[nsp-sec] Circle of trust [was: Vetting: Wang Hua]
William Allen Simpson
william.allen.simpson at gmail.com
Fri Jan 29 11:02:00 EST 2010
Yiming Gong wrote:
> I should clarify things a little bit here, I knew Wanghua (used to have
> a work relationship with him for about 2 years).

That's a perfectly valid vouch. Heck, that's a better vouch than many
I've seen recently....

While I agree with Patrick (I'm afraid the /de facto/ standards have been
slipping a bit), I'm also fearful that our /de jure/ standard may be
escalating in the wrong direction.

There's a bit too much emphasis on job title or personal importance.
That's not how we started.

I've seen folks resign because they've changed companies or changed
position within companies. IMHO, that's wrong. We vet the person, not
the "corporate contact".

> "Wanghua can be a good person whom the security community can talk to
> and hopefully baby-steps can be taken " is he is not a dedicated
> security guy at CT (and CT does not have any) and I am not sure how much
> effort he can or will make,

When there were only a dozen of us, that was a fairly good description.
We had contacts with our peers and upstreams, and passed along problems.
There is/was no promise that the problems could/would be fixed.

Heck, we cannot promise things will be fixed by customers!

There's no need to be a "dedicated security guy" -- as in the full time
VP of network security. There's much need for *dedicated* security folks --
as in seriously committed to improving security.

> He applied for nsp-sec, which to me sounds like he is interested in
> doing something. With so many security incidents pointing to CT network,
> having a representative on the list and letting CT realize how bad
> things are probably is a good idea.
>

Agreed.