[Gpg4win-devel] Informsec Small technology Grant Round 2
Bernhard Reiter
bernhard at intevation.de
Tue Feb 5 17:42:15 CET 2013
Intevation and g10 Code have meanwhile applied for the:
On Monday, 14 January 2013 15:32:09, Bernhard Reiter wrote:
> On Monday, 14 January 2013 12:38:46, Bernhard Reiter wrote:
> > > https://www.informsec.net/techgrants2/
> > > as a "Small Technology Grant" Round 2
the grant will be awarded on the 15th of February, so wish us luck! :)
Below I'm attaching some details from our application.
I'm posting it here for the record. (Would have used the wiki, if we had
one. ;)
Best Regards,
Bernhard
The German companies Intevation GmbH and g10 Code GmbH apply for this
grant as partners. They are both located in the north-western part
of Germany, about 2 hours away from each other by train.
Both companies are owner-run, vendor-independent software companies
that only create and deliver services for Free Software (Open Source).
They have been working together on the topic of email cryptography since 2001,
when they started to work on porting GnuPG to the Windows platform.
Intevation's and g10 Code's second project together was a contract for the
German Federal Agency of IT-Security (www.bsi.bund.de) to integrate S/MIME
crypto mail based on GnuPG into the Free Software email applications KMail and
Mutt.
Project Description
-------------------
In order to communicate files and emails safely, people and organizations
depend on the availability of strong cryptography in software. Public key
cryptography is especially useful as it does not depend on secure channels to
transfer an encryption key. The existing Free Software (Open Source) product
Gpg4win provides such a solution for users of the popular Windows operating
systems by Microsoft (see www.gpg4win.org). Gpg4win is based on GnuPG and
supports both OpenPGP and S/MIME as widely known email and file encryption
standards. GnuPG is fully compatible with other software solutions implementing
these standards.
The aim of this project is to make this crypto functionality available to
more users worldwide. The currently available versions of Gpg4win are 2.1.0
and 2.1.1-beta117. They have not kept up with a number of technical
developments since the release of the last major version, Gpg4win 2.0.0, in
2009. Many users now run 64bit versions of Windows or newer versions of
Windows itself, like Windows 7 and 8, while Gpg4win is still a 32bit
application tested and developed for Windows XP and Vista. It still runs
partly on Windows 7 64bit, but one important problem is that there is no
32bit Explorer anymore on those systems. This causes the Explorer extension
of Gpg4win, called GpgEX, not to work on 64bit Windows. In addition, some of the
components of Gpg4win need to be upgraded to newer revisions, closing
potential security holes.
Users all over the world have tried Gpg4win in recent years and some
have reported problems with non-latin character encodings or other missing
parts of the software. They have filed a couple of hundred reports in
issue trackers like bugs.kde.org (for the certificate management application
called Kleopatra) or bugs.gnupg.org (for the crypto backend). While it is
perfectly normal for software applications to have a number of open reports,
the lack of some features effectively prevents a more widespread usage of
Gpg4win.
The goal of the project is to improve Gpg4win and release new versions
of it. The new versions will be more secure and run on more variants of
Windows that are out there. Furthermore, some wanted features, customization
possibilities and missing documentation bits will be added. The result is that
more users can use crypto to be sure from whom the message came and that the
transfer was not eavesdropped on. Part of the funding will also enable
more interaction with the user community to gain feedback from their "field"
experience.
Describe how you plan to address the above problem with this grant funding
--------------------------------------------------------------------------
The grant will be used to pay salaries and additional costs for improving
Gpg4win. This means improving the software, documentation, website and its
user community. The companies applying for the grant employ people that have
created Gpg4win and helped to maintain it in recent years. These people have
professional experience in improving Gpg4win and they will coordinate by
technical means and a few physical meetings.
