OpenSSL Corporation Advisory Committees

The OpenSSL Foundation (primarily focused on non-commercial communities) and the OpenSSL Corporation (primarily focused on commercial communities) are pleased to announce the formation of Business Advisory Committees (BAC) and Technical Advisory Committees (TAC)*. These advisory bodies are critical in enhancing our governance structure, ensuring that the decisions reflect the diverse stakeholders involved and that our Mission and Values stay aligned with the community’s needs.

For more information about the definition of our communities and the function of the Advisory Committees refer to the OpenSSL Communities website.

* TAC will be formed by the end of April 2025.


OpenSSL Corporation Business Advisory Committee Members:

Academics – Billy Bob Brumley (RIT)

I made my first contribution to OpenSSL around 2008 when I was a young, bright-eyed, bushy-tailed PhD student. Since that time, as an academic I’ve used OpenSSL as a basis for the vast majority of my research. Over the years, I’ve discovered and (responsibly) disclosed quite a few vulnerabilities in OpenSSL, most of which have CVEs assigned (grep around in CHANGES.md). What separates me from most other academics who use OpenSSL in their research is, I typically contribute software patches for fixes myself, not just point out problems. I’ve also helped with API and functionality issues, particularly in the EC module. I also enjoy contributing to unit and regression testing, either porting public test cases to OpenSSL or designing my own, both positive and negative tests. For an academic, I consider myself pretty active on OpenSSL’s GitHub, submitting my own PRs and/or participating in discussions. At RIT, I run a course called “Open Source Software Security” which I built on OpenSSL. My students are required to submit PRs to the project, and some of them even get merged :D. I feel like my current roles at RIT position me nicely to serve on the BAC. My leadership role in RIT’s GCI entails plenty of committee-based decision making, which is in fact quite abundant throughout academia at large. Topically, I bring not only my own state-of-the-art expertise in my academic discipline, but also exposure to RIT’s significantly broader academic community, packed with far more talented scholars than myself. In summary, I’d be honored to serve on the BAC, allowing me to continue to contribute to OpenSSL, yet in a more formal way!

Committers – Paul Dale (Oracle)

I have almost a decade of experience working closely with and for the OpenSSL project, including five years as an OMC member and seven years as a committer and as an OTC member. I have spent thirty-five years working for businesses from start ups to large multinational corporations on a wide range of security applications, which has afforded me knowledge, acumen and insight into the business requirements and priorities of the project and its community. I understand the nature of the funding model and I am a primary developer responsible for several of its key components. Given my background, I’m confident that I can facilitate nuanced input that represents the consensus of the committer community to inform the decisions and direction of the project via a BAC role.

Distributions – Jaroslav Reznik (Red Hat)

I’m Jaroslav Reznik, a long-time Red Hatter and open source enthusiast, currently working as Compliance Program Manager in Red Hat’s Product Security Compliance team. I believe I can provide value to the OpenSSL Corporation Business Advisory Committee as Red Hat is a well-known OpenSSL community member, I have experience with FIPS 140 and other cybersecurity regulations important for OpenSSL and I believe sharing the same goal can benefit both OpenSSL and Red Hat. In my background, I have a lot of experience in the distribution ecosystems, mainly in Red Hat Enterprise Linux and Fedora - from engineering work (packaging, bringing up a new architecture), through release management, security updates handling to compliance. Even though I don’t have direct OpenSSL community experience yet ;-), I have a deep open source community background as I was Fedora Program Manager in the past for four years and I was on the Fedora Board (as an elected member) and Fedora Council (as an appointed member). This gave me a unique experience of being a person between community and corporate entities and helping to shape the Foundation and the Corporation cooperation.

Individuals – Randal Becker

I have been the community maintainer for the NonStop port of OpenSSL since 1.0.2. My participation in Open Source goes back to the early 1990s, when I was involved in porting NFS, RPC, and other smaller components to the NonStop platform. I started in the industry in 1979. My contribution for BAC of the Foundation or the Corporation is to provide perspectives and experience from exotic platforms to the OpenSSL team. I have served on the boards of directors of two companies (one as chair) and the Richmond Hill Board of Trade (director and chair). I also have extensive experience with Robert’s New Rules of Order.

