Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 1 Apr 2011 19:42:09 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Closed list

----- Original Message -----
> 
> I'd prefer if any private replacement for vendor-sec were either:
> 
> 1. Strictly limited to vendor coordination of embargoed security issues
> (with membership reflecting this purpose), or
> 
> 2. Opened up to researchers who have contributed knowledge and findings
> in this area, and are deemed trustworthy by other list subscribers or
> some other community opinion.
> 
> In other words, it doesn't make sense to me to use "member of the old
> vendor-sec" as the only requirement for subscription, as some of the old
> members may not be eligible depending on the purpose of the new list. I
> understand that this is just a preliminary solution, but I think the
> question of membership should be sorted out sooner rather than later.
> 

I agree, the membership requirements are a bit vague. IIRC Chris Evans was
the only researcher on the list, the rest represented a vendor in some
manner. Sadly it was about the only thing I could think of that wasn't
going to piss someone off (which it probably does anyway ) ;)

Long term I'd like to see two lists, one for purpose #1, and another geared
toward #2. I think having a trusted venue for knowledge sharing would be
very useful, and we likely don't want the list clogged with coordination
details. This will of course rely heavily on what Openwall is willing to
take on. They're already taking on a lot of risk and responsibility, I
don't want to spoil the good will.

Now that I see all these requests coming in, I'm quite certain I was too
vague. All gpg keys should really live on a public server (I've not checked
to see if this is the case). If someone needs to mail you directly, your
key should be easy to find.

Should we require members use a mail address from their vendor? Letting
people use personal addresses creates an opportunity for people to remain
on a list when they are no longer a part of a given vendor (it also makes
it quite easy to know who represents a vendor).

Also, for those of you interested, I picked up a couple of OpenPGP cards
for myself (kernel concepts sells them for a reasonable price). Using gpg
on a regular basis with keys stored on disk creates an opportunity for key
theft. If you have a smartcard, this isn't an issue (it's certainly not
without its own set of potential problems though). As a warning, key
creation on the gemalto and omnikey usb sim sized readers has been
problematic. I hear full sized readers work (at least the folks I've
discussed this with say they do).

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.