The source code of Gpg4win and its components like GnuPG and Kleopatra
is already available to the public. Development of this Free Software happens
in the open, with English as the primary language. Delivery of the project
results will be in the source code repository, by downloadable installers and
documentation updates on the website. The communication with the development
and user communities may also happen via other public channels, such
as issue trackers or mailing lists.
Technically, Gpg4win consists of several software components that
are integrated and built into an installer for several variants of the
Windows operating system. The components themselves and the installer are
internationalized, with the German and English translations being most
complete, but others available as well. All Free Software components will be
checked and adapted for new revisions that have meanwhile been published, so
they can be integrated. Improvements will be made to the standard GUI
called "Kleopatra", the "pinentry", the explorer plug-in "GpgEX", the Outlook
plug-in "GpgOL" and parts of the backend. As an additional test, we will
see how well Gpg4win already runs on Windows 8. The documentation and website
will be improved to reflect the progress of the new Gpg4win releases.
Provide step-by-step description of the tasks and specific timeline
-------------------------------------------------------------------
(In order to keep this application readable, this section has been kept
deliberately brief and assumes knowledge of software engineering and some
technical security terminology. The applicants are happy to provide further
explanations on request.)
Timeline: The goals of the project shall be reached within five months
after starting it. Another month should be reserved as a buffer to cope with
unexpected events. In an optimistic scenario, the project can be concluded
within four months. So the overall timeline is between four and six months.
The first milestone comes after about one month, the second is realized
within a further 2-3 months, and another month is needed for the third and
concluding milestone. See the list of milestones below.
At first, new test systems for Windows 7 and Windows 8 64bit are set
up, using virtual machines to provide reproducible results. Some of the
existing development computer setups can be reused, while others have to be
rebuilt. At least g10 Code will have to purchase and set up one new modern
computer for this project.
To reach the first milestone, all components are evaluated to see if
new revisions of libraries have come out and if they can and should be
integrated, e.g. the libpng library and similar technical libraries used. For
Kleopatra this means updating its GUI library Qt to the stable version 4.8.4
and using the KDE Platform and PIMlibs version 4.9.x. This will enable
non-latin locales and remove several other GUI defects of Kleopatra on
Windows. While doing so, we will visit and react to all 'problem' reports for
Kleopatra (93 at time of writing, 2013-01-24) on bugs.kde.org and the tracker
of the Gpg4win website.
The release process (which will be done three times) of the Gpg4win
installer means the following steps: An installer is built and used to test
the functions and the installation procedure of the software. The website and
documentation will be updated and the release announced via several public
channels.
After the first milestone has set a solid basis, there is a slightly
longer project phase in which the new functions improving the current Gpg4win
will be developed. We will add the ability to paste passwords into the
component that accepts them, called "pinentry". This improves security by
making it possible to use longer passwords for rarely used keys that many
users keep in a separate password store.
(The ability to paste something into the "pinentry" application has been
requested often, because people just use a separate password store. While
the security of having such a password store is doubtful in a number of
circumstances, feedback has shown that if the paste feature is missing from
Gpg4win's pinentry, there is a lowered chance that people will accept and
use Gpg4win. Then they often fall back on using something which is a lot less
secure than keeping the password store and using Gpg4win.)
GpgEx, the explorer plug-in, will be ported to the 64bit Windows Explorer
architecture. This means changing internal data structures and build options
used by GpgEx and the libraries necessary for GpgEx.
For GpgOL we will develop a simple new version that will be able to
run in Microsoft Outlook 2010. This simple version will only be able to do
context menu operations on texts and attachments, but will _not_ offer the
full OpenPGP/MIME handling capabilities of GpgOL for Outlook versions 2003
and 2007. In contrast to the full OpenPGP/MIME capabilities this simple
version of GpgOL can be developed with far less resources.
The Gpg-Agent will be extended to be able to act as the private key
agent for PuTTY (which is a widely used software for secure remote access
based on the SSH protocol). This way, users can manage their SSH keys with
GnuPG, attaching them as subkeys. And they can use all possibilities of
Gpg-Agent, e.g. to keep the secret keys on smart cards, which protects the
private SSH key against any attacker without direct physical access.
