再保险:候选人编号方案

在星期五,1999年5月14日在-0400年02:53:37PM, Steven m . Christey写道:> >伊莱亚斯说:> > >唯一我担心candiate数字从未让外面> >工作小组……诅咒这个螺丝我们将使用候选人> >数字在我们的讨论和讨论将> >是公开的。> >我不认为真的有解决这个问题的办法,但候选人>数字可能只有接触到那些想要观察>的过程。也许我们可以提供一个“免责声明”或警告,他们>应该只使用CVE编号。> >我想在“完全公开”候选人数字有几个>目的。对我来说,早期的主要好处是>漏洞信息的跟踪。例如,* Bugtraq版主可以>使用自己的考号名称空间分配的帖子(让我们>避免这种方法一会儿)的可行性。这正是我*不*。第二个我们开始使用这些“候选”名称* BUGTRAQ你可以忘记任何人使用CVE编号。他们仍然继续使用“候选”号。 > > I think that most or all advisories should reference a CVE number in > their first publication, since advisories are often a primary, > universal source of vulnerability information. It helps to get *some* > number into advisories that announce a vulnerability for the first > time (say, a vendor's security analysis team). The sense that I get > is that vendors believe they have a competitive advantage in > announcing discovery of new vulnerabilities in their own advisories, > and may not be willing to give this up. If they aren't willing to > give away such information (at least to the input forum), then there > are 2 workarounds I can think of. Public candidate numbers are the > easiest way to address this problem. A different mechanism might be a > "secure channel" between MITRE and the advisory team which could > result in a "conditional" assignment of a new CVE number. Probably > the best way would be for the advisory team to post an initial > "pre-advisory" to the Input Forum for a brief and timely discussion, > and CVE number assignment. The benefits would be twofold: (a) all > vendors would know of the vulnerability and be able to update their > tools [which would immediately benefit *all* tool users], and (b) the > first fully public advisory would have a CVE number. > > The greatest risk in having public candidate numbers is in the > potential confusion caused by multiple numbering schemes. The CAN- > prefix makes it clear to knowledgeable people that the vulnerability > is "unreviewed," but the candidate number could become more widely > used than the CVE number. We want to minimize this problem as much as > possible, IMHO. If we decide to adopt a public candidate numbering > scheme, then we need to make it clear to everyone, including the end > users, that candidate numbers are in no way "official." > > - Steve > -- Aleph One / aleph1@underground.orghttp://underground.org/KeyID 1024/948FD6B5指纹EE C9 E8 AA CB AF 09年61 8 c 39 EA 47 6 A8 B8 01