Date: Fri, 1 Apr 2011 19:42:09 -0400 (EDT) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: Closed list ----- Original Message ----- > > I'd prefer if any private replacement for vendor-sec were either: > > 1. Strictly limited to vendor coordination of embargoed security issues > (with membership reflecting this purpose), or > > 2. Opened up to researchers who have contributed knowledge and findings > in this area, and are deemed trustworthy by other list subscribers or > some other community opinion. > > In other words, it doesn't make sense to me to use "member of the old > vendor-sec" as the only requirement for subscription, as some of the old > members may not be eligible depending on the purpose of the new list. I > understand that this is just a preliminary solution, but I think the > question of membership should be sorted out sooner rather than later. > I agree, the membership requirements are a bit vague. IIRC Chris Evans was the only researcher on the list, the rest represented a vendor in some manner. Sadly it was about the only thing I could think of that wasn't going to piss someone off (which it probably does anyway ) ;) Long term I'd like to see two lists, one for purpose #1, and another geared toward #2. I think having a trusted venue for knowledge sharing would be very useful, and we likely don't want the list clogged with coordination details. This will of course rely heavily on what Openwall is willing to take on. They're already taking on a lot of risk and responsibility, I don't want to spoil the good will. Now that I see all these requests coming in, I'm quite certain I was too vague. All gpg keys should really live on a public server (I've not checked to see if this is the case). If someone needs to mail you directly, your key should be easy to find. Should we require members use a mail address from their vendor? Letting people use personal addresses creates an opportunity for people to remain on a list when they are no longer a part of a given vendor (it also makes it quite easy to know who represents a vendor). Also, for those of you interested, I picked up a couple of OpenPGP cards for myself (kernel concepts sells them for a reasonable price). Using gpg on a regular basis with keys stored on disk creates an opportunity for key theft. If you have a smartcard, this isn't an issue (it's certainly not without its own set of potential problems though). As a warning, key creation on the gemalto and omnikey usb sim sized readers has been problematic. I hear full sized readers work (at least the folks I've discussed this with say they do). Thanks. -- JB
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.