a certificate is returned on success. Furthermore, a copy of the certificate is stored within the server-infrastructure.

4.Signing the code module by making use of the previously generated key.

'''Verification'''

1. Downloading the certificate by browsing the OpenSign X.509 hierarchy online or by use of the client application, which is the recommended option.

2. Importing the certificate as a trusted certificate in the local key-store.

3. Verifying the signed code module by use of the public key embedded in the downloaded certificate.

=Releases=
==OpenSign Server==

===Version 1.0 (26st of October 08)===

* This version is working with the Java client version 1.0
* An "About" button has been added

===Version 0.5 (14th of October 08)===

* Users must now be enabled to use the certification service by the the issuer above in order to build up chains of trust
* The settins page for issuers got extended for maintaining the subordinate entities
* Several server pages got enhanced in terms of functionality and design

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21st of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==

===Version 1.0 (26st of October 08)===

* This version has been modified to work with the server version 1.0

===Version 0.9 (28th of August 08)===

* Commands supported: "getcert", "verifycert" and "csr"
----

=Roadmap=
==OpenSign Server==

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

=Future development=

Category:OWASP OpenSign Server Project

2009-02-25T09:14:28Z

Philipp Potisk: /* Code Signing */

{{:Project Information:template OpenSign Server Project}}
[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]
[[Category:OWASP Alpha Quality Tool]]

=User Documentation=

This section describes the installation and usage of the server and client binaries, which can be downloaded above. As all applications are written in pure Java the following instructions are not bound to a specific platform.

==Requirements==
* Java runtime 1.6
* Optional: MySql DB

==Installation==

On default nothing besides the unpacking of the binary-packages has to be done for installing server and client application.
If one wants to enable specific settings it is recommended to follow the instructions of the readme.txt files, which are located in the root of each directory after unpacking. Note that the server will run in memory on default, which is only good for testing as the data is lost by shutting down the server. However, this behaviour can easily be changed by the use of a MySql DB (please refer to: readme.txt).

==Server Usage==

Open a console and brows into folder OpenSignServer-1.0. Following command will start the server application:

java -jar jar\OpenSignServer-1.0.jar

The web-based user interface is accessible at: http://localhost:8080/

[[Image:Open_sign_server_home.jpg|600px]]

Following links are accessible:

'''Home:''' Initial page

'''Certificate Authoriy:''' This link allows, on the one hand, unauthenticated users to brows the X.509 hierarchy, starting from the root node down to the leaves, and on the other hand authenticated users to issue certification requests. Once issued certificates are easily accessible and may be downloaded in PEM or binary format.

'''Registration:''' Form for registration of new users with the OpenSign server. New users have to enter some personal details and have to select an issuer (super-node), within the X.509 hierarchy, which needs to approve the registration request before the user will be able to use this service.

'''MySettings:''' This link is only accessible if a user is authenticated. Every user may maintain his profile her. Furthermore, if a user is dedicated as issuer, a list of all sub-nodes is shown. As the issuer is responsible for maintaining the sub-nodes, it is his choice to decide whether to approve a particular user to use the certification service or not. Once a user is approved, the issuer may also decide if he can act as an issuer himself or not.

'''Login:''' User Login

==Client Usage==

Open a console and brows into folder OSSJClient-1.0. To start the client enter following command:

java -jar OSSJClient-[version].jar [command]

Executing the client application without the command-parameter, will print a list of all possible commands to the console. All commands take mandatory and optional parameter, which are also depicted by calling a command without any parameter.

The possible commands are:

'''verifycert'''

This command takes a certificate file and verifies it. Additionally, the application downloads and verifies the certificate chain. A detailed transcript is printed to the console.

'''getcert'''

This command retrieves a certificate from a OpenSign resource (e.g. root/owasp/user1) and either prints it to the console or stores it in a file. Furthermore, the format of the certificate may be chosen (PEM or binary).

'''csr'''

This command processes a certificate sign request. The request is sent to the server, which takes the login credentials and checks if the user is approved to have a OpenSign certificate and if so a certificate is generated and sent to the user in return.

==Steps for setting up the X.509 Hierarchy==
'''1. Update the root-account'''

By starting the server the first time the root account is created and a private key plus corresponding certificate are generated. This account serves as admin-account for the server and as root-node of the X.509 Hierarchy.
It is necessary to reset the password, which can by done by loging in using the username: "root" and the password "123" and by navigating to "MySettings".

'''2. Creating an own issuer-account'''

As it is recommended not to use the root-account for all the issuing procedures it is necessary to set up an account which is a sub-node from the root-account. This account is further on used to maintain a set of end-users.
In the first step the person, responsible for the issuer-account, has to register. In the second step, the owner of the root-account will need to log in and approve this request and grant this user issuer privileges. Once these settings are stored, the OpenSign server will generate a certificate for the issuer, which is publicly available on the issuers profile.

Registering the issuer-account:
[[Image:Open_sign_server_reg.jpg]]

Enabling the issuer-account by the root user:
[[Image:Open_sign_server_approve_issuer.jpg]]

3. End user registration

Users may register and select the previously generated issuer-account (“owasp”) as their desired issuer. However, before they can use their account the issuer has to approve them first.

Registration of an end-user: [[Image:Open_sign_server_reg_user.jpg]]

4. Certificate issuance

It is possible to obtain a certificate by issuing a certificate sign request by use of the web-interface or by use of the client application. The form online can be found at: localhost:8080/csr. The processing of a certificate sign request with the client application is described above (command: csr).

==Code Signing and Verification==

This section describes the steps required for code-signing and verification support by the OpenSign infrastructure.

'''Signing'''

1. Local generation of the private code-signing key. The key should be stored in a password-protected keystore.

2. Generation of a certificate sign request (CSR)

3. Processing the (CSR) by making use of the web-interface or the client application. Either way a certificate is returned on success. Furthermore, a copy of the certificate is stored within the server-infrastructure.

4.Signing the code module by making use of the previously generated key.

'''Verification'''

1. Downloading the certificate by browsing the OpenSign X.509 hierarchy online or by use of the client application, which is the recommended option.

2. Importing the certificate as a trusted certificate in the local key-store.

3. Verifying the signed code module by use of the public key embedded in the downloaded certificate.

=Releases=
==OpenSign Server==

===Version 1.0 (26st of October 08)===

* This version is working with the Java client version 1.0
* An "About" button has been added

===Version 0.5 (14th of October 08)===

* Users must now be enabled to use the certification service by the the issuer above in order to build up chains of trust
* The settins page for issuers got extended for maintaining the subordinate entities
* Several server pages got enhanced in terms of functionality and design

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21st of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==

===Version 1.0 (26st of October 08)===

* This version has been modified to work with the server version 1.0

===Version 0.9 (28th of August 08)===

* Commands supported: "getcert", "verifycert" and "csr"
----

=Roadmap=
==OpenSign Server==

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

=Future development=

Category:OWASP OpenSign Server Project

2009-02-25T09:00:06Z

Philipp Potisk: /* User Documentation */

{{:Project Information:template OpenSign Server Project}}
[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]
[[Category:OWASP Alpha Quality Tool]]

=User Documentation=

This section describes the installation and usage of the server and client binaries, which can be downloaded above. As all applications are written in pure Java the following instructions are not bound to a specific platform.

==Requirements==
* Java runtime 1.6
* Optional: MySql DB

==Installation==

On default nothing besides the unpacking of the binary-packages has to be done for installing server and client application.
If one wants to enable specific settings it is recommended to follow the instructions of the readme.txt files, which are located in the root of each directory after unpacking. Note that the server will run in memory on default, which is only good for testing as the data is lost by shutting down the server. However, this behaviour can easily be changed by the use of a MySql DB (please refer to: readme.txt).

==Server Usage==

Open a console and brows into folder OpenSignServer-1.0. Following command will start the server application:

java -jar jar\OpenSignServer-1.0.jar

The web-based user interface is accessible at: http://localhost:8080/

[[Image:Open_sign_server_home.jpg|600px]]

Following links are accessible:

'''Home:''' Initial page

'''Certificate Authoriy:''' This link allows, on the one hand, unauthenticated users to brows the X.509 hierarchy, starting from the root node down to the leaves, and on the other hand authenticated users to issue certification requests. Once issued certificates are easily accessible and may be downloaded in PEM or binary format.

'''Registration:''' Form for registration of new users with the OpenSign server. New users have to enter some personal details and have to select an issuer (super-node), within the X.509 hierarchy, which needs to approve the registration request before the user will be able to use this service.

'''MySettings:''' This link is only accessible if a user is authenticated. Every user may maintain his profile her. Furthermore, if a user is dedicated as issuer, a list of all sub-nodes is shown. As the issuer is responsible for maintaining the sub-nodes, it is his choice to decide whether to approve a particular user to use the certification service or not. Once a user is approved, the issuer may also decide if he can act as an issuer himself or not.

'''Login:''' User Login

==Client Usage==

Open a console and brows into folder OSSJClient-1.0. To start the client enter following command:

java -jar OSSJClient-[version].jar [command]

Executing the client application without the command-parameter, will print a list of all possible commands to the console. All commands take mandatory and optional parameter, which are also depicted by calling a command without any parameter.

The possible commands are:

'''verifycert'''

This command takes a certificate file and verifies it. Additionally, the application downloads and verifies the certificate chain. A detailed transcript is printed to the console.

'''getcert'''

This command retrieves a certificate from a OpenSign resource (e.g. root/owasp/user1) and either prints it to the console or stores it in a file. Furthermore, the format of the certificate may be chosen (PEM or binary).

'''csr'''

This command processes a certificate sign request. The request is sent to the server, which takes the login credentials and checks if the user is approved to have a OpenSign certificate and if so a certificate is generated and sent to the user in return.

==Steps for setting up the X.509 Hierarchy==
'''1. Update the root-account'''

By starting the server the first time the root account is created and a private key plus corresponding certificate are generated. This account serves as admin-account for the server and as root-node of the X.509 Hierarchy.
It is necessary to reset the password, which can by done by loging in using the username: "root" and the password "123" and by navigating to "MySettings".