In the third phase of the project, leading to milestone three,
feedback from the beta release will be incorporated, and a portable version
of Gpg4win will be produced. The portable version of Gpg4win will be able to
run the components of Gpg4win (excluding GPA, Claws, GpgEx and GpgOL) without
installation directly from some media, e.g. a USB stick. (This is often done
by using a USB stick and then starting the software from it. This practice is
doubtful in many circumstances, as a simple keylogger or a tampered host
computer will still be able to attack the user's secret key. Thus it is
important to secure the computer, even if you use a portable version. However,
having the portable version available raises the chances of people being
able to use Gpg4win more often and thus of being able to protect their
communications by strong cryptography.) Technically, some file names and
configurations are tweaked, including the necessary test and documentation
improvements.
Project Personnel
-----------------
Werner Koch
Andre Heinecke
Emanuel Schütze
Bernhard Reiter
Proposed Milestone #1:
This is a new Gpg4win release which mainly updates all components to
their newest variants. This includes the GUI manager Kleopatra, which will
then run on Windows versions with non-latin encodings.
Proposed Milestone #2:
For the second milestone all new features will be completed and
released, leading to a Gpg4win beta release, so that feedback can be gathered
for the improvement. This includes the enhanced components: GpgEx, GpgOL,
pinentry and gpg-agent.
Proposed Milestone #3:
A stable Gpg4win installer has been released. The version is tested
and usable. Feedback since the Milestone #2 release has been incorporated.
The project is fully completed.
Project Finances
----------------
Do you have additional funding to accomplish the described project?
No additional funding for this particular project. A few years ago
there were a number of contracts to improve Gpg4win. We also accept
donations for the maintenance of Gpg4win, which sometimes can fund a minor
update release of Gpg4win.
What is the specific source of this additional funding?
Donations usually by single persons.
What is the amount of this additional funding?
Projected about 1250 USD per 6 months from 30 donors, see
http://lists.wald.intevation.org/pipermail/gpg4win-devel/2013-January/001190.html
Calculation of Rates
--------------------
While Intevation and g10 Code are both for-profit companies, we are applying
for this grant based on our internal costs. (A usual market rate in the
security software business would be between 100 and 180 EUR per hour.)
To give you a comparison, here are the costs Germany's Federal Administration
has officially published for federal employees in the public sector, as
compiled from 2010/2011. The calculation is described in the German
document "Personalkostensätze, Sachkostenpauschale und Kalkulationszinssätze
für Kostenberechnungen und Wirtschaftlichkeitsuntersuchungen 2011" [1].
Their costs are calculated in the following way:
- The average number of working days per year in Germany is close to 200
(considering vacation, public holidays and times of sickness) (see [1] page
6), or 16.5 days/month.
- The direct salary and social benefit costs for the employee, see the
tables in [1].
- "Personalgemeinkosten" for the indirect costs of an employee, which amount to
30% on average. This includes support office staff like system
administration, controlling and team leadership (page 4).
- Material costs and rent, summing up to an average of 12,217 EUR per year for
the workplace. It is called "Sachkostenpauschale" and includes all materials,
office space, IT equipment and supplies (pages 14 ff.), resulting in an
average of 1005 EUR/month.
Within this project the work must be done by skilled software engineers; a
comparable rate would be the lowest salary level applicable for college
graduates in the German public service, which is "E09". The "direct"
employer's costs according to [1] would be 51,106 EUR/year or 4258/month. Now
the indirect costs ("Personalgemeinkosten" and "Sachkosten") would be added as
shown above.
[1]:
http://www.bundesfinanzministerium.de/Content/DE/Standardartikel/Themen/Oeffentliche_Finanzen/Bundeshaushalt/personalkostensaetze-2011-anl.pdf?__blob=publicationFile&v=6
--
www.intevation.de/~bernhard (CEO) www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner