4 July 2008

Pierre Parrend

Review for the project: 'OpenSign Server'

First of all, I would like to say that I am very interested in the work you have performed so far. No doubt it will be of great interest to the OWASP community, and beyond.

Please find below my remarks on the project code and documents, as available on the googlecode SVN on 2008/07/04.

1 Comments on the documentation

So far, the documents provide an efficient overview of the project.

They could be completed so as to serve as an actual reference for it, rather than a mere introduction.

1.1 'OpenSign Concept' document

1.1.1 Section 1

The first figure provides a nice overview of the OpenSign project.

It could be enhanced with some additional information:

  • You mention SPC. Could you please give the full meaning of the acronym, and a definition if required?
  • Verifiers verify code. To what extent? Actually, you do not mention this role again in the document. Is it really implemented (or will it be)?

1.1.2 Section 2

  • Your 'Use Case' section mixes use cases and specifications of the OpenSign project. It should be split into two sections. The 'Specification' section should contain more diagrams. The reader should be able to answer the question: 'is the proposed signature scheme sound, or is it possible to bypass it?' As of now, this is not possible.

The specification section could of course be put in the 'Design' document rather than in the 'Concept' one.

1.1.3 Section 2.2

  • In the scenario you describe, the user selects his or her own reviewer. Could this not lead to conflicts of interest, or to the better-known reviewers being overwhelmed? Would it not be possible to perform approver selection through a 'master approver' or an administrator? In any case, please give the motivation for your choice.
  • What is the definition or goal of PKCS 10? Please mention it.

1.1.4 Section 2.3

A reference diagram is missing here.

1.1.5 Section 2.4

'my usage' -> 'by usage'?

'if it has not been revoked' -> 'whether it has not been revoked'

  • 'First, the .. signature is verified. [Next], the certificate is validated': I would do it the other way round, so as to avoid performing signature verification at all if the certificate is invalid. Can you please motivate your choice?
  • 'Additional information ... is loaded': could you be more precise? How, and in which cases?
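The check order argued for above (validate the certificate, including its revocation status, before touching the signature), as an added example in Go using only its standard library. This is not code from OpenSign, whose server is written in Java and whose user tools in C#; it only illustrates the ordering. The root CA, the leaf code-signing certificate, the signed data and the in-memory revocation set are all constructed for the example, the revocation set standing in for the CRL/OCSP lookup a real verifier would perform.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Signer pairs a leaf certificate with its private key; all material is generated in memory.
type Signer struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// ErrRevoked marks a certificate found on the assumed, in-memory revocation set (stand-in for CRL/OCSP).
var ErrRevoked = errors.New("signing certificate has been revoked")

// Report records which steps ran; when the certificate is rejected, SignatureChecked stays false.
type Report struct {
	CertValid        bool
	SignatureChecked bool
	Err              error
}

func mkCert(tpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Setup builds a throwaway root CA and one code-signing leaf certificate issued by it (constructed test data).
func Setup() (*x509.CertPool, *Signer, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert, err := mkCert(caTpl, caTpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Developer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leafCert, err := mkCert(leafTpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, &Signer{Cert: leafCert, Key: leafKey}, nil
}

// Sign produces an ECDSA signature over SHA-256(data).
func (s *Signer) Sign(data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, s.Key, h[:])
}

// Verify validates the certificate first (chain to a trusted root, validity period,
// code-signing usage, then revocation) and touches the signature only after that.
func Verify(roots *x509.CertPool, revoked map[string]bool, cert *x509.Certificate, data, sig []byte) Report {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return Report{Err: err} // chain, validity or usage problem: stop here
	}
	if revoked[cert.SerialNumber.String()] {
		return Report{Err: ErrRevoked} // revoked: the signature is never examined
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return Report{CertValid: true, Err: errors.New("unexpected public key type")}
	}
	h := sha256.Sum256(data)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return Report{CertValid: true, SignatureChecked: true, Err: errors.New("signature does not match data")}
	}
	return Report{CertValid: true, SignatureChecked: true}
}
```

Verify returns a Report rather than a bare error so the caller can see which steps ran: for a revoked or untrusted certificate SignatureChecked stays false, i.e. no signature arithmetic is spent on a certificate the verifier has already rejected, which is the point of doing certificate validation first.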

1.1.6 Section 3

A reference diagram is missing here.

'summery' -> 'summary'

'Project involved' -> 'Projects involved', since you seem to speak of several projects

1.2 'OpenSign Design' document

Some remarks on the previous document, such as adding reference diagrams, apply to this document as well.

2 Comments on the code

Code has been started for several sub-projects: the OpenSign server itself, and the user applications.

The use of the Maven build tool makes building and understanding the code very easy.

2.1 The OpenSign Server

The web server is currently built as a demo server, which is brought up and tested through the Maven tooling.

The code is well commented.

A line in the readme file explaining how to configure the log4j appender would be welcome.

2.2 The user applications

Development has begun for the code signer tool.

The code is commented in a non-verbose way, which may be sufficient unless the author thinks more effort is useful.

A readme file would be appreciated.

Question: do you intend to develop a 'mirror' tool in Java?

If yes, how do you plan to organise the related development effort?

Of course, the availability of portable code would be of great interest to all developers.

However, I do not see whether this is compatible with the time that the development of clean prototypes in C# requires.

One possibility would be to build these prototypes first, and to plan the development of similar user tools in Java for the Beta -> Release step.

All the more so as administration tools still have to be developed, as far as I know.

3 Further Developments

These questions are not meant to be addressed within the project itself. However, it would be interesting to know how you intend to continue the work on it.

Do you plan just to release the code of your project, or is there some plan, discussed during the selection process, to provide 'OWASP-certified' software? Do you plan to support it yourself?

How can I integrate the tool with my favourite tools (Maven repository, Eclipse update site, OSGi/Open Bundle Repository)? What is the necessary amount of work?