'''2. Creating an own issuer-account'''

As it is recommended not to use the root-account for all the issuing procedures it is necessary to set up an account which is a sub-node from the root-account. This account is further on used to maintain a set of end-users.
In the first step the person, responsible for the issuer-account, has to register. In the second step, the owner of the root-account will need to log in and approve this request and grant this user issuer privileges. Once these settings are stored, the OpenSign server will generate a certificate for the issuer, which is publicly available on the issuers profile.

Registering the issuer-account:
[[Image:Open_sign_server_reg.jpg]]

Enabling the issuer-account by the root user:
[[Image:Open_sign_server_approve_issuer.jpg]]

3. End user registration

Users may register and select the previously generated issuer-account (“owasp”) as their desired issuer. However, before they can use their account the issuer has to approve them first.

Registration of an end-user: [[Image:Open_sign_server_reg_user.jpg]]

4. Certificate issuance

It is possible to obtain a certificate by issuing a certificate sign request by use of the web-interface or by use of the client application. The form online can be found at: localhost:8080/csr. The processing of a certificate sign request with the client application is described above (command: csr).

==Code Signing==

=Releases=
==OpenSign Server==

===Version 1.0 (26st of October 08)===

* This version is working with the Java client version 1.0
* An "About" button has been added

===Version 0.5 (14th of October 08)===

* Users must now be enabled to use the certification service by the the issuer above in order to build up chains of trust
* The settins page for issuers got extended for maintaining the subordinate entities
* Several server pages got enhanced in terms of functionality and design

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21st of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==

===Version 1.0 (26st of October 08)===

* This version has been modified to work with the server version 1.0

===Version 0.9 (28th of August 08)===

* Commands supported: "getcert", "verifycert" and "csr"
----

=Roadmap=
==OpenSign Server==

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

=Future development=

File:Open sign server reg.jpg

2009-02-25T08:58:30Z

Philipp Potisk:

File:Open sign server approve issuer.jpg

2009-02-25T08:54:13Z

Philipp Potisk:

File:Open sign server reg user.jpg

2009-02-25T08:53:38Z

Philipp Potisk:

Category:OWASP OpenSign Server Project

2009-02-25T08:42:30Z

Philipp Potisk: /* Client Usage */

{{:Project Information:template OpenSign Server Project}}
[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]
[[Category:OWASP Alpha Quality Tool]]

=User Documentation=

This section describes the installation and usage of the server and client binaries, which can be downloaded above. As all applications are written in pure Java the following instructions are not bound to a specific platform.

==Requirements==
* Java runtime 1.6
* Optional: MySql DB

==Installation==

On default nothing besides the unpacking of the binary-packages has to be done for installing server and client application.
If one wants to enable specific settings it is recommended to follow the instructions of the readme.txt files, which are located in the root of each directory after unpacking. Note that the server will run in memory on default, which is only good for testing as the data is lost by shutting down the server. However, this behaviour can easily be changed by the use of a MySql DB (please refer to: readme.txt).

==Server Usage==

Open a console and brows into folder OpenSignServer-1.0. Following command will start the server application:

java -jar jar\OpenSignServer-1.0.jar

The web-based user interface is accessible at: http://localhost:8080/

[[Image:Open_sign_server_home.jpg|600px]]

Following links are accessible:

'''Home:''' Initial page

'''Certificate Authoriy:''' This link allows, on the one hand, unauthenticated users to brows the X.509 hierarchy, starting from the root node down to the leaves, and on the other hand authenticated users to issue certification requests. Once issued certificates are easily accessible and may be downloaded in PEM or binary format.

'''Registration:''' Form for registration of new users with the OpenSign server. New users have to enter some personal details and have to select an issuer (super-node), within the X.509 hierarchy, which needs to approve the registration request before the user will be able to use this service.

'''MySettings:''' This link is only accessible if a user is authenticated. Every user may maintain his profile her. Furthermore, if a user is dedicated as issuer, a list of all sub-nodes is shown. As the issuer is responsible for maintaining the sub-nodes, it is his choice to decide whether to approve a particular user to use the certification service or not. Once a user is approved, the issuer may also decide if he can act as an issuer himself or not.

'''Login:''' User Login

==Client Usage==

Open a console and brows into folder OSSJClient-1.0. To start the client enter following command:

java -jar OSSJClient-[version].jar [command]

Executing the client application without the command-parameter, will print a list of all possible commands to the console. All commands take mandatory and optional parameter, which are also depicted by calling a command without any parameter.

The possible commands are:

'''verifycert'''

This command takes a certificate file and verifies it. Additionally, the application downloads and verifies the certificate chain. A detailed transcript is printed to the console.

'''getcert'''

This command retrieves a certificate from a OpenSign resource (e.g. root/owasp/user1) and either prints it to the console or stores it in a file. Furthermore, the format of the certificate may be chosen (PEM or binary).

'''csr'''

This command processes a certificate sign request. The request is sent to the server, which takes the login credentials and checks if the user is approved to have a OpenSign certificate and if so a certificate is generated and sent to the user in return.

==Setting up the X.509 Hierarchy==
==Code Signing==

=Releases=
==OpenSign Server==

===Version 1.0 (26st of October 08)===

* This version is working with the Java client version 1.0
* An "About" button has been added

===Version 0.5 (14th of October 08)===

* Users must now be enabled to use the certification service by the the issuer above in order to build up chains of trust
* The settins page for issuers got extended for maintaining the subordinate entities
* Several server pages got enhanced in terms of functionality and design

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21st of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==

===Version 1.0 (26st of October 08)===

* This version has been modified to work with the server version 1.0

===Version 0.9 (28th of August 08)===

* Commands supported: "getcert", "verifycert" and "csr"
----

=Roadmap=
==OpenSign Server==

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

=Future development=

Category:OWASP OpenSign Server Project

2009-02-25T08:38:03Z

Philipp Potisk: /* Client Usage */

{{:Project Information:template OpenSign Server Project}}
[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]
[[Category:OWASP Alpha Quality Tool]]

=User Documentation=

This section describes the installation and usage of the server and client binaries, which can be downloaded above. As all applications are written in pure Java the following instructions are not bound to a specific platform.

==Requirements==
* Java runtime 1.6
* Optional: MySql DB

==Installation==

On default nothing besides the unpacking of the binary-packages has to be done for installing server and client application.
If one wants to enable specific settings it is recommended to follow the instructions of the readme.txt files, which are located in the root of each directory after unpacking. Note that the server will run in memory on default, which is only good for testing as the data is lost by shutting down the server. However, this behaviour can easily be changed by the use of a MySql DB (please refer to: readme.txt).

==Server Usage==

Open a console and brows into folder OpenSignServer-1.0. Following command will start the server application:

java -jar jar\OpenSignServer-1.0.jar

The web-based user interface is accessible at: http://localhost:8080/

[[Image:Open_sign_server_home.jpg|600px]]

Following links are accessible:

'''Home:''' Initial page

'''Certificate Authoriy:''' This link allows, on the one hand, unauthenticated users to brows the X.509 hierarchy, starting from the root node down to the leaves, and on the other hand authenticated users to issue certification requests. Once issued certificates are easily accessible and may be downloaded in PEM or binary format.

'''Registration:''' Form for registration of new users with the OpenSign server. New users have to enter some personal details and have to select an issuer (super-node), within the X.509 hierarchy, which needs to approve the registration request before the user will be able to use this service.

'''MySettings:''' This link is only accessible if a user is authenticated. Every user may maintain his profile her. Furthermore, if a user is dedicated as issuer, a list of all sub-nodes is shown. As the issuer is responsible for maintaining the sub-nodes, it is his choice to decide whether to approve a particular user to use the certification service or not. Once a user is approved, the issuer may also decide if he can act as an issuer himself or not.

'''Login:''' User Login

==Client Usage==

Open a console and brows into folder OSSJClient-1.0. To start the client enter following command:

java -jar OSSJClient-[version].jar [command]

Executing the client application without the command-parameter, will print a list of all possible commands to the console. All commands take mandatory and optional parameter, which are also depicted by entering a command without any parameter.

The possible commands are:

'''verifycert'''

This command takes a certificate and verifies it by downloading the certificate chain from the server and verifying all certificates. A detailed transcript is printed to the console.

'''getcert'''

This command retrieves a certificate from a OpenSign resource (e.g. root/owasp/user1) and either prints it to the console or stores it in a file. Furthermore, the format of the certificate may be chosen (PEM or binary).

'''csr'''

This command processes a certificate sign request. The request is sent to the server, which takes the login credentials and checks if the user is approved to have a OpenSign certificate and if so a certificate is generated and sent to the user in return.

==Setting up the X.509 Hierarchy==
==Code Signing==

=Releases=
==OpenSign Server==

===Version 1.0 (26st of October 08)===

* This version is working with the Java client version 1.0
* An "About" button has been added

===Version 0.5 (14th of October 08)===

* Users must now be enabled to use the certification service by the the issuer above in order to build up chains of trust
* The settins page for issuers got extended for maintaining the subordinate entities
* Several server pages got enhanced in terms of functionality and design

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21st of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==

===Version 1.0 (26st of October 08)===

* This version has been modified to work with the server version 1.0

===Version 0.9 (28th of August 08)===

* Commands supported: "getcert", "verifycert" and "csr"
----

=Roadmap=
==OpenSign Server==

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

=Future development=

Category:OWASP OpenSign Server Project

2009-02-25T08:37:04Z

Philipp Potisk: /* Client Usage */

{{:Project Information:template OpenSign Server Project}}
[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]
[[Category:OWASP Alpha Quality Tool]]

=User Documentation=

This section describes the installation and usage of the server and client binaries, which can be downloaded above. As all applications are written in pure Java the following instructions are not bound to a specific platform.

==Requirements==
* Java runtime 1.6
* Optional: MySql DB

==Installation==

On default nothing besides the unpacking of the binary-packages has to be done for installing server and client application.
If one wants to enable specific settings it is recommended to follow the instructions of the readme.txt files, which are located in the root of each directory after unpacking. Note that the server will run in memory on default, which is only good for testing as the data is lost by shutting down the server. However, this behaviour can easily be changed by the use of a MySql DB (please refer to: readme.txt).

==Server Usage==

Open a console and brows into folder OpenSignServer-1.0. Following command will start the server application:

java -jar jar\OpenSignServer-1.0.jar

The web-based user interface is accessible at: http://localhost:8080/

[[Image:Open_sign_server_home.jpg|600px]]

Following links are accessible:

'''Home:''' Initial page

'''Certificate Authoriy:''' This link allows, on the one hand, unauthenticated users to brows the X.509 hierarchy, starting from the root node down to the leaves, and on the other hand authenticated users to issue certification requests. Once issued certificates are easily accessible and may be downloaded in PEM or binary format.

'''Registration:''' Form for registration of new users with the OpenSign server. New users have to enter some personal details and have to select an issuer (super-node), within the X.509 hierarchy, which needs to approve the registration request before the user will be able to use this service.

'''MySettings:''' This link is only accessible if a user is authenticated. Every user may maintain his profile her. Furthermore, if a user is dedicated as issuer, a list of all sub-nodes is shown. As the issuer is responsible for maintaining the sub-nodes, it is his choice to decide whether to approve a particular user to use the certification service or not. Once a user is approved, the issuer may also decide if he can act as an issuer himself or not.

'''Login:''' User Login

==Client Usage==

Open a console and brows into folder OSSJClient-1.0. The usage of the command line client is as follows.

java -jar OSSJClient-[version].jar [command]

Executing the client application without the command-parameter, will print a list of all possible commands to the console. All commands take mandatory and optional parameter, which are also depicted by entering a command without any parameter.

The possible commands are:

'''verifycert'''

This command takes a certificate and verifies it by downloading the certificate chain from the server and verifying all certificates. A detailed transcript is printed to the console.

'''getcert'''

This command retrieves a certificate from a OpenSign resource (e.g. root/owasp/user1) and either prints it to the console or stores it in a file. Furthermore, the format of the certificate may be chosen (PEM or binary).

'''csr'''

This command processes a certificate sign request. The request is sent to the server, which takes the login credentials and checks if the user is approved to have a OpenSign certificate and if so a certificate is generated and sent to the user in return.

==Setting up the X.509 Hierarchy==
==Code Signing==

=Releases=
==OpenSign Server==

===Version 1.0 (26st of October 08)===

* This version is working with the Java client version 1.0
* An "About" button has been added

===Version 0.5 (14th of October 08)===

* Users must now be enabled to use the certification service by the the issuer above in order to build up chains of trust
* The settins page for issuers got extended for maintaining the subordinate entities
* Several server pages got enhanced in terms of functionality and design

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21st of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==

===Version 1.0 (26st of October 08)===

* This version has been modified to work with the server version 1.0

===Version 0.9 (28th of August 08)===

* Commands supported: "getcert", "verifycert" and "csr"
----

=Roadmap=
==OpenSign Server==

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

=Future development=

Category:OWASP OpenSign Server Project

2009-02-25T08:23:12Z

Philipp Potisk: /* Server Usage */

File:Open sign server home.jpg

2009-02-25T08:11:30Z

Philipp Potisk: uploaded a new version of "Image:Open sign server home.jpg"

Category:OWASP OpenSign Server Project

2009-02-25T08:09:16Z

Philipp Potisk: /* Server Usage */

Category:OWASP OpenSign Server Project

2009-02-25T08:05:51Z

Philipp Potisk: /* User Documentation */

Category:OWASP OpenSign Server Project

2009-02-25T08:01:09Z

Philipp Potisk: /* User Documentation */

Category:OWASP OpenSign Server Project

2009-02-24T12:49:30Z

Philipp Potisk: /* Server Usage */

{{:Project Information:template OpenSign Server Project}}
[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]
[[Category:OWASP Alpha Quality Tool]]

=User Documentation=
==Installation==
==Server Usage==
[[Image:Open_sign_server_home.jpg|600px]]

==Client Usage==
==Setting up the X.509 Hierarchy==
==Code Signing==

=Releases=
==OpenSign Server==

===Version 1.0 (26st of October 08)===

* This version is working with the Java client version 1.0
* An "About" button has been added

===Version 0.5 (14th of October 08)===

* Users must now be enabled to use the certification service by the the issuer above in order to build up chains of trust
* The settins page for issuers got extended for maintaining the subordinate entities
* Several server pages got enhanced in terms of functionality and design

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21st of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==

===Version 1.0 (26st of October 08)===

* This version has been modified to work with the server version 1.0

===Version 0.9 (28th of August 08)===

* Commands supported: "getcert", "verifycert" and "csr"
----

=Roadmap=
==OpenSign Server==

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

=Future development=

File:Open sign server home.jpg

2009-02-24T12:45:54Z

Philipp Potisk:

Category:OWASP OpenSign Server Project

2009-02-24T10:20:45Z

Philipp Potisk: /* User Documentation */

{{:Project Information:template OpenSign Server Project}}
[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]
[[Category:OWASP Alpha Quality Tool]]

=User Documentation=
==Installation==
==Server Usage==
==Client Usage==
==Setting up the X.509 Hierarchy==
==Code Signing==

=Releases=
==OpenSign Server==

===Version 1.0 (26st of October 08)===

* This version is working with the Java client version 1.0
* An "About" button has been added

===Version 0.5 (14th of October 08)===

* Users must now be enabled to use the certification service by the the issuer above in order to build up chains of trust
* The settins page for issuers got extended for maintaining the subordinate entities
* Several server pages got enhanced in terms of functionality and design

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21st of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==

===Version 1.0 (26st of October 08)===

* This version has been modified to work with the server version 1.0

===Version 0.9 (28th of August 08)===

* Commands supported: "getcert", "verifycert" and "csr"
----

=Roadmap=
==OpenSign Server==

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

=Future development=

Category:OWASP OpenSign Server Project

2009-02-24T10:19:39Z

Philipp Potisk: /* Java Client */

{{:Project Information:template OpenSign Server Project}}
[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]
[[Category:OWASP Alpha Quality Tool]]

=User Documentation=
==Installation==
==Setting up the X.509 Hierarchy==
==Code Signing==

=Releases=
==OpenSign Server==

===Version 1.0 (26st of October 08)===

* This version is working with the Java client version 1.0
* An "About" button has been added

===Version 0.5 (14th of October 08)===

* Users must now be enabled to use the certification service by the the issuer above in order to build up chains of trust
* The settins page for issuers got extended for maintaining the subordinate entities
* Several server pages got enhanced in terms of functionality and design

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21st of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==

===Version 1.0 (26st of October 08)===

* This version has been modified to work with the server version 1.0

===Version 0.9 (28th of August 08)===

* Commands supported: "getcert", "verifycert" and "csr"
----

=Roadmap=
==OpenSign Server==

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

=Future development=

Category:OWASP OpenSign Server Project

2009-02-24T10:19:07Z

Philipp Potisk: /* User Documentation */

{{:Project Information:template OpenSign Server Project}}
[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]
[[Category:OWASP Alpha Quality Tool]]

=User Documentation=
==Installation==
==Setting up the X.509 Hierarchy==
==Code Signing==

=Releases=
==OpenSign Server==

===Version 1.0 (26st of October 08)===

* This version is working with the Java client version 1.0
* An "About" button has been added

===Version 0.5 (14th of October 08)===

* Users must now be enabled to use the certification service by the the issuer above in order to build up chains of trust
* The settins page for issuers got extended for maintaining the subordinate entities
* Several server pages got enhanced in terms of functionality and design

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21st of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==

===Version 1.0 (26st of October 08)===

* This version has been modified to work with the server version 1.0

===Version 0.9 (28th of August 08)===

* Commands supported: "getcert", "verifycert" and "csr"
----

=Roadmap=
==OpenSign Server==

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

Category:OWASP OpenSign Server Project

2009-02-24T10:01:31Z

Philipp Potisk: /* Releases */

{{:Project Information:template OpenSign Server Project}}
[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]
[[Category:OWASP Alpha Quality Tool]]

=User Documentation=
==Installation==
==Code Signing==

=Releases=
==OpenSign Server==

===Version 1.0 (26st of October 08)===

* This version is working with the Java client version 1.0
* An "About" button has been added

===Version 0.5 (14th of October 08)===

* Users must now be enabled to use the certification service by the the issuer above in order to build up chains of trust
* The settins page for issuers got extended for maintaining the subordinate entities
* Several server pages got enhanced in terms of functionality and design

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21st of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==

===Version 1.0 (26st of October 08)===

* This version has been modified to work with the server version 1.0

===Version 0.9 (28th of August 08)===

* Commands supported: "getcert", "verifycert" and "csr"
----

=Roadmap=
==OpenSign Server==

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

Category:OWASP OpenSign Server Project

2009-02-24T09:56:19Z

Philipp Potisk: /* .NET Client */

{{:Project Information:template OpenSign Server Project}}
[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]
[[Category:OWASP Alpha Quality Tool]]

=Releases=
==OpenSign Server==

===Version 1.0 (26st of October 08)===

* This version is working with the Java client version 1.0
* An "About" button has been added

===Version 0.5 (14th of October 08)===

* Users must now be enabled to use the certification service by the the issuer above in order to build up chains of trust
* The settins page for issuers got extended for maintaining the subordinate entities
* Several server pages got enhanced in terms of functionality and design

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21st of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==

===Version 1.0 (26st of October 08)===

* This version has been modified to work with the server version 1.0

===Version 0.9 (28th of August 08)===

* Commands supported: "getcert", "verifycert" and "csr"
----

=Roadmap=
==OpenSign Server==

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

Category:OWASP OpenSign Server Project

2009-02-24T09:55:25Z

Philipp Potisk: /* OpenSign Server */

{{:Project Information:template OpenSign Server Project}}
[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]
[[Category:OWASP Alpha Quality Tool]]

