[nsp-sec] Circle of trust [was: Vetting: Wang Hua]

Kevin Oberman oberman at es.net
Thu Jan 28 13:51:41 EST 2010


> From: "Patrick W. Gilmore" <patrick at akamai.com>
> Date: Thu, 28 Jan 2010 13:03:31 -0500
> Sender: nsp-security-bounces at puck.nether.net
> 
> ----------- nsp-security Confidential --------
> 
> On Jan 28, 2010, at 12:37 PM, Yiming Gong wrote:
> 
> >> My understanding is that we already have a CT person here, and at least one CNCERT person.
> >> 
> >>  
> > Yes, we got another CT person here but I never saw her talking. I know she is not from CT headquarters and probably she cannot talk much. CNCERT has nothing to do with CT.
> >> But more importantly, vouches should be for the person, not for the company.  Especially when the company in question is partially owned / controlled by a gov't which, if not directly at least indirectly, is in direct opposition to this list's primary goal.
> >> 
> >>  
> > Understand, but in this case, there is no perfect candidate at this point (I don't think CT has one), my thought is that the right guy won't magically show up and isolating CT is not the right direction to go. As the vice director of CT NOC, Wanghua can be a good person whom the security community can talk to and hopefully baby-steps can be taken.
> >> If you vouch for _WANG_, fine with me (and hopefully the rest of the list).  If you are vouching for "a CT engineer", I would argue that is an invalid vouch.
> 
> I will take that as "I cannot vouch for the person Wang Hua, but would
> like another CT person here and Wang's position sounds right".
> 
> As such, I strenuously suggest to the admins that this vouch not be
> considered valid.  I am not interested in baby-steps that risk the
> security of this list.
> 
> If the admins disagree with me, especially if this type of thing has
> happened in the past and I just did not know it, I would appreciate it
> if the admins would let me know.
> 
> The circle of trust is a serious thing.  If it is violated, and I
> consider this a violation, it will ensure that I post nothing to
> NSP-SEC that I would not post to NANOG.  I'm sure many here already
> consider NSP-SEC no more secure than NANOG, but I was not quite to
> that point yet.  Perhaps I should be if this is how far the circle of
> trust has degraded.

I also must agree. While a good contact at CT is a desirable goal, it is
not grounds for vouching for someone that we don't feel really confident
deserves the trust.

Unless list members can vouch for the person being vetted from direct,
personal experience, the person should not be added.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751


