[Owasp-board] Vote Request - OWASP Participation at RSA (Update)

Josh Sokol josh.sokol at owasp.org
Wed Jan 8 14:18:06 UTC 2014


My understanding was that there were time pressures around when the
contract needed to be signed by and a vote was necessary to determine our
next steps.  Definitely sucks that we had to take action before everyone
had a chance to vote but we had several days' worth of discussion with
plenty of community feedback so I feel ok with it.

~josh
On Jan 8, 2014 8:06 AM, "Tom Brennan" <tomb at owasp.org> wrote:

> I love the community poll -- disappointed that the "vote" has already
> happened.
>
> On Wed, Jan 8, 2014 at 9:03 AM, psiinon <psiinon at gmail.com> wrote:
> > Current proposed close date is Jan 14, which I put on
> > https://www.owasp.org/index.php/Polls ;)
> > I also put that you have to have an OWASP email account to vote, but I'm
> > still getting a load of requests to share the poll.
> > *sigh* ;)
> >
> > Simon
> >
> >
> > On Wed, Jan 8, 2014 at 1:57 PM, Tom Brennan <tomb at owasp.org> wrote:
> >>
> >> Simon,
> >>
> >> When does this public community vote close?
> >>
> >>
> >> https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0AmN7t2D5ENBddFhrNGw2d29wdDhJeUo2VWR5OEtINkE#gid=0
> >>
> >> On Tue, Jan 7, 2014 at 5:16 PM, Michael Coates <michael.coates at owasp.org> wrote:
> >> > Tobias & Board,
> >> >
> >> > Here are the updated votes.
> >> > We have 3 YES votes, 1 NO vote, 2 abstain and Fabio's vote is unclear.
> >> >
> >> > This vote has quorum 6 of 7 board members vote recorded (Fabio's vote
> >> > pending) and a majority of the votes (3 of 5) voted in favor of the
> >> > measure.
> >> > Unless there are any other comments we should move forward with this
> >> > finalized vote. Tobias, as Secretary any further comments on this vote?
> >> > Can you record the results?
> >> >
> >> >
> >> > Vote Proposal:
> >> >
> >> > OWASP will terminate the co-marketing agreement with RSA for RSA 2014.
> >> > This may place our training at risk, but if permitted we will still
> >> > provide the free training at RSA and the OWASP speaking slot.
> >> >
> >> > Vote Results:
> >> >
> >> > Michael - Yes
> >> > Tom - No
> >> > Tobias - Yes
> >> > Fabio - clarification needed*
> >> >
> >> > Josh - Yes
> >> > Jim - abstain
> >> > Eoin - abstain
> >> >
> >> >
> >> > From Fabio's email:
> >> > "But for the time being, my decision stands to go ahead as planned."
> >> > I'd interpret this as a NO to the proposal, but no vote has been
> >> > recorded until Fabio clarifies.
> >> >
> >> >
> >> > --
> >> > Michael Coates
> >> > @_mwc
> >> >
> >> >
> >> >
> >> > On Tue, Jan 7, 2014 at 10:33 AM, Michael Coates <michael.coates at owasp.org> wrote:
> >> >>
> >> >> Board,
> >> >>
> >> >> Here is the current status of the vote:
> >> >>
> >> >> Michael - Yes
> >> >> Tom - No vote cast or opinion stated
> >> >> Tobias - Yes
> >> >> Fabio - clarification needed
> >> >> Josh - Yes
> >> >> Jim - abstain
> >> >> Eoin - abstain
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Michael Coates
> >> >> @_mwc
> >> >>
> >> >>
> >> >>
> >> >> On Tue, Jan 7, 2014 at 8:32 AM, Michael Coates <michael.coates at owasp.org> wrote:
> >> >>>
> >> >>> Fabio,
> >> >>>
> >> >>> Thanks for your thoughts and reading through the thread of discussion.
