incubator-ooo-dev mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Neutral / shared security list ...
Date Tue, 25 Oct 2011 21:01:26 GMT

Umm, head-slap moment.

I happen to be the proud owner of worthiness.org.  

Truly.  

It is not hosted, but I have been sitting on the domain name for several years.  It was part
of my M.Sc in IT project on Open Systems Trustworthiness.  I won't go into that here.  There
is a reasonable capsule of where I got on the subject of trustworthiness here: <http://orcmid.com/blog/2008/05/trust-but-demonstrate.asp>.
 I stand by that.  For the current conversation, it is useful to leap to the end.

I have the domain so I could create an organization with regard to certification and assurance
processes. I fancy trust@worthiness.org as an identity with regard to digital signatures for
attestations and counter-signing of other attestations that had been audited successfully.

This can be made available for a security-community retargeting too. 

It is clearly INELIGIBLE for a *trustworthy* neutral HOSTING.  First, if I fail to renew the
domain-name lease (by disappearing from the mortal plane, or other disability), too bad. 
Secondly, if the hosting site I would lease anything on were to fail or be hacked, I would
have no recourse.  And then there is the matter of vigilance around the site, its backup,
and most of all, protection of the sensitivity of the conversations that are conducted on
its list. As an individual, I am not able to offer the care that is required, nor should I
be relied upon to do so.

So, that's how neutrality is not trustworthiness, OK?

On the other hand, worthiness.org might be useful.  I am rather attached to it though.  

 - Dennis

(It is difficult to find domain names with "trust" in them, which is why I have the peculiar
TROSTing.org domain too -- that and an inability to come up with a meaningful project title
that abbreviated to TRUST.)

-----Original Message-----
From: Dave Fisher [mailto:dave2wave@comcast.net] 
Sent: Tuesday, October 25, 2011 13:01
To: ooo-dev@incubator.apache.org
Subject: Re: Neutral / shared security list ...


On Oct 25, 2011, at 10:55 AM, Michael Meeks wrote:

> 
> On Tue, 2011-10-25 at 10:22 -0700, Dave Fisher wrote:
>> You are welcome! I'm looking for common ground and I am trying to listen to logic.
> 
> 	:-)
> 
>>> 	So where does that leave us ? one approach that hasn't been discussed
>>> (and is perhaps a good compromise) - is for me to go ahead and set up the
>>> list @freedesktop, and for you guys to advertise the @ooo alias on your
>>> pages, and us to advertise the freedesktop one on ours.
> ..
>>> 	What do you think ?
>> 
>> I think we are getting somewhere. The last detail is which is the real ML
>> and which is the forwarder. While the AOOo project might prefer to have
> 
> 	Fair point - for ultra-fairness we should perhaps publish two
> forwarding addresses - securityteam@oo.o and securityteam@tdf one each,
> both pointing at the neutrally hosted list.

This leads to an interesting approach that can be taken by any peer.

(1) There is a neutrally hosted Security ML for all Peers. Individuals are signed up representing
one or more peers. The individuals are private. The peers are public. LO, AOOo, ODF Toolkit,
RedOffice, Lotus Symphony, ...

(2) Each peer project can maintain their own private security list.

(3) Each peer project has an email forwarder that forwards email to (1) and optionally (2).

(4) Each peer project should have a security page with links to any private security list
and when to use the neutrally hosted / shared list. Having a public list of the peers on the
shared list is essential to properly informing the user where they are sending their security
report. If the peer list included links to each peer's security web page that would be helpful.

A neutral domain name like "office-security.org" would be registered. Perhaps Team OpenOffice
can help by buying the domain and setting up Mailing list hosting. I suspect that hosting
details can be discussed among the securityteam@oo.o members.

Regards,
Dave