=Releases=
==OpenSign Server==

===Version 1.0 (26st of October 08)===

* This version is working with the Java client version 1.0
* An "About" button has been added

===Version 0.5 (14th of October 08)===

* Users must now be enabled to use the certification service by the the issuer above in order to build up chains of trust
* The settins page for issuers got extended for maintaining the subordinate entities
* Several server pages got enhanced in terms of functionality and design

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21st of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==

===Version 1.0 (26st of October 08)===

* This version has been modified to work with the server version 1.0

===Version 0.9 (28th of August 08)===

* Commands supported: "getcert", "verifycert" and "csr"
----

=Roadmap=
==OpenSign Server==

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

===.NET Client===

TBC

Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B

2008-10-27T07:42:18Z

Philipp Potisk:

[[Project Information:template OpenSign Server Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|OWASP OpenSign Server Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|

At this point the core functionality of the OpenSign project has been developed and tested. This includes the issuing and verifying of certificates within a client server infrastructure. Users must be authenticated and approved by an issuer to use the issuing-service. The issuing is done easily by making use of the client application or online via a web-form. However, OpenSign is not an independent solution for code signing yet. It relies on java-keytool (or an application with the same intention) to generate the client side keys and the certificate sign requests. There is no graphical interface for the client in place. Also the support of .NET code signing was not taken into account yet.

|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|

OpenSign Server: 80%

Client Tools – OSSJClient: 90%

Documentation: 30%

|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
none
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
* Include user documentation in Project's OWASP Wiki page(s)
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
* Include online documention built into tool (based on required user documentation)
* Be run through Fortify Software's open source review (if appropriate) and FindBugs
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B

2008-10-27T07:40:05Z

Philipp Potisk:

[[Project Information:template OpenSign Server Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|OWASP OpenSign Server Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|

At this point the core functionality of the OpenSign project has been developed and tested. This includes the issuing and verifying of certificates within a client server infrastructure. Users must be authenticated and approved by an issuer to use the issuing-service. The issuing is done easily by making use of the client application or online via a web-form. However, OpenSign is not an independent solution for code signing yet. It relies on java-keytool (or an application with the same intention) to generate the client side keys and the Certificate Sign Requests. There is no graphical interface for the client in place. Also the support of .NET code signing was not taken into account yet.

|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|

OpenSign Server: 80%

Client Tools – OSSJClient: 90%

Documentation: 30%

|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
none
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
* Include user documentation in Project's OWASP Wiki page(s)
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
* Include online documention built into tool (based on required user documentation)
* Be run through Fortify Software's open source review (if appropriate) and FindBugs
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B

2008-10-27T07:37:49Z

Philipp Potisk:

[[Project Information:template OpenSign Server Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|OWASP OpenSign Server Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|

At this point the core functionality of the OpenSign project has been developed and tested. This includes the issuing and verifying of certificates within a client server infrastructure. Users must be authenticated and approved by an issuer to use the issuing-service. The issuing is done easily by making use of the client application or online via a web-form. However, OpenSign is not an independent solution for code signing yet. It relies on java-keytool (or an application with the same intention) to generate the client side keys and the Certificate Sign Requests. There is no graphical interface for the client in place. Also the support of .NET code signing was not taken into account yet.

|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|

OpenSign Server: 80%

Client Tools – OSSJClient: 90%

Documentation: 30%

|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
none
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
* Include online documention built into tool (based on required user documentation)
* Be run through Fortify Software's open source review (if appropriate) and FindBugs
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B

2008-10-27T07:34:31Z

Philipp Potisk:

[[Project Information:template OpenSign Server Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|OWASP OpenSign Server Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|

At this point the core functionality of the OpenSign project has been developed and tested. This includes the issuing and verifying of certificates within a client server infrastructure. Users must be authenticated and approved by an issuer to use the issuing-service. The issuing is done easily by making use of the client application or online via a web-form. However, OpenSign is not an independent solution for code signing yet. It relies on java-keytool (or an application with the same intention) to generate the client side keys and the Certificate Sign Requests. There is no graphical interface for the client in place. Also the support of .NET code signing was not taken into account yet.

|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|

OpenSign Server: 80%

Client Tools – OSSJClient: 90%

Documentation: 30%

|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
none
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Project Information:template OpenSign Server Project - Final Review - First Reviewer - D

2008-10-27T07:33:56Z

Philipp Potisk:

[[Project Information:template OpenSign Server Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|OWASP OpenSign Server Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Please do use the right hand side column to provide advice and make work suggestions.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
'''First comments''':

* it would be nice it it would be possible to simply download and run the code
for the server and the client (I have made some tests under linux, this seems not to be the case for the latter releases available on the project web page)
* available scripts for starting both under MS win & linux, with default config
* available user documentation: what can I do with each tool, how (for instance under the form of a '5 minutes introduction' and reference list of available functions) ?
* is the C# code available for download and execution ?
* it would be nice if the 'trunk' would be documented in a way that let the user know:
- how to compile everything (without needing to install libraries from the web) ?

- how to run the server and clients (a global 'readme' file is missing).

* Moreover, the 'opensign-design' document could be completed.

|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. Please do use the right hand side column to provide advice and make work suggestions.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B

2008-10-27T07:33:39Z

Philipp Potisk:

[[Project Information:template OpenSign Server Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|OWASP OpenSign Server Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|

At this point the core functionality of the OpenSign project has been developed and tested. This includes the issuing and verifying of certificates within a client server infrastructure. Users must be authenticated and approved by an issuer to use the issuing-service. The issuing is done easily by making use of the client application or online via a web-form. However, OpenSign is not an independent solution for code signing yet. It relies on java-keytool (or an application with the same intention) to generate the client side keys and the Certificate Sign Requests. There is no graphical interface for the client in place. Also the support of .NET code signing was not taken into account yet.

|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|

OpenSign Server: 80%

Client Tools – OSSJClient: 90%

Documentation: 30%

|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Project Information:template OpenSign Server Project - Final Review - First Reviewer - D

2008-10-27T07:32:32Z

Philipp Potisk:

[[Project Information:template OpenSign Server Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|OWASP OpenSign Server Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|

At this point the core functionality of the OpenSign project has been developed and tested. This includes the issuing and verifying of certificates within a client server infrastructure. Users must be authenticated and approved by an issuer to use the issuing-service. The issuing is done easily by making use of the client application or online via a web-form. However, OpenSign is not an independent solution for code signing yet. It relies on java-keytool (or an application with the same intention) to generate the client side keys and the Certificate Sign Requests. There is no graphical interface for the client in place. Also the support of .NET code signing was not taken into account yet.

|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|

OpenSign Server: 80%

Client Tools – OSSJClient: 90%

Documentation: 30%

|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Please do use the right hand side column to provide advice and make work suggestions.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
'''First comments''':

* it would be nice it it would be possible to simply download and run the code
for the server and the client (I have made some tests under linux, this seems not to be the case for the latter releases available on the project web page)
* available scripts for starting both under MS win & linux, with default config
* available user documentation: what can I do with each tool, how (for instance under the form of a '5 minutes introduction' and reference list of available functions) ?
* is the C# code available for download and execution ?
* it would be nice if the 'trunk' would be documented in a way that let the user know:
- how to compile everything (without needing to install libraries from the web) ?

- how to run the server and clients (a global 'readme' file is missing).

* Moreover, the 'opensign-design' document could be completed.

|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. Please do use the right hand side column to provide advice and make work suggestions.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Project Information:template OpenSign Server Project

2008-10-27T07:06:55Z

Philipp Potisk: /* OpenSign Client */

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP OpenSign Server Project (Online code signing and integrity verification service for open source community)'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules. - The service will allow all .NET and Java code modules to be uploaded to the service to be signed by a community code signing key. Each community (such as OWASP) will have a key and corresponding Software Publishing Certificate (SPC) which can optionally be embedded in the code module itself. Generally, however, the service is intended for developers and the wider community of concerned users that want to ensure that their downloaded portable executable is exactly what it purports to be. The root key will be stored in an HSM and will sign an SPC from a locally generated key-pair of which the public key will be sent to the service. Key pair generation can be made and submitted using standard .NET delay signing and jar signing tools distributed with the SDKs, however, the project remit will ensure that a client-side graphical tool for each environment is available to generate the keys pairs needed to sign code with and allow submission to the code signing service for signing and generation of SPC by the server's proprietary CA. Anonymity will not be allowed so the project will include a database of users which will be the basis of directory for SPCs. There will be a web and web services interface using an online login and WS-Security respectively which will allow the code to be uploaded on demand and signed by a code signing key with the option to embed the certificate or not.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:philipp_p(at)gmx.at '''Phil Potisk'''] [mailto:techierebel(at)yahoo.co.uk '''Richard Conway''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-opensign-server-project '''Mailing List/Subscribe'''] [mailto:Owasp-OpenSign-Server-Project@lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:pierre.parrend(at)insa-lyon.fr '''Pierre Parrend'''] [http://www.rzo.free.fr/ Curriculum]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:gary.m.burns@gmail.com '''Gary Burns'''] [http://www.linkedin.com/in/garymburns Profile]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member (if applicable) [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://code.google.com/p/opensign-project/ OpenSign Project - code.google.com]
* [[:Image:OpenSign Server Demo oss 0 4 ossjclient 0 9.ppt|OpenSign Server Demo/ppt]]
* server: [http://opensign-project.googlecode.com/files/OpenSignServer-1.0-bin.tar.gz OpenSignServer-1.0-bin.tar.gz ]
* client: [http://opensign-project.googlecode.com/files/OSSJClient-1.0-bin.tar.gz OSSJClient-1.0-bin.tar.gz ]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template OpenSign Server Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template OpenSign Server Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template OpenSign Server Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
|}

----

=Releases=
==OpenSign Server==

===Version 1.0 (26st of October 08)===

* This version is working with the Java client version 1.0
* An "About" button has been added

===Version 0.5 (14th of October 08)===

* Users must now be enabled to use the certification service by the the issuer above in order to build up chains of trust
* The settins page for issuers got extended for maintaining the subordinate entities
* Several server pages got enhanced in terms of functionality and design