Large Businesses – Jeff Johnson (Cisco)

I would like to nominate myself to represent the large business community in the Corporate BAC. I have long believed the work that OpenSSL does is critical in securing the world’s communications and data. This, of course, is fundamental in securing every individual’s right to privacy. Within the context of my position at Cisco, I have been fortunate to work with OpenSSL and other open source initiatives such as Open Quantum Safe (OQS). This work has taken many forms; research funding, in-kind engineering resources and sponsoring. I strongly believe in a corporation’s responsibility to protect customers’ (ultimately all individuals’) right to privacy and a great way to ensure this right is to work with critical broadly adopted open source initiatives. I am fortunate that in my position at Cisco my team enables these same principles in software deployed across the portfolio, thereby affecting millions of individuals across the globe. My professional passion is that; making these principles a reality in products and systems used by real people around the globe. I look forward to assisting OpenSSL in their endeavors to engage with the corporate community. During my 25 years at Cisco, my position as a leader in delivering common security modules across the Cisco portfolio, has exposed my team to 100’s of Cisco products and services (if not 1000’s). As such, my team is at the forefront of customer requests and issues. My team has firsthand knowledge of requests for new technologies and capabilities. Additionally my team is responsible for delivering security software that is capable of being integrated into these products that enable global certifications (FIPS, Common Criteria, etc). In this last case, my team is heavily involved with NIST via NCCoE to advance the automation of FIPS certifications (ACVP and AMVP). Given all this, what would I want to do in this position? It’s simple really.
Help build a relational community where others can share their voices to advance a common goal. A community where disagreement is considered diversity of thought and isn’t avoided. A community dedicated to the success of open source and in particular OpenSSL. This journey isn’t particularly easy but as my father told me, “nothing worthwhile is easy.” In my position at Cisco I am encouraged by my leadership, to further Cisco’s relationships with open source initiatives. My leadership is fully supportive of my commitment and participation in such endeavors (such as Linux Foundation PQCA), both in time and travel. (if a further written commitment is needed from my leadership I can get that.) (On a personal note, I really want to improve the relationships and communication between open source initiatives and corporations such as Cisco. I feel like these relationships can be needlessly adversarial at times. I honestly believe the relationships could be and should be mutually beneficial, especially considering the outcomes both desire. Cisco has stated that an individual right to privacy is a fundamental and universal right shared by everyone across the globe. I believe that’s where a better relationship can start…. by understanding our common and core values and working together for the benefit of everyone.)

Small Businesses – James Bourne (FireDaemon Technologies)

James is an information technology professional specialising in cybersecurity and software development, predominantly in the media and entertainment industry. In addition to technical disciplines, his expertise includes strategy, operations, governance, accounting, budgeting, negotiation, talent acquisition, team building, and mentoring. James’ roles and titles include: CEO of FireDaemon Technologies Limited. Media & Entertainment Cybersecurity and SSDLC Specialist. TPN Assessor. Animation, VFX, and Post Production Systems Administrator and Engineer. With his outstanding patience and communication skills, he is able to summarize and convey issues clearly and concisely, and I can confidently endorse him as a valuable member of the BAC. Additionally, James has overseen FireDaemon’s adoption and promotion of OpenSSL by:

We invite you to join the OpenSSL Communities and take advantage of the opportunity to make your voice heard.

Register as a Community Member

To become a member of the Advisory Committee:

  • Go to the OpenSSL Communities website and click “SIGN IN”.
  • Create your account by entering your email address and clicking “CONTINUE WITH EMAIL”.
  • Fill in your name and surname and click “CREATE ACCOUNT”.
  • Enter the code sent to your email address and click “SIGN IN”.
  • Choose the community or communities you associate with and want to represent and click “JOIN GROUP”.
  • Please specify why you want to join each community you wish to participate in.
  • You will receive a notification once the administrators approve your request.

If you have any questions or need assistance, please contact us at communities@openssl.org.