[Owasp-board] Vote Request - OWASP Participation at RSA (Update)

Tom Brennan tomb at owasp.org
Wed Jan 8 13:57:27 UTC 2014


Simon,

When does this public community vote close?

https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0AmN7t2D5ENBddFhrNGw2d29wdDhJeUo2VWR5OEtINkE#gid=0





On Tue, Jan 7, 2014 at 5:16 PM, Michael Coates <michael.coates at owasp.org> wrote:
> Tobias & Board,
>
> Here are the updated votes.
> We have 3 YES votes, 1 NO vote, 2 abstain and Fabio's vote is unclear.
>
> This vote has quorum, with 6 of 7 board members' votes recorded (Fabio's vote
> pending), and a majority of the votes (3 of 5) voted in favor of the measure.
> Unless there are any other comments we should move forward with this
> finalized vote. Tobias, as Secretary any further comments on this vote? Can
> you record the results?
>
>
> Vote Proposal:
>
> OWASP will terminate the co-marketing agreement with RSA for RSA 2014.
> This may place our training at risk, but if permitted we will still provide
> the free training at RSA and the OWASP speaking slot.
>
> Vote Results:
>
> Michael - Yes
> Tom - No
> Tobias - Yes
> Fabio - clarification needed*
>
> Josh - Yes
> Jim - abstain
> Eoin - abstain
>
>
> From Fabio's email:
> "But for the time being, my decision stands to go ahead as planned." I'd
> interpret this as a NO to the proposal, but no vote has been recorded until
> Fabio clarifies.
>
>
> --
> Michael Coates
> @_mwc
>
>
>
> On Tue, Jan 7, 2014 at 10:33 AM, Michael Coates <michael.coates at owasp.org>
> wrote:
>>
>> Board,
>>
>> Here is the current status of the vote:
>>
>> Michael - Yes
>> Tom - No vote cast or opinion stated
>> Tobias - Yes
>> Fabio - clarification needed
>> Josh - Yes
>> Jim - abstain
>> Eoin - abstain
>>
>>
>>
>>
>>
>>
>> --
>> Michael Coates
>> @_mwc
>>
>>
>>
>> On Tue, Jan 7, 2014 at 8:32 AM, Michael Coates <michael.coates at owasp.org>
>> wrote:
>>>
>>> Fabio,
>>>
>>> Thanks for your thoughts and reading through the thread of discussion.
>>>
>>> Can you clarify your position in regards to the proposed vote? In
>>> addition to whether or not OWASP provides the free training there is also
>>> the element of co-marketing with RSA. Sarah provided all the details here
>>> (http://lists.owasp.org/pipermail/owasp-board/2014-January/012876.html)
>>>
>>> The proposed vote is to cancel the co-marketing contract and, if
>>> possible, still provide the free training. This specifically means OWASP
>>> would be at RSA; however, we would not be engaging in any promotion of the
>>> event per the contract outlined in Sarah's email.
>>>
>>> Here is the exact wording proposed:
>>>
>>>
>>> OWASP will terminate the co-marketing agreement with RSA for RSA 2014.
>>> This may place our training at risk, but if permitted we will still
>>> provide the free training at RSA and the OWASP speaking slot.
>>>
>>>
>>>
>>> Thanks,
>>> Michael
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Tue, Jan 7, 2014 at 6:23 AM, Fabio Cerullo <fcerullo at owasp.org> wrote:
>>>>
>>>> Hey guys
>>>>
>>>> Apologies for the silence in the last couple of days. It took me a while
>>>> to read the whole thread and review external sources as well while on the
>>>> road.
>>>>
>>>> As Eoin's just stated below, we need to take an 'in or out' decision.
>>>>
>>>> Cancelling the contract but maybe delivering training is not an option.
>>>>
>>>> To his question "Are we to support RSAC this year given the
>>>> allegations?"
>>>>
>>>> I would personally vote YES. My reasoning is as follows:
>>>>
>>>> - There is no concrete evidence about the allegations of a payout.
>>>> - RSA is firmly refuting any accusations.
>>>> - I still believe in the premise: "Innocent until proven guilty"
>>>>
>>>> I'm also monitoring the poll created by Simon to get a feel of the
>>>> Community and there is no clear distinction between one opinion or the
>>>> other. If the Community strongly believes we should pull out, and as a
>>>> matter of principles, I might be inclined to change my decision and vote NO
>>>> instead. But for the time being, my decision stands to go ahead as planned.
>>>>
>>>> In any case, if we (OWASP) are dropping our support and making an
>>>> official statement about 'weakening crypto in products is bad' I would highly
