[nsp-sec] Circle of trust [was: Vetting: Wang Hua]
Chris Calvert
Chris.Calvert at telus.com
Fri Jan 29 11:41:50 EST 2010
William wrote:
> Yiming Gong wrote:
> > I should clarify things a little bit here, I knew Wanghua (used to have
> > a work relationship with him for about 2 years).
>
> That's a perfectly valid vouch. Heck, that's a better vouch than many
> I've seen recently....
>
> While I agree with Patrick (I'm afraid the /de facto/ standards have been
> slipping a bit), I'm also fearful that our /de jure/ standard may be
> escalating in the wrong direction.
>
> There's a bit too much emphasis on job title or personal importance.
> That's not how we started.

I think what this all boils down to is this:

If someone KNOWs and TRUSTs Wanghua, then they should vouch for him. (Yiming, I'm unclear on whether you KNOW and TRUST Wanghua or if you just KNOW Wanghua.)

If someone thinks this community NEEDS CT REPRESENTATION but they don't know and trust him, then they should not vouch.

I don't think there is any question that the Internet security community needs stronger working relationships in a variety of regions, China being one example. I've seen great responsiveness and willingness to help out of CNCERT/CC in the last few years, and that would be great to see out of other organizations in regions like China.

China's networks source a lot of malicious traffic. People that are trusted and willing to at least try to help are needed, but we can't have only one half of that requirement pair.

So, my stance on this is:

I don't know Wanghua. I cannot vouch. I agree the community could benefit from trustworthy connections at China Telecom and other organizations. I'm not in favour of gambling on getting some benefit at the expense of welcoming anyone onto the list that is vetted properly.

Chris