Umm, head-slap moment.

I happen to be the proud owner of worthiness.org.  

Truly.  

It is not hosted, but I have been sitting on the domain name for several years. 
 It was part of my M.Sc in IT project on Open Systems Trustworthiness.  I won't 
go into that here.  There is a reasonable capsule of where I got on the subject 
of trustworthiness here: 
<http://orcmid.com/blog/2008/05/trust-but-demonstrate.asp>.  I stand by that.  
For the current conversation, it is useful to leap to the end.

I have the domain so I could create an organization with regard to 
certification and assurance processes. I fancy [email protected] as an 
identity with regard to digital signatures for attestations and counter-signing 
of other attestations that had been audited successfully.

This can be made available for a security-community retargeting too. 

It is clearly INELIGIBLE for a *trustworthy* neutral HOSTING.  First, if I fail 
to renew the domain-name lease (by disappearing from the mortal plane, or other 
disability), too bad.  Secondly, if the hosting site I would lease anything on 
were to fail or be hacked, I would have no recourse.  And then there is the 
matter of vigilance around the site, its backup, and most of all, protection of 
the sensitivity of the conversations that are conducted on its list. As an 
individual, I am not able to offer the care that is required, nor should I be 
relied upon to do so.

So, that's how neutrality is not trustworthiness, OK?

On the other hand, worthiness.org might be useful.  I am rather attached to it 
though.  

 - Dennis

(It is difficult to find domain names with "trust" in them, which is why I have 
the peculiar TROSTing.org domain too -- that and an inability to come up with a 
meaningful project title that abbreviated to TRUST.)

-----Original Message-----
From: Dave Fisher [mailto:[email protected]] 
Sent: Tuesday, October 25, 2011 13:01
To: [email protected]
Subject: Re: Neutral / shared security list ...


On Oct 25, 2011, at 10:55 AM, Michael Meeks wrote:

> 
> On Tue, 2011-10-25 at 10:22 -0700, Dave Fisher wrote:
>> You are welcome! I'm looking for common ground and I am trying to listen to 
>> logic.
> 
>       :-)
> 
>>>     So where does that leave us? One approach that hasn't been discussed
>>> (and is perhaps a good compromise) - is for me to go ahead and set up the
>>> list @freedesktop, and for you guys to advertise the @ooo alias on your
>>> pages, and us to advertise the freedesktop one on ours.
> ..
>>>     What do you think?
>> 
>> I think we are getting somewhere. The last detail is which is the real ML
>> and which is the forwarder. While the AOOo project might prefer to have
> 
>       Fair point - for ultra-fairness we should perhaps publish two
> forwarding addresses - [email protected] and securityteam@tdf one each,
> both pointing at the neutrally hosted list.

This leads to an interesting approach that can be taken by any peer.

(1) There is a neutrally hosted Security ML for all Peers. Individuals are 
signed up representing one or more peers. The individuals are private. The 
peers are public. LO, AOOo, ODF Toolkit, RedOffice, Lotus Symphony, ...

(2) Each peer project can maintain their own private security list.

(3) Each peer project has an email forwarder that forwards email to (1) and 
optionally (2).

(4) Each peer project should have a security page with links to any private 
security list and when to use the neutrally hosted / shared list. Having a 
public list of the peers on the shared list is essential to properly informing 
the user where they are sending their security report. If the peer list 
included links to each peer's security web page that would be helpful.

A neutral domain name like "office-security.org" would be registered. Perhaps 
Team OpenOffice can help by buying the domain and setting up Mailing list 
hosting. I suspect that hosting details can be discussed among the 
[email protected] members.

Regards,
Dave