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21st of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==

===Version 1.0 (26st of October 08)===

* This version has been modified to work with the server version 1.0

===Version 0.9 (28th of August 08)===

* Commands supported: "getcert", "verifycert" and "csr"
----

=Roadmap=
=OpenSign Server=

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

===.NET Client===

TBC

Project Information:template OpenSign Server Project

2008-10-27T07:06:04Z

Philipp Potisk: /* OpenSign Server */

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP OpenSign Server Project (Online code signing and integrity verification service for open source community)'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules. - The service will allow all .NET and Java code modules to be uploaded to the service to be signed by a community code signing key. Each community (such as OWASP) will have a key and corresponding Software Publishing Certificate (SPC) which can optionally be embedded in the code module itself. Generally, however, the service is intended for developers and the wider community of concerned users that want to ensure that their downloaded portable executable is exactly what it purports to be. The root key will be stored in an HSM and will sign an SPC from a locally generated key-pair of which the public key will be sent to the service. Key pair generation can be made and submitted using standard .NET delay signing and jar signing tools distributed with the SDKs, however, the project remit will ensure that a client-side graphical tool for each environment is available to generate the keys pairs needed to sign code with and allow submission to the code signing service for signing and generation of SPC by the server's proprietary CA. Anonymity will not be allowed so the project will include a database of users which will be the basis of directory for SPCs. There will be a web and web services interface using an online login and WS-Security respectively which will allow the code to be uploaded on demand and signed by a code signing key with the option to embed the certificate or not.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:philipp_p(at)gmx.at '''Phil Potisk'''] [mailto:techierebel(at)yahoo.co.uk '''Richard Conway''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-opensign-server-project '''Mailing List/Subscribe'''] [mailto:Owasp-OpenSign-Server-Project@lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:pierre.parrend(at)insa-lyon.fr '''Pierre Parrend'''] [http://www.rzo.free.fr/ Curriculum]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:gary.m.burns@gmail.com '''Gary Burns'''] [http://www.linkedin.com/in/garymburns Profile]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member (if applicable) [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://code.google.com/p/opensign-project/ OpenSign Project - code.google.com]
* [[:Image:OpenSign Server Demo oss 0 4 ossjclient 0 9.ppt|OpenSign Server Demo/ppt]]
* server: [http://opensign-project.googlecode.com/files/OpenSignServer-1.0-bin.tar.gz OpenSignServer-1.0-bin.tar.gz ]
* client: [http://opensign-project.googlecode.com/files/OSSJClient-1.0-bin.tar.gz OSSJClient-1.0-bin.tar.gz ]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template OpenSign Server Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template OpenSign Server Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template OpenSign Server Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
|}

----

=Releases=
==OpenSign Server==

===Version 1.0 (26st of October 08)===

* This version is working with the Java client version 1.0
* An "About" button has been added

===Version 0.5 (14th of October 08)===

* Users must now be enabled to use the certification service by the the issuer above in order to build up chains of trust
* The settins page for issuers got extended for maintaining the subordinate entities
* Several server pages got enhanced in terms of functionality and design

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21st of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==
===Version 0.9 (28th of August 08)===

* Commands supported: "getcert", "verifycert" and "csr"
----

=Roadmap=
=OpenSign Server=

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

===.NET Client===

TBC

Project Information:template OpenSign Server Project

2008-10-27T06:48:10Z

Philipp Potisk:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP OpenSign Server Project (Online code signing and integrity verification service for open source community)'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules. - The service will allow all .NET and Java code modules to be uploaded to the service to be signed by a community code signing key. Each community (such as OWASP) will have a key and corresponding Software Publishing Certificate (SPC) which can optionally be embedded in the code module itself. Generally, however, the service is intended for developers and the wider community of concerned users that want to ensure that their downloaded portable executable is exactly what it purports to be. The root key will be stored in an HSM and will sign an SPC from a locally generated key-pair of which the public key will be sent to the service. Key pair generation can be made and submitted using standard .NET delay signing and jar signing tools distributed with the SDKs, however, the project remit will ensure that a client-side graphical tool for each environment is available to generate the keys pairs needed to sign code with and allow submission to the code signing service for signing and generation of SPC by the server's proprietary CA. Anonymity will not be allowed so the project will include a database of users which will be the basis of directory for SPCs. There will be a web and web services interface using an online login and WS-Security respectively which will allow the code to be uploaded on demand and signed by a code signing key with the option to embed the certificate or not.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:philipp_p(at)gmx.at '''Phil Potisk'''] [mailto:techierebel(at)yahoo.co.uk '''Richard Conway''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-opensign-server-project '''Mailing List/Subscribe'''] [mailto:Owasp-OpenSign-Server-Project@lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:pierre.parrend(at)insa-lyon.fr '''Pierre Parrend'''] [http://www.rzo.free.fr/ Curriculum]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:gary.m.burns@gmail.com '''Gary Burns'''] [http://www.linkedin.com/in/garymburns Profile]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member (if applicable) [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://code.google.com/p/opensign-project/ OpenSign Project - code.google.com]
* [[:Image:OpenSign Server Demo oss 0 4 ossjclient 0 9.ppt|OpenSign Server Demo/ppt]]
* server: [http://opensign-project.googlecode.com/files/OpenSignServer-1.0-bin.tar.gz OpenSignServer-1.0-bin.tar.gz ]
* client: [http://opensign-project.googlecode.com/files/OSSJClient-1.0-bin.tar.gz OSSJClient-1.0-bin.tar.gz ]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template OpenSign Server Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template OpenSign Server Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template OpenSign Server Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
|}

----

=Releases=
==OpenSign Server==

===Version 0.5 (14th of October 08)===

* Users must now be enabled to use the certification service by the the issuer above in order to build up chains of trust
* The settins page for issuers got extended for maintaining the subordinate entities
* Several server pages got enhanced in terms of functionality and design

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21st of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==
===Version 0.9 (28th of August 08)===

* Commands supported: "getcert", "verifycert" and "csr"
----

=Roadmap=
=OpenSign Server=

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

===.NET Client===

TBC

Project Information:template OpenSign Server Project

2008-10-14T08:05:43Z

Philipp Potisk: /* OpenSign Server */

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP OpenSign Server Project (Online code signing and integrity verification service for open source community)'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules. - The service will allow all .NET and Java code modules to be uploaded to the service to be signed by a community code signing key. Each community (such as OWASP) will have a key and corresponding Software Publishing Certificate (SPC) which can optionally be embedded in the code module itself. Generally, however, the service is intended for developers and the wider community of concerned users that want to ensure that their downloaded portable executable is exactly what it purports to be. The root key will be stored in an HSM and will sign an SPC from a locally generated key-pair of which the public key will be sent to the service. Key pair generation can be made and submitted using standard .NET delay signing and jar signing tools distributed with the SDKs, however, the project remit will ensure that a client-side graphical tool for each environment is available to generate the keys pairs needed to sign code with and allow submission to the code signing service for signing and generation of SPC by the server's proprietary CA. Anonymity will not be allowed so the project will include a database of users which will be the basis of directory for SPCs. There will be a web and web services interface using an online login and WS-Security respectively which will allow the code to be uploaded on demand and signed by a code signing key with the option to embed the certificate or not.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:philipp_p(at)gmx.at '''Phil Potisk'''] [mailto:techierebel(at)yahoo.co.uk '''Richard Conway''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-opensign-server-project '''Mailing List/Subscribe'''] [mailto:Owasp-OpenSign-Server-Project@lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:pierre.parrend(at)insa-lyon.fr '''Pierre Parrend'''] [http://www.rzo.free.fr/ Curriculum]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:gary.m.burns@gmail.com '''Gary Burns'''] 
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member (if applicable) [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://code.google.com/p/opensign-project/ OpenSign Project - code.google.com]
* [[:Image:OpenSign Server Demo oss 0 4 ossjclient 0 9.ppt|OpenSign Server Demo/ppt]]
* server: [http://opensign-project.googlecode.com/files/OpenSignServer-0.5-bin.tar.gz OpenSignServer-0.5-bin.tar.gz ]
* client: [http://opensign-project.googlecode.com/files/OSSJClient-0.9-bin.tar.gz OSSJClient-0.9-bin.tar.gz ]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template OpenSign Server Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template OpenSign Server Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template OpenSign Server Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
|}

----

=Releases=
==OpenSign Server==

===Version 0.5 (14th of October 08)===

* Users must now be enabled to use the certification service by the the issuer above in order to build up chains of trust
* The settins page for issuers got extended for maintaining the subordinate entities
* Several server pages got enhanced in terms of functionality and design

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21st of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==
===Version 0.9 (28th of August 08)===

* Commands supported: "getcert", "verifycert" and "csr"
----

=Roadmap=
=OpenSign Server=

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

===.NET Client===

TBC

Project Information:template OpenSign Server Project

2008-10-14T07:52:33Z

Philipp Potisk:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP OpenSign Server Project (Online code signing and integrity verification service for open source community)'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules. - The service will allow all .NET and Java code modules to be uploaded to the service to be signed by a community code signing key. Each community (such as OWASP) will have a key and corresponding Software Publishing Certificate (SPC) which can optionally be embedded in the code module itself. Generally, however, the service is intended for developers and the wider community of concerned users that want to ensure that their downloaded portable executable is exactly what it purports to be. The root key will be stored in an HSM and will sign an SPC from a locally generated key-pair of which the public key will be sent to the service. Key pair generation can be made and submitted using standard .NET delay signing and jar signing tools distributed with the SDKs, however, the project remit will ensure that a client-side graphical tool for each environment is available to generate the keys pairs needed to sign code with and allow submission to the code signing service for signing and generation of SPC by the server's proprietary CA. Anonymity will not be allowed so the project will include a database of users which will be the basis of directory for SPCs. There will be a web and web services interface using an online login and WS-Security respectively which will allow the code to be uploaded on demand and signed by a code signing key with the option to embed the certificate or not.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:philipp_p(at)gmx.at '''Phil Potisk'''] [mailto:techierebel(at)yahoo.co.uk '''Richard Conway''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-opensign-server-project '''Mailing List/Subscribe'''] [mailto:Owasp-OpenSign-Server-Project@lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:pierre.parrend(at)insa-lyon.fr '''Pierre Parrend'''] [http://www.rzo.free.fr/ Curriculum]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:gary.m.burns@gmail.com '''Gary Burns'''] 
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member (if applicable) [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://code.google.com/p/opensign-project/ OpenSign Project - code.google.com]
* [[:Image:OpenSign Server Demo oss 0 4 ossjclient 0 9.ppt|OpenSign Server Demo/ppt]]
* server: [http://opensign-project.googlecode.com/files/OpenSignServer-0.5-bin.tar.gz OpenSignServer-0.5-bin.tar.gz ]
* client: [http://opensign-project.googlecode.com/files/OSSJClient-0.9-bin.tar.gz OSSJClient-0.9-bin.tar.gz ]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template OpenSign Server Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template OpenSign Server Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template OpenSign Server Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
|}

