oss-sec mailing list archives
Re: Closed list
From: "Mike O'Connor" <mjo () dojo mi org>
Date: Fri, 1 Apr 2011 22:13:05 -0400
:> Should we require members use a mail address from their vendor? Letting
:> people use personal addresses creates an opportunity for people to remain
:> on a list when they are no longer a part of a given vendor (it also makes
:> it quite easy to know who represents a vendor).
:>
:
:Yes, I think this should be a requirement for a closed coordination
:list (as opposed to the more relaxed option #2).

In fact, I think I use my personal address rather than my work address
for handling vendor security matters because:

a) My personal address is more secure and auditable by me. I control my
encrypted filesystems, the SMTP and primary DNS servers, Internet
connectivity up to an IXP, AS route announcements of IP space I control,
etc. When there were leaks with vendor-sec, I could readily validate that
I wasn't leaking. I'd be far less able to do so if mails were routed
through my employer's infrastructure.

-and-

b) My personal address has infrastructure that doesn't suck. It's much
better able to cope with virus and spam outbreaks, without silently
stripping out emails because some attachment contains the wrong file
extension for the spam firewall that day. Being behind some god-awful
Exchange server, because it's how the IT folks tie corporate-issue email
to corporate-issue smart phones... BARF!

Also, the "no longer part of a given vendor" threat assumes that the
vendor won't keep the email address active after the person associated
with it has left. I know of one case where that wasn't true, where the
address was tied to "outside world" security stuff since the employee
wouldn't/couldn't/didn't use a "role account" consistently. (And yeah,
I was given his PGP pass phrase for his work email, too... <groan>)

The vetting should be about more than email domains. There should be
periodic maintenance of who's on the list to cull out those who aren't
involved. Marcus did that to some degree with the vendor-sec of old.
I think the biggest problems there were the exploders and the lack of
encryption, and both of those are being addressed with this new list as
I understand things.

:In a nutshell, I think this list needs to decide what its purpose is.
:If it's for coordination for vulnerability disclosure, then its
:membership should be kept to those who actually need to do the
:coordination. If it's for private (or semi-private) discussion of
:potentially sensitive research, knowledge sharing, etc., then its
:membership should be expanded to include representation from software
:vendors and researchers.

I think that having a couple lists, one for "tactical" issues (e.g.
embargoes and CVE assignment) and another for "strategic" discussions
(e.g. "how to deal with vagaries in gcc vs. C standards with general
security impact") may be appropriate. I'm part of another security
community which has such a notion, and it seems to help in keeping
things focused, FWIW.

Thanks,
-Mike

--
Michael J. O'Connor                                        mjo () dojo mi org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"A bachelor's life is no life for a single man."            -Samuel Goldwyn