
Content decisions for the inclusion of design flaws



Elias Levy asked:

> Are we going to start issuing CVE ids for low-level design flaws?
> E.g. lack of packet-level encryption in IPv4? Lack of resource
> allocation protocols? Use of DES instead of triple DES? Etc.

I have defined several related content decisions for the AXENT meeting agenda. At present, candidates affected by unresolved CD's will only be added to CVE once the CD is resolved. (Several candidates slipped through the cracks and became CVE entries before a formal "content decision" field was added to CMEX. They may be deprecated in the future.) Some were briefly discussed at the review meeting last August.

With respect to Elias' question, the following CD's are slated for *later* discussion:

CD:DESIGN-WEAK-ENCRYPTION - should we include "weak" encryption (and how do we define "weak")?

CD:DESIGN-WEAK-AUTH - should we include "weak" authentication?

CD:DESIGN-NO-AUTH - should we include problems with "no" authentication?

CD:DESIGN-SPOOF - do we include designs that allow spoofing, and how "good" does the spoofing have to be?

Some other CD's of interest:

CD:EX-BETA - should we include beta code?

CD:EX-CLIENT-DOS - should we include client-side DoS (e.g. for ICQ and the like)

CD:EX-ONLINE-SVC - should we include problems in online services, e.g. Hotmail, where the "software" is not necessarily resident on the client?

There are a number of others to be discussed as well, about 40 in all at this point.

The CD's above are what I have begun referring to as *inclusion criteria* - what's important enough to be included in the database/list/summary/analysis/etc.? *Abstraction criteria* include things like the Same Codebase content decisions, that specify how to fix the level of abstraction for an entry or entries.

- Steve

Page last updated or reviewed: May 22, 2007