dtk
response 19 of 40: Dec 1 04:38 UTC 2013

Resp:16 The web page is not trustworthy at this point; the web server is
not presenting a valid certificate (NotAfter has passed). If we require use of
a b0rken website in order to participate we give people an ultimatum between
poor security and participation. 

kentn
response 20 of 40: Dec 1 14:29 UTC 2013

You have to log in to vote, anyway.  So I don't see the issue with the
certificate on the web page.
kentn
response 21 of 40: Dec 1 16:16 UTC 2013

The other nominees have been contacted weeks ago.
 
As for announcing the nominations/election, it was/is in the motd and
was announced in agora (item 3).  It is also announced on the grex main
web page.
dtk
response 22 of 40: Dec 1 17:48 UTC 2013

The whole reason that a certifying authority sets a "NotValidAfter" attribute
is to limit the time during which an adversary can subvert or snoop the
traffic in-flight, whether because the adversary stole the key (and the
inattentive system operators did not notice) or the adversary guessed the key.

Allowing the certificate to lapse not only shows neglect by the organization
operating the system that asserts the certificate, but exposes all users of
the interface that asserts the certificate to having their in-flight traffic
(including credentials, non-public information or other traffic) stolen or
changed on the wire. 

I am not concerned that I have to enter my credentials in order to vote; I
would expect and hope to have to (a reasonable control). The concern is that
an adversary on or off the system could intercept my attempt to vote and
either view the credentials used to put in the vote or change my vote
in-flight. 

I work as a registration authority for an internal certifying authority and
deal with this foolishness in my day job. 


 -DTK


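An added example (not code from this thread or from Grex) of the check dtk is describing: it classifies a certificate against its NotBefore/NotAfter window, using the dict shape Python's `ssl` module returns from `getpeercert()`, on a constructed sample whose dates are modelled on the lapsed certificate discussed above. The names `SAMPLE_CERT`, `utc`, `cert_status` and `fetch_peer_cert` are assumptions of this example.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 14  # warn this many days before NotAfter so renewal precedes the lapse

# Constructed sample in getpeercert() dict form (not a real certificate);
# its validity window is modelled on the lapsed certificate in this thread.
SAMPLE_CERT = {
    "notBefore": "Nov 20 00:00:00 2012 GMT",
    "notAfter": "Nov 20 23:59:59 2013 GMT",
}

def utc(year, month, day, hour=0, minute=0):
    """Aware UTC datetime, so 'now' can be pinned for reproducible checks."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)

def cert_status(cert, now=None):
    """Classify a getpeercert()-style dict against its NotBefore/NotAfter window.

    Returns (state, days_left): state is 'not_yet_valid', 'expired',
    'expiring_soon' or 'ok'; days_left is whole days until NotAfter
    (negative once it has passed, as for the thread's certificate).
    """
    if now is None:
        now = datetime.now(timezone.utc)
    now_ts = now.timestamp()
    # ssl.cert_time_to_seconds parses "%b %d %H:%M:%S %Y GMT" as UTC.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now_ts) / 86400)
    if now_ts < not_before:
        return "not_yet_valid", days_left
    if now_ts >= not_after:
        return "expired", days_left
    if days_left < WARN_DAYS:
        return "expiring_soon", days_left
    return "ok", days_left

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live check (needs network): ('ok', cert dict) if the default trust store
    accepts the server, else ('handshake_failed', OpenSSL verify message);
    a lapsed certificate comes back as 'certificate has expired'."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "handshake_failed", exc.verify_message
```

Run `cert_status` periodically on the dict from a verified connection and alert on anything other than `ok`, so renewal happens before NotAfter rather than after users start seeing warnings.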
kentn
response 23 of 40: Dec 1 18:18 UTC 2013

So do you think someone guessed the key?  Maybe we should just go
back to self-generated certs and cut this mysterious certifying
authority out.  I'm not sure we can trust them, either.
dtk
response 24 of 40: Dec 1 18:46 UTC 2013

A self-signed certificate exacerbates the problem, because there is no way
to tell if the certificate was in fact signed by the system itself, or by an
adversary posing as the system. Since Grex's self-signed certificate is not
by default in browsers' trust-stores, there would be no basis for trusting
it, and without an out-of-band mechanism to convey the certificate for
establishing trust, people would assume it has been compromised. The value
of a CA (id est Certifying Authority) is that it anchors trust to a handful
(actually over a hundred) organizations whose primary business is serving as
trust providers, and whose root certificate (trust anchor) is included with
browsers. CAs participate in what is known as the CA-Browser Forum, and are
held to a high level of scrutiny. They in turn scrutinize signing requests,
and for highly trusted certificates (Extended Validation (green address bar)),
they perform extensive research to validate that the certificate was requested
only by the entity it claims to be, and not by an imposter (can take up to
three weeks for a new second-level domain; usually involves company
letterhead, interviewing named company officers, whois registration, etc).
To make the analogy, they serve as notary public for the PKI, and their
activity is cryptographically verifiable. 

No, I do not think that the Grex private key has been pwned and taken home,
but training people to ignore certificate warnings is in itself dangerous,
as it lowers everybody's security awareness, and is poor OPSEC. Furthermore,
the longer a key-pair hangs out there, the greater the likelihood of it being
silently pwned, hence the expiration date on every certificate, giving a known
(planned) end of usefulness. 

keesan
response 25 of 40: Dec 1 20:55 UTC 2013

Is it too late to nominate Tod for board member, since the voting process is
not working yet anyway and we need two more members?  If not, I nominate him.
He told me he would accept.  He has run before.
rcurl
response 26 of 40: Dec 1 22:58 UTC 2013

I haven't looked at the Grex bylaws recently, but I presume there is some
mechanism for filling vacancies.  There will now be two vacancies for the
Board to fill. This will be simpler than restarting the voting - which, in
fact, is not provided for in the bylaws. 
kentn
response 27 of 40: Dec 1 23:09 UTC 2013

The voting process IS working.  I don't know why anyone would think it
isn't.
 
We'll need a special election, I expect, unless we want to interrupt
the voting.  The bylaws provide for filling vacancies in the Board
via special election.  
 
BTW, this is the nominations item, not the "justify an SSL certificate"
or "complain about why our SSL certificate has expired" item.
kentn
response 28 of 40: Dec 1 23:59 UTC 2013

Tod, do you accept this belated nomination?
 
If so, we can discuss what to do about it in re the current election.
tod
response 29 of 40: Dec 2 00:29 UTC 2013

I accept
kentn
response 30 of 40: Dec 2 00:47 UTC 2013

Thanks, Tod.  I hope we can get you on the ballot for this election.
I'm checking with our vote admin.  It won't affect the election of
anyone else since we have four slots open.
kentn
response 31 of 40: Dec 2 21:14 UTC 2013

We'll call this nominations item closed as of Nov. 30, 2013 and set up a
separate nominations item for a special election for the two remaining
seats.  I wish the people who are so critical of things here would do
the right thing, which is to help with Grex, but alas, criticizing is
easy, helping with the operation of Grex is not.
mary
response 32 of 40: Dec 2 21:27 UTC 2013

Ignore them.  It's time.  Past time, actually.
kentn
response 33 of 40: Dec 3 02:00 UTC 2013

Okay, I'm checking with the vote admin to see if we can get another
candidate added.  This would help us quite a bit.
tod
response 34 of 40: Dec 3 04:17 UTC 2013

Thanks Kent
kentn
response 35 of 40: Dec 3 13:33 UTC 2013

I've entered a new nominations item, coop 344, so we can continue
there.  We will need to do a special election in any event.
gelinas
response 36 of 40: Jan 12 02:04 UTC 2014

I've made an unofficial, provisional count of the votes in the regular
election for the Board of Directors for 2014. Six people voted. Five voted
for both candidates, and one voted for only one candidate. So if any of the
five who voted for both are members, and the candidates are members, then the
two candidates were elected.

The Treasurer has not provided a list of the members as of the end of the
voting period, so I cannot make an official count.
gelinas
response 37 of 40: Feb 25 02:04 UTC 2014

Of the members, one voted in this election. Unfortunately, one of the
candidates, glitch, was not a member at the time of the election and so was
not eligible to run. The one member who voted did vote for kentn, so Kent is
elected to a two year term, which started on January 1, 2014.
kentn
response 38 of 40: Feb 25 03:59 UTC 2014

Thanks for doing the counting, gelinas.  Time to organize
another special election.
keesan
response 39 of 40: Feb 25 04:52 UTC 2014

Thanks for running for election, Kent.   Strange to have an election with as
many voters as candidates.
kentn
response 40 of 40: Feb 25 15:31 UTC 2014

You're welcome.  There were a lot of membership expirations toward the end
of the year, and then a lot of renewals in January, as I understand the
situation.
- Backtalk version 1.3.30 - Copyright 1996-2006, Jan Wolter and Steve Weiss