> >> >>>
> >> >>> Can you clarify your position in regards to the proposed vote? In
> >> >>> addition to whether or not OWASP provides the free training there is
> >> >>> also the element of co-marketing with RSA. Sarah provided all the
> >> >>> details here
> >> >>> (http://lists.owasp.org/pipermail/owasp-board/2014-January/012876.html)
> >> >>>
> >> >>> The proposed vote is to cancel the co-marketing contract and, if
> >> >>> possible, still provide the free training. This specifically means
> >> >>> OWASP would be at RSA; however, we would not be engaging in any
> >> >>> promotion of the event per the contract outlined in Sarah's email.
> >> >>>
> >> >>> Here is the exact wording proposed:
> >> >>>
> >> >>>
> >> >>> OWASP will terminate the co-marketing agreement with RSA for RSA 2014.
> >> >>> This may place our training at risk, but if permitted we will still
> >> >>> provide the free training at RSA and the OWASP speaking slot.
> >> >>>
> >> >>>
> >> >>>
> >> >>> Thanks,
> >> >>> Michael
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> >> >>> On Tue, Jan 7, 2014 at 6:23 AM, Fabio Cerullo <fcerullo at owasp.org> wrote:
> >> >>>>
> >> >>>> Hey guys
> >> >>>>
> >> >>>> Apologies for the silence in the last couple of days. It took me a
> >> >>>> while to read the whole thread and review external sources as well
> >> >>>> while on the road.
> >> >>>>
> >> >>>> As Eoin's just stated below, we need to take an 'in or out' decision.
> >> >>>>
> >> >>>> Cancelling the contract but maybe delivering training is not an option.
> >> >>>>
> >> >>>> To his question "Are we to support RSAC this year given the allegations?"
> >> >>>>
> >> >>>> I would personally vote YES. My reasoning is as follows:
> >> >>>>
> >> >>>> - There is no concrete evidence about the allegations of a payout.
> >> >>>> - RSA is firmly refuting any accusations.
> >> >>>> - I still believe in the premise: "Innocent until proven guilty"
> >> >>>>
> >> >>>> I'm also monitoring the poll created by Simon to get a feel of the
> >> >>>> Community and there is no clear distinction between one opinion or
> >> >>>> the other. If the Community strongly believes we should pull out, and
> >> >>>> as a matter of principles, I might be inclined to change my decision
> >> >>>> and vote NO instead. But for the time being, my decision stands to go
> >> >>>> ahead as planned.
> >> >>>>
> >> >>>> In any case, if we (OWASP) are dropping our support and making an
> >> >>>> official statement about 'weakening crypto in products is bad' I would
> >> >>>> highly recommend for this document to be reviewed by a solicitor or
> >> >>>> qualified professional before making it public. I don't feel it is
> >> >>>> OWASP's position to accuse companies of any wrongdoings based on news
> >> >>>> articles or blog posts.
> >> >>>>
> >> >>>> Regards
> >> >>>> Fabio
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>> On Tuesday, January 7, 2014, Eoin wrote:
> >> >>>>>
> >> >>>>> I am not voting but the topic that is up for vote is wrong in my
> >> >>>>> opinion.
> >> >>>>>
> >> >>>>> Some media, people in general will see OWASP participation in RSA as
> >> >>>>> negative, hence the debate.
> >> >>>>> Cancelling a contract does not really cut it. It's "window dressing."
> >> >>>>>
> >> >>>>> Either we (OWASP) are engaging with RSAC or not, it's that simple.
> >> >>>>>
> >> >>>>> Delivering anything at RSAC shall be interpreted as a sign of
> >> >>>>> support, this is the root cause of the debate: Are we to support RSAC
> >> >>>>> this year given the allegations? (contract is circumstantial).
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>> On 7 January 2014 00:42, Tobias <tobias.gondrom at owasp.org> wrote:
> >> >>>>>
> >> >>>>> My vote is: Yes. OWASP shall terminate the co-marketing agreement
> >> >>>>> with RSA for RSA 2014.
