Security Assessment for oqsprovider (Open Quantum Safe provider for OpenSSL 3.x) #1333
I am very keen to be part of this review. Being a newbie to this process, I am going through the various guides available at https://github.com/cncf/tag-security/tree/main/community/assessments/guide at a furious pace, though I have done various similar security assessments for my work projects and am hoping I'll move fast. I have no hard or soft conflict of interest whatsoever in this regard. |
As a reviewer, I have no hard or soft conflicts of interest. |
I'm very much interested in contributing as a Cloud Sec; I'm going through the doc at https://github.com/cncf/tag-security/tree/main/community/assessments/guide |
Okay @SophiaUgo, please send your conflict statement when ready. |
I'd love to be an observer for this assessment if you all are open to having one! I have no soft or hard conflicts :) |
Dropping @SophiaUgo until she approves her conflict statement. @anvega , you're ready to go! |
How do I drop my conflict statement @JustinCappos?
|
Sorry for the broken link. Please read this: https://github.com/cncf/tag-security/blob/main/community/assessments/guide/security-reviewer.md#conflict-of-interest and post on this issue. |
Conflict of Interest Statement
Hard Conflicts / Soft Conflicts:
I have reviewed the conflict of interest guidelines and declare that I have no hard conflicts of interest that would prevent me from participating in this security assessment, and no soft conflicts either. However, I am interested in contributing to the project and I am committed to providing a balanced and fair assessment. I would also like to express my interest in shadowing experienced reviewers to learn more about the security assessment process. |
@anvega @JustinCappos I just finished reading https://github.com/cncf/tag-security/blob/main/community/assessments/Open_and_Secure.pdf. I had started reading it to work on the tag-security-baseline survey/assessment, which I just completed, and I am sure it will come in handy, or rather be more useful, for this assessment. I think you'll see some progress on this one now. I am writing, though, to let you know that I enjoyed reading your analysis/comments in the above doc. My entire experience of threat modeling etc. comes from on-the-job experience, and I have certainly read a few things on an on-demand basis and understand the terminology and the issues involved; however, the above doc is so lucid and easy-flowing, with the simple and easily understood bank example you have given and the conversational style you have used, and I loved it all :) . Thank you! |
I've completed the initial phase of asking my naive questions, which Michael has been graciously helping me with. The Markdown has been successfully converted to Google Docs, and you can find the document here. @dehatideep has also mentioned that he’s started reviewing the material independently. It might be a good idea to wrap up this initial round of "naive" questions and aim to convene with @baentsch and everyone else next week. Considering our locations—Michael in Switzerland, Deep, @hubbertsmith, and myself on the US West Coast, and @SophiaUgo in Nigeria—I suggest we meet at 10:00 AM PT (US West Coast) / 7:00 PM CET (Switzerland) / 6:00 PM WAT (Nigeria). If that doesn’t work, we could also consider 8:00 AM PT / 5:00 PM CET / 4:00 PM WAT as an alternative time. |
Confirmed -- Self-assessment received.
Meetings, yes please; discussion is how we improve.
Generally, I am OK with those times. I can do earlier to make it more
convenient for others.
Do we know a day and cadence yet?
Cheers
|
@baentsch I have added my Qs in the google doc assessment. Please see and clarify. Sorry for the delay. |
@anvega Will you send an invite for the slot above? Which day? Hope I will still be awake enough to give reasonable answers (am an "early bird"). Any questions ahead (via the Google doc) thus would be welcome. I answered all by @anvega and @dehatideep so far. |
@baentsch @dehatideep How about 9 AM PST / 4 PM CET this coming Friday or next Tuesday? |
I'm OK with Friday (anytime other than 9am MDT) |
@baentsch @anvega Funny that Fri 9 am PDT is the only day when I am not available. Please choose any day except this Fri. Thank you. |
Hmm, 9 AM PST would be 6 PM CET, no? Assuming the PST time is right, Fri 1800 would be good for me, Tue 1800 would not be (OQS team call at 1830). |
@baentsch @anvega Unfortunately I have a work-related event on Fri, morning (PT) to afternoon, so I cannot manage at all. Tue I can manage in the morning except 7:50 am PT - 8:30 am PT. 8:30 am PT would be 17:30 CET. |
This then seems to suggest 1h max @ next Tue, 8:30am PST/1730 CET/1530 UTC. |
That works for me @baentsch |
Yes, next Tue, 8:30 AM PT works for me. @baentsch |
@anvega For the avoidance of doubt: I don't have a Zoom link available, so could you please send/post an invite as per the above with suitable login data? Thanks in advance! |
@anvega Are you out there? OK with you making available meeting details for the slot above tomorrow? |
works for me |
I'm returning from a trip that ended up being extended beyond the original plan. Instead of meeting tomorrow, let's reschedule for Thursday. I'll send a Zoom link that requires only password authentication, without the need for an account. If you prefer Google Meet, we can easily switch to that. I'll schedule it for an hour but plan for 45 min. |
Sorry, that doesn't work for me: I'm on the road Thu-Sat. Afterwards OK again, but then with rather mercurial Internet connectivity in our holiday home: I have a hunch there's still a microwave radio link involved connecting the island: Video often drops out, but speech is OK except in strong gales. Yes, I know, sad for the 21st century but it is how it is. Pick any day at 1530 UTC from Sep 1 onwards. |
I am on Zoom, waiting in the lobby :o(
…On Mon, Aug 26, 2024 at 3:42 PM Andrés Vega ***@***.***> wrote:
Topic: OQS Security Assessment
Time: Aug 29, 2024 08:30 AM Pacific Time (US and Canada)
Join Zoom Meeting
https://us04web.zoom.us/j/71432666369?pwd=klhOaaVA6bNF2JuKy9Jv4SA8y2qMJN.1
Meeting ID: 714 3266 6369
Passcode: FZPrx1
|
My bad, it's Thursday... see you then
|
@hubbertsmith FWIW, I also won't be there on Thu, either (see comment above). Besides, it originally had been scheduled for 1530 UTC, i.e., only in 30mins. |
Tagging @anvega to reschedule as per the above, if you'd like me to participate. |
Could we aim for 1530 UTC next Tuesday? Let me know if that works for you, or if there's a better day next week |
Works for me too
…On Wed, Aug 28, 2024 at 10:35 PM Deep Patel ***@***.***> wrote:
@anvega <https://github.com/anvega> @baentsch
<https://github.com/baentsch> 1530 UTC (08:30 AM Pacific Time) on Tue,
Sep 3 works for me. Thank you.
|
@anvega I do not see any Zoom meeting info for today's (Sep 03) meeting. Can you please share whether this meeting is still on? |
I am waiting in the Zoom link for Aug 29 (assuming that is still valid -- "waiting for the host to open"....) |
@baentsch Zoom doesn't allow me to use the Aug 29 meeting link. I tried using just the meeting ID but it gets stuck saying the meeting was on Aug 29. |
@dehatideep Nope -- the link works OK (I'm using the browser access, not the app) -- it does state "Aug 29", but it opened OK -- just waiting for the host... @anvega : Any other link to use?? |
Maybe a calendar invite would have been better (sync'd with the alarm clocks for folks on the Pacific rim :-) |
Yes :) , I am on the West Coast too! |
@anvega I'll stay on until 1545 UTC and then call it a day (for me it's about dinner time :). Please reschedule (maybe indeed with calendar reminder) for the same time another day that suits everyone. I'm available all (next) days except Friday. |
@baentsch I am not able to join the Aug 29 meeting at all; it bails out every time saying "Aug 29 meeting". I am hanging here till you are around, just in case Andres joins. If he does, we'll probably need a new meeting. |
OK -- I'm indeed leaving now ... Thanks @dehatideep for "having been (t)here" -- hope to meet you another day! CU |
Apologies—I had a minor accident over the holiday here in the US that required a checkup, but I'm finally back online after being discharged. I have emails for Michael and Deep, and I'll move the coordination to email to ensure everyone gets the calendar invite. |
Thanks and take care! |
Take your time: First get well, @anvega ! |
@baentsch I have a SonarQube static analysis with me. There are a few issues, and I assume they could all very well be captured under open-quantum-safe/oqs-provider#514, though issue #514 is a Coverity scan. The majority of issues are in test code; do you care about that, or only about the oqsprov and oqs-template code? My scan result URL is not public, so I can put it in a Word file pointing to the issue, code snippet, and probable fix. Do you want me to create one and attach it to issue #514? Below are the findings, but some careful looking suggests real issues are less than 10%. |
Thanks for sharing the report @dehatideep .
Fascinating observation: Indeed, I took less care when doing the test code as opposed to the actually running oqsprov code, but I wouldn't have imagined it becomes so clearly visible :-/ To answer the question: oqsprov takes precedence, but the rest should also be clean as wrong testing might also hide "real code" problems.
I wouldn't do that: These are different tools, so different issues should be used to report/fix them (unless you'd say that open-quantum-safe/oqs-provider#514 pretty much covers everything that your tool detects (?)). Finally, while I'm happy that several people look at the problem with different tools, this is not creating a long-term, continuous guard for oqsprovider: The code will continue to evolve and it cannot be a solution that you regularly manually run a tool to fix problems someone else introduced in a PR: CI should flag such problems and the original author should also fix them. |
@baentsch Thank you for your response and clarifications. I'll create an issue and will attach the findings that are indeed issues. |
@baentsch @anvega |
This assessment is complete and the following findings were shared with the oqsprovider team:
Given that this feedback was enough to get the general feedback, this issue is closed from the assessment perspective. |
Project Name: oqsprovider (Open Quantum Safe provider for OpenSSL 3.x)
Github URL: https://github.com/open-quantum-safe/oqs-provider
Issue tracker: open-quantum-safe/oqs-provider#451
The oqsprovider project offers standards-track post-quantum key exchange, authentication, and ciphersuites in the TLS protocol without requiring code changes to any installation running OpenSSLv3.
The project is now part of the Linux Foundation PQCA. This will be the first time an assessment is done for a project not seeking to progress stages in the CNCF, but solely for sensibly "scrutinizing" it.
As @baentsch expressed:
"Most things are pretty obvious but I'm feeling an ethical obligation to first witness more committed contributors before implementing/declaring as "good" things this self-assessment suggests. Otherwise, I'd be afraid this would create a false sense of reliability to users ("badges", "alliance endorsement", etc marketing fluff) -- all the while the code is [maintained thanklessly by the proverbial random guy in Nebraska](https://www.theregister.com/2021/05/10/untangling_open_sources_sustainability_problem/) (err, Switzerland :)."
The project lead has completed a self-assessment, and I volunteer to be the lead reviewer. I declare a soft conflict of interest, having made a cosmetic contribution by fixing the CI build badges of another Open Quantum Safe project and starting to use it in my work.
Maybe I can interest @mnm678, @JustinCappos, and @hlandau to participate as reviewers.