[Owasp-board] Vote Request - OWASP Participation at RSA (Update)

Michael Coates michael.coates at owasp.org
Tue Jan 7 18:33:55 UTC 2014


Board,

Here is the current status of the vote:

Michael - Yes
Tom - No vote cast or opinion stated
Tobias - Yes
Fabio - clarification needed
Josh - Yes
Jim - abstain
Eoin - abstain






--
Michael Coates
@_mwc



On Tue, Jan 7, 2014 at 8:32 AM, Michael Coates <michael.coates at owasp.org> wrote:

> Fabio,
>
> Thanks for your thoughts and reading through the thread of discussion.
>
> Can you clarify your position in regards to the proposed vote? In addition
> to whether or not OWASP provides the free training there is also the
> element of co-marketing with RSA. Sarah provided all the details here (
> http://lists.owasp.org/pipermail/owasp-board/2014-January/012876.html)
>
> The proposed vote is to cancel the co-marketing contract and, if possible,
> still provide the free training. This specifically means OWASP would be at
> RSA; however, we would not be engaging in any promotion of the event per
> the contract outlined in Sarah's email.
>
> Here is the exact wording proposed:
>
>
> OWASP will terminate the co-marketing agreement with RSA for RSA 2014.
> This may place our training at risk, but if permitted we will still
> provide the free training at RSA and the OWASP speaking slot.
>
>
>
> Thanks,
> Michael
>
>
>
>
>
>
> On Tue, Jan 7, 2014 at 6:23 AM, Fabio Cerullo <fcerullo at owasp.org> wrote:
>
>> Hey guys
>>
>> Apologies for the silence in the last couple of days. It took me a while
>> to read the whole thread and review external sources as well while on
>> the road.
>>
>> As Eoin's just stated below, we need to take an 'in or out' decision.
>>
>> Cancelling the contract but maybe delivering training is not an option.
>>
>> To his question "*Are we to support RSAC this year given the
>> allegations?"*
>>
>> I would personally vote YES. My reasoning is as follows:
>>
>> - There is no concrete evidence about the allegations of a payout.
>> - RSA is firmly refuting any accusations.
>> - I still believe in the premise: "Innocent until proven guilty"
>>
>> I'm also monitoring the poll created by Simon to get a feel of the
>> Community and there is no clear distinction between one opinion or the
>> other. If the Community strongly believes we should pull out, and as a
>> matter of principles, I might be inclined to change my decision and vote NO
>> instead. But for the time being, my decision stands to go ahead as planned.
>>
>> In any case, if we (OWASP) are dropping our support and making an
>> official statement about 'weakening crypto in products is bad' I would highly
>> recommend for this document to be reviewed by a solicitor or qualified
>> professional before making it public. I don't feel it is OWASP's position to
>> accuse companies of any wrongdoings based on news articles or blog posts.
>>
>> Regards
>> Fabio
>>
>>
>>
>>
>> On Tuesday, January 7, 2014, Eoin wrote:
>>
>>> I am not voting but the topic that is up for vote is wrong in my opinion.
>>>
>>> Some media, people in general will see OWASP participation in RSA as
>>> negative, hence the debate.
>>> Cancelling a contract does not really cut it. It's "window dressing."
>>>
>>> Either we (OWASP) are engaging with RSAC or not, it's that simple.
>>>
>>> Delivering anything at RSAC shall be interpreted as a sign of support,
>>> this is the root cause of the debate: *Are we to support RSAC this year
>>> given the allegations?* (contract is circumstantial).
>>>
>>>
>>>
>>>
>>> On 7 January 2014 00:42, Tobias <tobias.gondrom at owasp.org> wrote:
>>>
>>>  My vote is: Yes. OWASP shall terminate the co-marketing agreement with
>>> RSA for RSA 2014.
>>>
>>> My reasons are:
>>>
>>>  1. community feedback and discussion (there seems to be a significant
>>> part of the community concerned about this) Note: I would have loved to see
>>> an OWASP community poll on this before making this decision to get a better
>>> feel for the wishes of our community, but acknowledge Michael's request
>>> that we need to decide this urgently.
>>>
>>>  2. we have an alternative (as outlined in Sarah's email, BSides) that
>>> can fulfil the goal equally.
>>>
>>>  3. I understand that there is a lot of uncertainty about RSA's level of
>>> involvement. And I don't feel in a position to make a final judgement about
>>> this. And as often with secrecy, we possibly never will be.
>>> But in this case we don't have to have final judgement. The co-marketing
>>> agreement is quite extensive and could be seen as active endorsement. To
>>> follow such an agreement we would need to have a very high level of
>>> confidence and trust in the other party. So already a reasonable shadow of
>>> doubt is sufficient grounds, to distance OWASP in this case from a very
>>> active co-marketing agreement with the company RSA, to avoid being
>>> interpreted as an active endorsement of a commercial entity currently under
>>> review. And we should abstain from actively endorsing RSA for the time
>>> being, until all facts of the case have been properly examined (note: not
>>> by us, as we are not an investigative body).
>>>
>>> In addition to that:
>>> I propose that OWASP should prepare and release a press release or
>>> public statement that OWASP thinks weakening or undermining crypto is a
>>> really bad idea. (I will be happy to assist with the preparation of the
>>> text.) This press release shall advocate our general OWASP principles and
>>> shall _not_ mention RSA, the RSA conference or any other company by name.
>>> (personal note: btw. RSA should have no problem with such a press release,
>>> as they officially deny any such activities...)
>>>
>>> All the best, Tobias
>>>
>>>
>>> Tobias Gondrom
>>> Owasp Global Board
>>>
>>>
>>>
>>>
>>>
>>>
>>> On 06/01/14 23:51, Michael Coates wrote:
>>>
>>>   "OWASP will terminate the co-marketing agreement with RSA for RSA
>>> 2014.
>>> This may place our training at risk, but if permitted we will still
>>> provide the free training at RSA and the OWASP speaking slot."
>>>
>>>  Michael - Yes
>>> Tom -
>>> Tobias -
>>> Fabio -
>>> Josh - Yes
>>>  Jim - abstain
>>>  Eoin - abstain
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Michael Coates
>>>
>>>
>>>
>>>
>>> On Mon, Jan 6, 2014 at 3:47 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>
>>>  Same here, I can't vote, I believe as the class delivery and material
>>> is mine and it would be a conflict.
>>> I would be a "no" if I could.
>>>
>>>  Not sure why participation in an event requires a vote given other
>>> events did not require such....
>>>
>>>  My view is based on
>>>
>>>  1.
>>>
>>> --
>>> Eoin Keary
>>> OWASP Member
>>> https://twitter.com/EoinKeary
>>>
>>>