----

=Releases=
==OpenSign Server==

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21th of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==
===Version 0.9 (28th of August 08)===

* Commands supported: "getcert", "verifycert" and "csr"
----

=Roadmap=
=OpenSign Server=

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

===.NET Client===

TBC

Project Information:template OpenSign Server Project - 50 Review - Self Evaluation - A

2008-09-11T13:53:34Z

Philipp Potisk:

[[Project Information:template OpenSign Server Project|Click here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''50% REVIEW PROCESS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|OWASP OpenSign Server Project's Deliveries & Objectives]]
|-
| style="width:25x%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The Certification Authority functionality including a web interface as well as a web-service one has been realised. It is possible to generate X.509 hierarchies whereas each public key is easily accessible to anyone who intends to use it. Furthermore, a Java client application allows the certificate download, the posting of a PKCS10 certificate signing request in order to obtain a new certificate and the certificate chain verification.

Initial objectives, which have not been met so far, are the upload of code modules - having the server sign the modules, the use of cryptography hardware and the support for .NET signing. Furthermore, educational documentation of code signing/verifying is not written yet.
We consider that the upload of code modules as well as the usage of cryptographic hardware should not be an objective for the scope of SOC 2008. We think it is better to focus on a light weight version of the server, which would attract a broader range of users instead of only those having sophisticated/expensive infrastructures in place.

|-
| style="width:25%; background:#7B8ABD" align="center"|

2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
OpenSign Server: 70%

Client Tools – OSSJClient: 80%

Documentation: 20%
|-
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
No additional help is required at the moment.
|}

Project Information:template OpenSign Server Project

2008-08-27T23:31:55Z

Philipp Potisk: /* OpenSign Client */

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP OpenSign Server Project (Online code signing and integrity verification service for open source community)'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules. - The service will allow all .NET and Java code modules to be uploaded to the service to be signed by a community code signing key. Each community (such as OWASP) will have a key and corresponding Software Publishing Certificate (SPC) which can optionally be embedded in the code module itself. Generally, however, the service is intended for developers and the wider community of concerned users that want to ensure that their downloaded portable executable is exactly what it purports to be. The root key will be stored in an HSM and will sign an SPC from a locally generated key-pair of which the public key will be sent to the service. Key pair generation can be made and submitted using standard .NET delay signing and jar signing tools distributed with the SDKs, however, the project remit will ensure that a client-side graphical tool for each environment is available to generate the keys pairs needed to sign code with and allow submission to the code signing service for signing and generation of SPC by the server's proprietary CA. Anonymity will not be allowed so the project will include a database of users which will be the basis of directory for SPCs. There will be a web and web services interface using an online login and WS-Security respectively which will allow the code to be uploaded on demand and signed by a code signing key with the option to embed the certificate or not.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:philipp_p(at)gmx.at '''Phil Potisk'''] [mailto:techierebel(at)yahoo.co.uk '''Richard Conway''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-opensign-server-project '''Mailing List/Subscribe'''] [mailto:Owasp-OpenSign-Server-Project@lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:pierre.parrend(at)insa-lyon.fr '''Pierre Parrend'''] [http://www.rzo.free.fr/ Curriculum]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:mark.roxberry(at)owasp.org '''Mark Roxberry'''] [http://www.linkedin.com/in/roxberry Profile]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member (if applicable) [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://code.google.com/p/opensign-project/ OpenSign Project]
* server: [http://opensign-project.googlecode.com/files/OpenSignServer-0.4-bin.tar.gz OpenSignServer-0.4-bin.tar.gz ]
* client: [http://opensign-project.googlecode.com/files/OSSJClient-0.9-bin.tar.gz OSSJClient-0.9-bin.tar.gz ]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template OpenSign Server Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
|}

----

=Releases=
==OpenSign Server==

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21th of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==
===Version 0.9 (28th of August 08)===

* Commands supported: "getcert", "verifycert" and "csr"
----

=Roadmap=
=OpenSign Server=

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

===.NET Client===

TBC

Project Information:template OpenSign Server Project

2008-08-27T23:30:25Z

Philipp Potisk:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP OpenSign Server Project (Online code signing and integrity verification service for open source community)'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules. - The service will allow all .NET and Java code modules to be uploaded to the service to be signed by a community code signing key. Each community (such as OWASP) will have a key and corresponding Software Publishing Certificate (SPC) which can optionally be embedded in the code module itself. Generally, however, the service is intended for developers and the wider community of concerned users that want to ensure that their downloaded portable executable is exactly what it purports to be. The root key will be stored in an HSM and will sign an SPC from a locally generated key-pair of which the public key will be sent to the service. Key pair generation can be made and submitted using standard .NET delay signing and jar signing tools distributed with the SDKs, however, the project remit will ensure that a client-side graphical tool for each environment is available to generate the keys pairs needed to sign code with and allow submission to the code signing service for signing and generation of SPC by the server's proprietary CA. Anonymity will not be allowed so the project will include a database of users which will be the basis of directory for SPCs. There will be a web and web services interface using an online login and WS-Security respectively which will allow the code to be uploaded on demand and signed by a code signing key with the option to embed the certificate or not.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:philipp_p(at)gmx.at '''Phil Potisk'''] [mailto:techierebel(at)yahoo.co.uk '''Richard Conway''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-opensign-server-project '''Mailing List/Subscribe'''] [mailto:Owasp-OpenSign-Server-Project@lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:pierre.parrend(at)insa-lyon.fr '''Pierre Parrend'''] [http://www.rzo.free.fr/ Curriculum]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:mark.roxberry(at)owasp.org '''Mark Roxberry'''] [http://www.linkedin.com/in/roxberry Profile]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member (if applicable) [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://code.google.com/p/opensign-project/ OpenSign Project]
* server: [http://opensign-project.googlecode.com/files/OpenSignServer-0.4-bin.tar.gz OpenSignServer-0.4-bin.tar.gz ]
* client: [http://opensign-project.googlecode.com/files/OSSJClient-0.9-bin.tar.gz OSSJClient-0.9-bin.tar.gz ]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template OpenSign Server Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
|}

----

=Releases=
==OpenSign Server==

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21th of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==
----

=Roadmap=
=OpenSign Server=

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

===.NET Client===

TBC

Project Information:template OpenSign Server Project

2008-08-27T23:28:52Z

Philipp Potisk: /* OpenSign Server */

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP OpenSign Server Project (Online code signing and integrity verification service for open source community)'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules. - The service will allow all .NET and Java code modules to be uploaded to the service to be signed by a community code signing key. Each community (such as OWASP) will have a key and corresponding Software Publishing Certificate (SPC) which can optionally be embedded in the code module itself. Generally, however, the service is intended for developers and the wider community of concerned users that want to ensure that their downloaded portable executable is exactly what it purports to be. The root key will be stored in an HSM and will sign an SPC from a locally generated key-pair of which the public key will be sent to the service. Key pair generation can be made and submitted using standard .NET delay signing and jar signing tools distributed with the SDKs, however, the project remit will ensure that a client-side graphical tool for each environment is available to generate the keys pairs needed to sign code with and allow submission to the code signing service for signing and generation of SPC by the server's proprietary CA. Anonymity will not be allowed so the project will include a database of users which will be the basis of directory for SPCs. There will be a web and web services interface using an online login and WS-Security respectively which will allow the code to be uploaded on demand and signed by a code signing key with the option to embed the certificate or not.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:philipp_p(at)gmx.at '''Phil Potisk'''] [mailto:techierebel(at)yahoo.co.uk '''Richard Conway''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-opensign-server-project '''Mailing List/Subscribe'''] [mailto:Owasp-OpenSign-Server-Project@lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:pierre.parrend(at)insa-lyon.fr '''Pierre Parrend'''] [http://www.rzo.free.fr/ Curriculum]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:mark.roxberry(at)owasp.org '''Mark Roxberry'''] [http://www.linkedin.com/in/roxberry Profile]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member (if applicable) [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://code.google.com/p/opensign-project/ OpenSign Project]
* current release: [http://opensign-project.googlecode.com/files/OpenSignServer-0.3-bin.tar.gz OpenSignServer-0.3-bin.tar.gz ]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template OpenSign Server Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
|}

----

=Releases=
==OpenSign Server==

===Version 0.4 (28th of August 08)===

* Certificate chains are now set up properly. This includes the right values in the certificate as well as appropriate key-handling of the key store. Dummy code got removed broadly.
* This version supports the use of OSSJClient version 0.9 for commands "getcert", "verifycert" and "csr"

===Version 0.3 (21th of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==
----

=Roadmap=
=OpenSign Server=

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

===.NET Client===

TBC

Project Information:template OpenSign Server Project

2008-08-05T10:05:14Z

Philipp Potisk: /* OpenSign Server */

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP OpenSign Server Project (Online code signing and integrity verification service for open source community)'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules. - The service will allow all .NET and Java code modules to be uploaded to the service to be signed by a community code signing key. Each community (such as OWASP) will have a key and corresponding Software Publishing Certificate (SPC) which can optionally be embedded in the code module itself. Generally, however, the service is intended for developers and the wider community of concerned users that want to ensure that their downloaded portable executable is exactly what it purports to be. The root key will be stored in an HSM and will sign an SPC from a locally generated key-pair of which the public key will be sent to the service. Key pair generation can be made and submitted using standard .NET delay signing and jar signing tools distributed with the SDKs, however, the project remit will ensure that a client-side graphical tool for each environment is available to generate the keys pairs needed to sign code with and allow submission to the code signing service for signing and generation of SPC by the server's proprietary CA. Anonymity will not be allowed so the project will include a database of users which will be the basis of directory for SPCs. There will be a web and web services interface using an online login and WS-Security respectively which will allow the code to be uploaded on demand and signed by a code signing key with the option to embed the certificate or not.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:philipp_p(at)gmx.at '''Phil Potisk'''] [mailto:techierebel(at)yahoo.co.uk '''Richard Conway''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-opensign-server-project '''Mailing List/Subscribe'''] [mailto:Owasp-OpenSign-Server-Project@lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:pierre.parrend(at)insa-lyon.fr '''Pierre Parrend'''] [http://www.rzo.free.fr/ Curriculum]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:mark.roxberry(at)owasp.org '''Mark Roxberry'''] [http://www.linkedin.com/in/roxberry Profile]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member (if applicable) [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://code.google.com/p/opensign-project/ OpenSign Project]
* current release: [http://opensign-project.googlecode.com/files/OpenSignServer-0.3-bin.tar.gz OpenSignServer-0.3-bin.tar.gz ]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
|}

----

=Releases=
==OpenSign Server==

===Version 0.3 (21th of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==
----

=Roadmap=
=OpenSign Server=

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

===.NET Client===

TBC

Project Information:template OpenSign Server Project

2008-07-22T12:58:32Z

Philipp Potisk:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP OpenSign Server Project (Online code signing and integrity verification service for open source community)'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules. - The service will allow all .NET and Java code modules to be uploaded to the service to be signed by a community code signing key. Each community (such as OWASP) will have a key and corresponding Software Publishing Certificate (SPC) which can optionally be embedded in the code module itself. Generally, however, the service is intended for developers and the wider community of concerned users that want to ensure that their downloaded portable executable is exactly what it purports to be. The root key will be stored in an HSM and will sign an SPC from a locally generated key-pair of which the public key will be sent to the service. Key pair generation can be made and submitted using standard .NET delay signing and jar signing tools distributed with the SDKs, however, the project remit will ensure that a client-side graphical tool for each environment is available to generate the keys pairs needed to sign code with and allow submission to the code signing service for signing and generation of SPC by the server's proprietary CA. Anonymity will not be allowed so the project will include a database of users which will be the basis of directory for SPCs. There will be a web and web services interface using an online login and WS-Security respectively which will allow the code to be uploaded on demand and signed by a code signing key with the option to embed the certificate or not.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:philipp_p(at)gmx.at '''Phil Potisk'''] [mailto:techierebel(at)yahoo.co.uk '''Richard Conway''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-opensign-server-project '''Mailing List/Subscribe'''] [mailto:Owasp-OpenSign-Server-Project@lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:pierre.parrend(at)insa-lyon.fr '''Pierre Parrend'''] [http://www.rzo.free.fr/ Curriculum]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:mark.roxberry(at)owasp.org '''Mark Roxberry'''] [http://www.linkedin.com/in/roxberry Profile]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member (if applicable) [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://code.google.com/p/opensign-project/ OpenSign Project]
* current release: [http://opensign-project.googlecode.com/files/OpenSignServer-0.3-bin.tar.gz OpenSignServer-0.3-bin.tar.gz ]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
|}

----

=Releases=
==OpenSign Server==

===Version 0.2 (21th of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==
----

=Roadmap=
=OpenSign Server=

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

===.NET Client===

TBC

Project Information:template OpenSign Server Project

2008-07-22T12:55:53Z

Philipp Potisk:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP OpenSign Server Project (Online code signing and integrity verification service for open source community)'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules. - The service will allow all .NET and Java code modules to be uploaded to the service to be signed by a community code signing key. Each community (such as OWASP) will have a key and corresponding Software Publishing Certificate (SPC) which can optionally be embedded in the code module itself. Generally, however, the service is intended for developers and the wider community of concerned users that want to ensure that their downloaded portable executable is exactly what it purports to be. The root key will be stored in an HSM and will sign an SPC from a locally generated key-pair of which the public key will be sent to the service. Key pair generation can be made and submitted using standard .NET delay signing and jar signing tools distributed with the SDKs, however, the project remit will ensure that a client-side graphical tool for each environment is available to generate the keys pairs needed to sign code with and allow submission to the code signing service for signing and generation of SPC by the server's proprietary CA. Anonymity will not be allowed so the project will include a database of users which will be the basis of directory for SPCs. There will be a web and web services interface using an online login and WS-Security respectively which will allow the code to be uploaded on demand and signed by a code signing key with the option to embed the certificate or not.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:philipp_p(at)gmx.at '''Phil Potisk'''] [mailto:techierebel(at)yahoo.co.uk '''Richard Conway''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-opensign-server-project '''Mailing List/Subscribe'''] [mailto:Owasp-OpenSign-Server-Project@lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:pierre.parrend(at)insa-lyon.fr '''Pierre Parrend'''] [http://www.rzo.free.fr/ Curriculum]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:mark.roxberry(at)owasp.org '''Mark Roxberry'''] [http://www.linkedin.com/in/roxberry Profile]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member (if applicable) [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://code.google.com/p/opensign-project/ OpenSign Project]
* current release: [http://opensign-project.googlecode.com/files/OpenSignServer-0.2-bin.tar.gz OpenSignServer-0.3-bin.tar.gz ]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
|}

----

=Releases=
==OpenSign Server==

===Version 0.2 (21th of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==
----

=Roadmap=
=OpenSign Server=

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

===.NET Client===

TBC

Project Information:template OpenSign Server Project

2008-07-21T17:19:14Z

Philipp Potisk: /* OpenSign Server */

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP OpenSign Server Project (Online code signing and integrity verification service for open source community)'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules. - The service will allow all .NET and Java code modules to be uploaded to the service to be signed by a community code signing key. Each community (such as OWASP) will have a key and corresponding Software Publishing Certificate (SPC) which can optionally be embedded in the code module itself. Generally, however, the service is intended for developers and the wider community of concerned users that want to ensure that their downloaded portable executable is exactly what it purports to be. The root key will be stored in an HSM and will sign an SPC from a locally generated key-pair of which the public key will be sent to the service. Key pair generation can be made and submitted using standard .NET delay signing and jar signing tools distributed with the SDKs, however, the project remit will ensure that a client-side graphical tool for each environment is available to generate the keys pairs needed to sign code with and allow submission to the code signing service for signing and generation of SPC by the server's proprietary CA. Anonymity will not be allowed so the project will include a database of users which will be the basis of directory for SPCs. There will be a web and web services interface using an online login and WS-Security respectively which will allow the code to be uploaded on demand and signed by a code signing key with the option to embed the certificate or not.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:philipp_p(at)gmx.at '''Phil Potisk'''] [mailto:techierebel(at)yahoo.co.uk '''Richard Conway''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-opensign-server-project '''Mailing List/Subscribe'''] [mailto:Owasp-OpenSign-Server-Project@lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:pierre.parrend(at)insa-lyon.fr '''Pierre Parrend'''] [http://www.rzo.free.fr/ Curriculum]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:mark.roxberry(at)owasp.org '''Mark Roxberry'''] [http://www.linkedin.com/in/roxberry Profile]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member (if applicable) [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://code.google.com/p/opensign-project/ OpenSign Project]
* current release: [http://opensign-project.googlecode.com/files/OpenSignServer-0.2-bin.tar.gz OpenSignServer-0.2-bin.tar.gz ]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
|}

----

=Releases=
==OpenSign Server==

===Version 0.2 (21th of July 08)===

* Easy extendable persistence layer, which is set up using Hibernate – Annotations.
* Possibility to run server in memory, whereas data is lost when the server process is terminated, or to run the server on top of a MYSQL database.
* Logging mechanism got enhanced which involves means to pipe the log information from OpenSign server as well as from Jetty and Hibernate to a log file.
* Same functionality as version 0.2 from a user point of view.

===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==
----

=Roadmap=
=OpenSign Server=

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

===.NET Client===

TBC

Project Information:template OpenSign Server Project

2008-07-16T21:59:06Z

Philipp Potisk: /* Version 0.2 (1st of July 08) */

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP OpenSign Server Project (Online code signing and integrity verification service for open source community)'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules. - The service will allow all .NET and Java code modules to be uploaded to the service to be signed by a community code signing key. Each community (such as OWASP) will have a key and corresponding Software Publishing Certificate (SPC) which can optionally be embedded in the code module itself. Generally, however, the service is intended for developers and the wider community of concerned users that want to ensure that their downloaded portable executable is exactly what it purports to be. The root key will be stored in an HSM and will sign an SPC from a locally generated key-pair of which the public key will be sent to the service. Key pair generation can be made and submitted using standard .NET delay signing and jar signing tools distributed with the SDKs, however, the project remit will ensure that a client-side graphical tool for each environment is available to generate the keys pairs needed to sign code with and allow submission to the code signing service for signing and generation of SPC by the server's proprietary CA. Anonymity will not be allowed so the project will include a database of users which will be the basis of directory for SPCs. There will be a web and web services interface using an online login and WS-Security respectively which will allow the code to be uploaded on demand and signed by a code signing key with the option to embed the certificate or not.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:philipp_p(at)gmx.at '''Phil Potisk'''] [mailto:techierebel(at)yahoo.co.uk '''Richard Conway''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-opensign-server-project '''Mailing List/Subscribe'''] [mailto:Owasp-OpenSign-Server-Project@lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:pierre.parrend(at)insa-lyon.fr '''Pierre Parrend'''] [http://www.rzo.free.fr/ Curriculum]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:mark.roxberry(at)owasp.org '''Mark Roxberry'''] [http://www.linkedin.com/in/roxberry Profile]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member (if applicable) [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://code.google.com/p/opensign-project/ OpenSign Project]
* current release: [http://opensign-project.googlecode.com/files/OpenSignServer-0.2-bin.tar.gz OpenSignServer-0.2-bin.tar.gz ]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
|}

----

=Releases=
==OpenSign Server==
===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.1 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==
----

=Roadmap=
=OpenSign Server=

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

===.NET Client===

TBC

Project Information:template OpenSign Server Project

2008-07-16T19:42:06Z

Philipp Potisk:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP OpenSign Server Project (Online code signing and integrity verification service for open source community)'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules. - The service will allow all .NET and Java code modules to be uploaded to the service to be signed by a community code signing key. Each community (such as OWASP) will have a key and corresponding Software Publishing Certificate (SPC) which can optionally be embedded in the code module itself. Generally, however, the service is intended for developers and the wider community of concerned users that want to ensure that their downloaded portable executable is exactly what it purports to be. The root key will be stored in an HSM and will sign an SPC from a locally generated key-pair of which the public key will be sent to the service. Key pair generation can be made and submitted using standard .NET delay signing and jar signing tools distributed with the SDKs, however, the project remit will ensure that a client-side graphical tool for each environment is available to generate the keys pairs needed to sign code with and allow submission to the code signing service for signing and generation of SPC by the server's proprietary CA. Anonymity will not be allowed so the project will include a database of users which will be the basis of directory for SPCs. There will be a web and web services interface using an online login and WS-Security respectively which will allow the code to be uploaded on demand and signed by a code signing key with the option to embed the certificate or not.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:philipp_p(at)gmx.at '''Phil Potisk'''] [mailto:techierebel(at)yahoo.co.uk '''Richard Conway''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-opensign-server-project '''Mailing List/Subscribe'''] [mailto:Owasp-OpenSign-Server-Project@lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:pierre.parrend(at)insa-lyon.fr '''Pierre Parrend'''] [http://www.rzo.free.fr/ Curriculum]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:mark.roxberry(at)owasp.org '''Mark Roxberry'''] [http://www.linkedin.com/in/roxberry Profile]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member (if applicable) [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://code.google.com/p/opensign-project/ OpenSign Project]
* current release: [http://opensign-project.googlecode.com/files/OpenSignServer-0.2-bin.tar.gz OpenSignServer-0.2-bin.tar.gz ]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
|}

----

=Releases=
==OpenSign Server==
===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.2 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==
----

=Roadmap=
=OpenSign Server=

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

===.NET Client===

TBC

Project Information:template OpenSign Server Project

2008-07-16T19:40:56Z

Philipp Potisk: /* Java Client */

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP OpenSign Server Project (Online code signing and integrity verification service for open source community)'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules. - The service will allow all .NET and Java code modules to be uploaded to the service to be signed by a community code signing key. Each community (such as OWASP) will have a key and corresponding Software Publishing Certificate (SPC) which can optionally be embedded in the code module itself. Generally, however, the service is intended for developers and the wider community of concerned users that want to ensure that their downloaded portable executable is exactly what it purports to be. The root key will be stored in an HSM and will sign an SPC from a locally generated key-pair of which the public key will be sent to the service. Key pair generation can be made and submitted using standard .NET delay signing and jar signing tools distributed with the SDKs, however, the project remit will ensure that a client-side graphical tool for each environment is available to generate the keys pairs needed to sign code with and allow submission to the code signing service for signing and generation of SPC by the server's proprietary CA. Anonymity will not be allowed so the project will include a database of users which will be the basis of directory for SPCs. There will be a web and web services interface using an online login and WS-Security respectively which will allow the code to be uploaded on demand and signed by a code signing key with the option to embed the certificate or not.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:philipp_p(at)gmx.at '''Phil Potisk'''] [mailto:techierebel(at)yahoo.co.uk '''Richard Conway''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-opensign-server-project '''Mailing List/Subscribe'''] [mailto:Owasp-OpenSign-Server-Project@lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:pierre.parrend(at)insa-lyon.fr '''Pierre Parrend'''] [http://www.rzo.free.fr/ Curriculum]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:mark.roxberry(at)owasp.org '''Mark Roxberry'''] [http://www.linkedin.com/in/roxberry Profile]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member (if applicable) [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://code.google.com/p/opensign-project/ OpenSign Project]
* current release: [http://opensign-project.googlecode.com/files/OpenSignServer-0.2-bin.tar.gz OpenSignServer-0.2-bin.tar.gz ]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
|}

----

=Releases=
==OpenSign Server==
===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.2 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==
----

=Roadmap=
=OpenSign Server=

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

===.NET Client===

Project Information:template OpenSign Server Project

2008-07-16T19:40:21Z

Philipp Potisk: /* Java Client */

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP OpenSign Server Project (Online code signing and integrity verification service for open source community)'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules. - The service will allow all .NET and Java code modules to be uploaded to the service to be signed by a community code signing key. Each community (such as OWASP) will have a key and corresponding Software Publishing Certificate (SPC) which can optionally be embedded in the code module itself. Generally, however, the service is intended for developers and the wider community of concerned users that want to ensure that their downloaded portable executable is exactly what it purports to be. The root key will be stored in an HSM and will sign an SPC from a locally generated key-pair of which the public key will be sent to the service. Key pair generation can be made and submitted using standard .NET delay signing and jar signing tools distributed with the SDKs, however, the project remit will ensure that a client-side graphical tool for each environment is available to generate the keys pairs needed to sign code with and allow submission to the code signing service for signing and generation of SPC by the server's proprietary CA. Anonymity will not be allowed so the project will include a database of users which will be the basis of directory for SPCs. There will be a web and web services interface using an online login and WS-Security respectively which will allow the code to be uploaded on demand and signed by a code signing key with the option to embed the certificate or not.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:philipp_p(at)gmx.at '''Phil Potisk'''] [mailto:techierebel(at)yahoo.co.uk '''Richard Conway''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-opensign-server-project '''Mailing List/Subscribe'''] [mailto:Owasp-OpenSign-Server-Project@lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:pierre.parrend(at)insa-lyon.fr '''Pierre Parrend'''] [http://www.rzo.free.fr/ Curriculum]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:mark.roxberry(at)owasp.org '''Mark Roxberry'''] [http://www.linkedin.com/in/roxberry Profile]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member (if applicable) [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://code.google.com/p/opensign-project/ OpenSign Project]
* current release: [http://opensign-project.googlecode.com/files/OpenSignServer-0.2-bin.tar.gz OpenSignServer-0.2-bin.tar.gz ]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
|}

----

=Releases=
==OpenSign Server==
===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.2 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==
----

=Roadmap=
=OpenSign Server=

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure to sign and verify Jar archives.

Project Information:template OpenSign Server Project

2008-07-16T19:39:33Z

Philipp Potisk:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP OpenSign Server Project (Online code signing and integrity verification service for open source community)'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules. - The service will allow all .NET and Java code modules to be uploaded to the service to be signed by a community code signing key. Each community (such as OWASP) will have a key and corresponding Software Publishing Certificate (SPC) which can optionally be embedded in the code module itself. Generally, however, the service is intended for developers and the wider community of concerned users that want to ensure that their downloaded portable executable is exactly what it purports to be. The root key will be stored in an HSM and will sign an SPC from a locally generated key-pair of which the public key will be sent to the service. Key pair generation can be made and submitted using standard .NET delay signing and jar signing tools distributed with the SDKs, however, the project remit will ensure that a client-side graphical tool for each environment is available to generate the keys pairs needed to sign code with and allow submission to the code signing service for signing and generation of SPC by the server's proprietary CA. Anonymity will not be allowed so the project will include a database of users which will be the basis of directory for SPCs. There will be a web and web services interface using an online login and WS-Security respectively which will allow the code to be uploaded on demand and signed by a code signing key with the option to embed the certificate or not.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:philipp_p(at)gmx.at '''Phil Potisk'''] [mailto:techierebel(at)yahoo.co.uk '''Richard Conway''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-opensign-server-project '''Mailing List/Subscribe'''] [mailto:Owasp-OpenSign-Server-Project@lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:pierre.parrend(at)insa-lyon.fr '''Pierre Parrend'''] [http://www.rzo.free.fr/ Curriculum]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:mark.roxberry(at)owasp.org '''Mark Roxberry'''] [http://www.linkedin.com/in/roxberry Profile]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member (if applicable) [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://code.google.com/p/opensign-project/ OpenSign Project]
* current release: [http://opensign-project.googlecode.com/files/OpenSignServer-0.2-bin.tar.gz OpenSignServer-0.2-bin.tar.gz ]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template OpenSign Server Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template OpenSign Server Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
|}

----

=Releases=
==OpenSign Server==
===Version 0.2 (14th of July 08)===

* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.
* End-users may issue a certificate sign request and obtain the certificate in return.
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".
* Possibility for registering new end-users and issuers.
* Session handling - login, logout of users
* Storage of issuer key-pair's and all certificates in server side key store.
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
*: - in binary format (default): http://localhost:8080/root?property=cert
*: - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1

===Version 0.2 (1st of July 08)===

* Access of root certificate via HTTP-GET http://localhost:8080/ca
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr

==OpenSign Client==
----

=Roadmap=
=OpenSign Server=

'''Goal'''

The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:

'''Version 0.1'''

This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.

'''Version 0.2'''

The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.

'''Version 0.3'''

User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.

'''Version 0.4'''

The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.

'''Version 0.5'''

The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.

'''Version 1.0'''

Well tested and documented PKI for code signing which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''

'''Version 2.0'''

The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.

==OpenSign Client==
===Java Client===

'''Version 1.0'''

Command line application, extending Java keytools functionality to make use of the OpenSign infrastructure. Only Jar archive signing is supported.