
RE: [CVEPRI] CVE accuracy, consistency, stability and timeliness



> So, I propose that we create a new T-shirt. The CVE logo with
> the following: "Name 'em all and let the taxonomists sort 'em out."

Agreed. Being more specific helps all communities; the more exacting
communities could have a method for organizing or excluding what they
believe is spurious, but you can never reference what's not there. A
Doctrine of Inclusion, in a manner of speaking.

So Steve, will we be able to purchase these T-shirts from the MITRE store
on the web? I understand that creating the MITRE/CVE store has greater
priority than the voting forms. :-)

(Whatever you do, try and avoid the shopping carts mentioned in those 11
CANs.) :-) :-)

--Andre

> -----Original Message-----
> From: Dave Mann [mailto:dmann@BINDVIEW.COM]
> Sent: Monday, June 26, 2000 5 PM
> To: CVE
> Subject: Re: [CVEPRI] CVE accuracy, consistency, stability and
> timeliness
>
> Now!
>
> "Steven M. Christey" wrote:
> Pascal Meunier asked:
> Bill Fithen added:
>
> [Dave, just back from vacation, tips the soap box on its side and
> steps...]
>
> I strongly favor radically relaxing the analysis that goes into
> candidate formation. I also propose greatly simplifying the entire
> content decision to a small number (no more than 6) of guidelines.
> Finally, I propose that when in doubt, CVE err on the side of greater
> specificity. There are several reasons.
>
> I'll open with a thoroughly offensive joke. Rant.
>
> Seen on a T-shirt with the US Marine Corps logo: "Kill 'em all and
> let God sort 'em out."
>
> 1) CVE was founded on the belief that we, as a community, do not
> know enough about this space to formalize it to the point of agreeing
> on a taxonomy or a database. While I applaud the desire to achieve
> consistency with respect to enumeration issues, I think it is
> crystal clear that consistency is only achievable if we know enough
> to formalize things properly. And if we understood things to
> that level, we wouldn't be involved in CVE -- we would be involved
> in a joint database effort instead. The most important thing for us
> to do from an academic standpoint is to admit the limitations of
> our knowledge.
>
> Given how immature our field is, I think it is overreaching to
> believe that any decisions we make now will hold up to scrutiny
> in the long run. I reject the assertion that we can achieve greater
> consistency by being more careful because I don't believe that
> anybody knows enough to decide on consistency in a rational manner.
> I think we have only 2 rational choices. Either we accept that CVE
> will contain (possibly annoying) inconsistencies or we give up.
>
> 2) Our recent experience with the SANS Priority One Top Ten list
> gives us a concrete example of why CVE should put a higher priority
> on completeness than on consistency. The Top Ten list, to which many
> of us provided input, was written at such a high level that it was
> terribly ambiguous. For example, when the SANS list identified
> cgi sample files, the expected follow-on question on many lips
> was certainly, "Which cgi sample files?" More clarity and meaning
> was added to the SANS list as soon as they incorporated CVE
> names.
>
> "Oh. These cgi files."
>
> But all is not perfect. CVE falls short, literally, with respect
> to the SANS list because it does not adequately cover all of the
> known issues identified by the SANS list. Witness the large number
> of CAN numbers instead of CVE numbers that are referenced by the
> SANS list. I draw two immediate conclusions from the SANS Priority
> One exercise with regards to CVE.
>
> a) CVE must put a higher priority on timeliness and completeness,
> even at the price of less consistency.
>
> b) When in doubt, CVE should strive for greater specificity
> and avoid high level generalization.
>
> 3) Speaking as a vendor, CVE has greater value to me the more coverage
> it has. I do not expect one to one mappings to my peers. CVE is
> an enabling technology that makes life easier. I do not expect, nor do
> I need, consistency. Again, our internal experience with CVE here at
> BindView is that the more precision or specificity, the better.
>
> So, I propose that we create a new T-shirt. The CVE logo with
> the following: "Name 'em all and let the taxonomists sort 'em out."
>
> Dave
>
> --
> ==============================================================
> Dave Mann || e-mail: dmann@bos.bindview.com
> Senior Security Analyst || phone: 508-485-7737 x254
> BindView Corporation || fax: 508-485-0737

Page last updated or reviewed: May 22, 2007