>>>> recommend for this document to be reviewed by a solicitor or qualified
>>>> professional before making it public. I don't feel it is OWASP's position to
>>>> accuse companies of any wrongdoings based on news articles or blog posts.
>>>>
>>>> Regards
>>>> Fabio
>>>>
>>>>
>>>>
>>>>
>>>> On Tuesday, January 7, 2014, Eoin wrote:
>>>>>
>>>>> I am not voting but the topic that is up for vote is wrong in my
>>>>> opinion.
>>>>>
>>>>> Some media, people in general will see OWASP participation in RSA as
>>>>> negative, hence the debate.
>>>>> Cancelling a contract does not really cut it. It's "window dressing."
>>>>>
>>>>> Either we (OWASP) are engaging with RSAC or not, it's that simple.
>>>>>
>>>>> Delivering anything at RSAC shall be interpreted as a sign of support,
>>>>> this is the root cause of the debate: Are we to support RSAC this year given
>>>>> the allegations? (contract is circumstantial).
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 7 January 2014 00:42, Tobias <tobias.gondrom at owasp.org> wrote:
>>>>>
>>>>> My vote is: Yes. OWASP shall terminate the co-marketing agreement with
>>>>> RSA for RSA 2014.
>>>>>
>>>>> My reasons are:
>>>>>
>>>>> 1. community feedback and discussion (there seems to be a significant
>>>>> part of the community concerned about this) Note: I would have loved to see
>>>>> an OWASP community poll on this before making this decision to get a better
>>>>> feel for the wishes of our community, but acknowledge Michael's request that
>>>>> we need to decide this urgently.
>>>>>
>>>>> 2. we have an alternative (as outlined in Sarah's email, BSides) that
>>>>> can fulfil the goal equally.
>>>>>
>>>>> 3. I understand that there is a lot of uncertainty about RSA's level of
>>>>> involvement. And I don't feel in a position to make a final judgement about
>>>>> this. And as often with secrecy, we possibly never will be.
>>>>> But in this case we don't have to have final judgement. The
>>>>> co-marketing agreement is quite extensive and could be seen as active
>>>>> endorsement. To follow such an agreement we would need to have a very high
>>>>> level of confidence and trust in the other party. So already a reasonable
>>>>> shadow of doubt is sufficient grounds, to distance OWASP in this case from a
>>>>> very active co-marketing agreement with the company RSA, to avoid being
>>>>> interpreted as an active endorsement of a commercial entity currently under
>>>>> review. And we should abstain from actively endorsing RSA for the time
>>>>> being, until all facts of the case have been properly examined (note: not by
>>>>> us, as we are not an investigative body).
>>>>>
>>>>> In addition to that:
>>>>> I propose that OWASP should prepare and release a press release or
>>>>> public statement that OWASP thinks weakening or undermining crypto is a
>>>>> really bad idea. (I will be happy to assist with the preparation of the
>>>>> text.) This press release shall advocate our general OWASP principles and
>>>>> shall _not_ mention RSA, the RSA conference or any other company by name.
>>>>> (personal note: btw. RSA should have no problem with such a press release,
>>>>> as they officially deny any such activities...)
>>>>>
>>>>> All the best, Tobias
>>>>>
>>>>>
>>>>> Tobias Gondrom
>>>>> Owasp Global Board
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 06/01/14 23:51, Michael Coates wrote:
>>>>>
>>>>> "OWASP will terminate the co-marketing agreement with RSA for RSA 2014.
>>>>> This may place our training at risk, but if permitted we will still
>>>>> provide the free training at RSA and the OWASP speaking slot."
>>>>>
>>>>> Michael - Yes
>>>>> Tom -
>>>>> Tobias -
>>>>> Fabio -
>>>>> Josh - Yes
>>>>> Jim - abstain
>>>>> Eoin - abstain
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Michael Coates
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Jan 6, 2014 at 3:47 PM, Eoin Keary <eoin.keary at owasp.org>
>>>>> wrote:
>>>>>
>>>>> Same here, I can't vote, I believe as the class delivery and material
>>>>> is mine and it would be a conflict.
>>>>> I would be a "no" if I could.
>>>>>
>>>>> Not sure why participation in an event requires a vote given other
>>>>> events did not require such....
>>>>>
>>>>> My view is based on
>>>>>
>>>>> 1.
>>>>>
>>>>> --
>>>>> Eoin Keary
>>>>> OWASP Member
>>>>> https://twitter.com/EoinKeary
>>>>>