[Owasp-cert] Subject Areas
avs at iki.fi
Mon Sep 1 14:59:10 EDT 2008
On 31 Aug 2008, at 17:28, james at architectbook.com wrote:
> FYI. I watched my third laptop die this week where I may have missed
> many of the emails related to this project (those that weren't
> copied to the list).
I sent some comments on the NDA. I'll resend them now, copied to the
list, and add some rationale as to why I feel these changes would be
- Please define the address and state/country of incorporation for
OWASP Inc. In addition, the NDA would need to be signed by OWASP as
Why? Because this way (given that there are two identical signed
copies) the NDA can be used to prove that one has indeed signed it and
is thus "authorised". Otherwise, anyone could claim to have signed the
NDA but they might not have ever sent it to OWASP.
- The definition of Confidential information is too wide in the context
of OWASP, which usually uses public documents. I believe that the NDA
should specifically cover only the OWASP certification project, not
OWASP activities generally, and only material that has been explicitly
stamped as "OWASP Certification Project Confidential" (or somesuch).
Why? Because openness should be the default. In addition, this type of
clause would encourage proper classification markings on the
documents, and most likely would also decrease the probability of
- The definition of confidential documents should explicitly exclude
information that has been published or has become public knowledge, or
information that was published or publicly known before entering the
NDA, if becoming public knowledge or publication has not been due to
actions by the person in question.
Why? This is standard NDA stuff. It also acts as an anti-gagging clause,
so if laundry gets washed in public, it does not prohibit people from
- Definition of an "unauthorized" individual is missing. Should
perhaps be defined as those who are not under an NDA. Otherwise, how
is the signatory supposed to know who are unauthorized? It should be
specified that when discussing issues on a mailing list, group, event
or forum maintained by OWASP, Inc. for authorized persons, the
existence of such group is enough to authorize discussion there
(meaning that each single person must not need to determine whether
all participants have an NDA or not).
Why? Because otherwise the NDA gives OWASP an open cheque to
(retroactively?) label someone as unauthorised.
- "Returning" documentation in its digital form is meaningless. This
should only apply to physical items and this should be explicit.
- There is no expiration clause, but the NDA is valid in perpetuity.
There should really be an expiration clause, for example five years,
unless a document is still being actively used in the OWASP
certification, in which case, in the context of that specific
document, the NDA would expire only after the document is obsolete.
Why? This is because if there's something badly wrong in the
Organization or Certification, whistleblowing must be possible - even
legally - after some years. Also, I see really no point in forcing
people to forever keep silent if the subject matter has long since
ceased being relevant.
- The NDA expiry date should be tied to the person informing OWASP,
Inc. about termination, and the termination should happen after the
termination period as above.
- Key/password escrow requirement does not have any reason to be
there. I mean, OWASP Inc. may internally have any data accessibility
steps in place including escrow but volunteers all around the world,
while working on this project, should not have any need for that.
- "best protection" for information is too vague. OWASP must
specifically describe what level of protection is required. This has
the effect of encouraging a secure baseline for document handling
practices. Also, it would be good to add that if the Organization
provides the person with software, proper usage of that software must
be always seen to fulfill this requirement.