[cabf_governance] Ballot 206 comments

Dean Coclin Dean_Coclin at symantec.com
Thu Nov 2 06:29:14 MST 2017


Yes, but I wasn't referring to security by obscurity. Rather, threats and bugs get disclosed to manufacturers all the time before they are made public. These are the types of things one would not want on a public list.


-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Thursday, November 2, 2017 5:38 AM
To: Dean Coclin <Dean_Coclin at symantec.com>; CA/Browser Forum Governance WG List <govreform at cabforum.org>; Virginia Fournier <vfournier at apple.com>
Subject: Re: [cabf_governance] Ballot 206 comments

On 01/11/17 20:29, Dean Coclin wrote:
> Regarding your comment on system security, working groups talk about a 
> lot of things, not necessarily directly related to the design of a 
> system. Especially with regard to code signing, there is discussion on 
> list of threats, potential threats, ways to subvert things, etc.
> Does that really need to be public?

Absolutely. Potential ways to subvert things are among the most important topics to be discussed in public.

https://en.wikipedia.org/wiki/Security_through_obscurity has more discussion of this point.

Gerv