> >> >>>>>
> >> >>>>> My reasons are:
> >> >>>>>
> >> >>>>> 1. community feedback and discussion (there seems to be a
> >> >>>>> significant part of the community concerned about this) Note: I
> >> >>>>> would have loved to see an OWASP community poll on this before
> >> >>>>> making this decision to get a better feel for the wishes of our
> >> >>>>> community, but acknowledge Michael's request that we need to decide
> >> >>>>> this urgently.
> >> >>>>>
> >> >>>>> 2. we have an alternative (as outlined in Sarah's email, BSides)
> >> >>>>> that can fulfil the goal equally.
> >> >>>>>
> >> >>>>> 3. I understand that there is a lot of uncertainty about RSA's level
> >> >>>>> of involvement. And I don't feel in a position to make a final
> >> >>>>> judgement about this. And as often with secrecy, we possibly never
> >> >>>>> will be.
> >> >>>>> But in this case we don't have to have final judgement. The
> >> >>>>> co-marketing agreement is quite extensive and could be seen as
> >> >>>>> active endorsement. To follow such an agreement we would need to
> >> >>>>> have a very high level of confidence and trust in the other party.
> >> >>>>> So already a reasonable shadow of doubt is sufficient grounds, to
> >> >>>>> distance OWASP in this case from a very active co-marketing
> >> >>>>> agreement with the company RSA, to avoid being interpreted as an
> >> >>>>> active endorsement of a commercial entity currently under review.
> >> >>>>> And we should abstain from actively endorsing RSA for the time
> >> >>>>> being, until all facts of the case have been properly examined
> >> >>>>> (note: not by us, as we are not an investigative body).
> >> >>>>>
> >> >>>>> In addition to that:
> >> >>>>> I propose that OWASP should prepare and release a press release or
> >> >>>>> public statement that OWASP thinks weakening or undermining crypto
> >> >>>>> is a really bad idea. (I will be happy to assist with the
> >> >>>>> preparation of the text.) This press release shall advocate our
> >> >>>>> general OWASP principles and shall _not_ mention RSA, the RSA
> >> >>>>> conference or any other company by name.
> >> >>>>> (personal note: btw. RSA should have no problem with such a press
> >> >>>>> release, as they officially deny any such activities...)
> >> >>>>>
> >> >>>>> All the best, Tobias
> >> >>>>>
> >> >>>>>
> >> >>>>> Tobias Gondrom
> >> >>>>> Owasp Global Board
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>> On 06/01/14 23:51, Michael Coates wrote:
> >> >>>>>
> >> >>>>> "OWASP will terminate the co-marketing agreement with RSA for RSA
> >> >>>>> 2014. This may place our training at risk, but if permitted we will
> >> >>>>> still provide the free training at RSA and the OWASP speaking slot."
> >> >>>>>
> >> >>>>> Michael - Yes
> >> >>>>> Tom -
> >> >>>>> Tobias -
> >> >>>>> Fabio -
> >> >>>>> Josh - Yes
> >> >>>>> Jim - abstain
> >> >>>>> Eoin - abstain
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>> --
> >> >>>>> Michael Coates
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>> On Mon, Jan 6, 2014 at 3:47 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
> >> >>>>>
> >> >>>>> Same here, I can't vote, I believe as the class delivery and
> >> >>>>> material is mine and it would be a conflict.
> >> >>>>> I would be a "no" if I could.
> >> >>>>>
> >> >>>>> Not sure why participation in an event requires a vote given other
> >> >>>>> events did not require such....
> >> >>>>>
> >> >>>>> My view is based on
> >> >>>>>
> >> >>>>> 1.
> >> >>>>>
> >> >>>>> --
> >> >>>>> Eoin Keary
> >> >>>>> OWASP Member
> >> >>>>> https://twitter.com/EoinKeary
> >> >>>>>
> >> >>>>
> >> >>>>
> >> >>>
> >> >>
> >> >
> >
> >
> >
> >
> > --
> > OWASP ZAP Project leader
>