
Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey



Wow. What a firestorm. I'll try to stay close to Steve's original, specific points and throw in my 2 cents on only one larger issue.

Steve Christey wrote:

> Candidate reservation will be made available to whoever asks, including those who may not trust me. In theory, if such an event happens, it will be my word against theirs.

Welcome to the club. BindView, hypothetically, and MITRE could be accused of collusion if 1) BindView requests a number, 2) MITRE reserves a CAN for BindView, 3) a third party requests a CAN for the same issue, and 4) MITRE denies the request (on BindView's behalf). So trust is an issue regardless of whether MITRE issues a warning. As you correctly point out, the real issue here is a lack of trust in MITRE on the part of third parties.

"Steven M. Christey" wrote:

> 2) Diligence level 1 CVE candidate reservation allows one CVE candidate number to be assigned to an unknown party. (See http://cve.mitre.org/board/archives/2000-05/msg00179.html)

At the risk of resurrecting discussions from past Editorial Board meetings, I assert that the "trust" problem is deeply compounded if MITRE starts reserving CANs for people who are not on the Board. Let me explain...

David LeBlanc wrote:

> Academia (I can speak from my own experience, as my name could properly be followed by B.S.A.E., M.S.A.E., Ph.D.) is without a doubt one of the most

Let me finish this sentence to suit my own needs! Academia is easily one of the most experienced at dealing with these issues. We should borrow heavily from them if it helps.

Generally speaking, academic journals will only consider papers from submitters with appropriate credentials. And note, they do so at the risk of complaints from the non-credentialed that, in doing so, the journals deny a voice to dissenting opinion and only protect the dominant orthodoxy or narrative [insert stock post-modern deconstructionist rant here if you like ;^)].

Applying this observation to the CVE process, I suggest it only makes sense to accept CAN requests from those with peer-accepted credentials: Editorial Board members. This will go a long way to take care of any concerns about MITRE's handling of these matters, as it would guarantee a certain level of professionalism for all involved and thus a higher level of trust.

If we are concerned with the CVE process becoming too closed to the general public, then we can rely on certain identified Board members to be the publicly identified "gatekeepers" who can request CANs by proxy for those outside of the Board. It also makes sense to me to separate this gatekeeping function from the CAN assignment function played by MITRE. That is, I would suggest that MITRE NOT directly assign CANs to people or orgs not on the Editorial Board.

NOTE: Presently, *any* Editorial Board member can request a CAN number by proxy for somebody outside of the Board! Consider: as a Board member, I could request a CAN number and nobody on the Board, including MITRE, really needs to know where or how I got the info or who did the initial discovery. The discoverer, if different from me, is trusting me with the info, and I, as her proxy, am trusting MITRE and the Editorial Board to handle the info appropriately.

My point here is that currently, all Board members could, at this very moment, be requesting CAN numbers by proxy for outsiders, and none of us have the ability to know the difference, one way or another. This is fully appropriate, imo. I trust my fellow Board members, and as long as they feel the issue warrants a CAN number, they are entitled to request the CAN number from MITRE.

Going back to the academic journal example, an academic journal may not even consider a paper from David LeBlanc's mom, but they might from her son because he has the peer-accepted credentials of a terminal degree in his field. More importantly to my point, they would consider the paper even if it contained his mom's ideas. David would merely be her proxy.

[FWIW: A Budget of Trisections from the Springer-Verlag library makes a great read on the subject of non-credentialed mathematical crack-pots. It may shed some light on the noise we see in mailing lists.]

============= TANGENTIAL COMMENTARY BEGINS HERE ================

For those debating the relative merits of security advisories, I offer up the following snippets from an article recently written by Al Berg and published by ICSA in Information Security Magazine.

"When you buy a vulnerability scanner, you are buying expertise... Hence, before choosing a vulnerability-scanning product, you should take a careful look at the team supporting it... A good indicator of the technical savvy of a vendor's team is the number and quality of papers, advisories and tools it has authored."

One could challenge Mr. Berg's assertion by citing a chicken-and-egg paradox. To wit, has Mr. Berg merely bought into the marketing hype of vendor advisories hook, line and sinker? Or are advisories, the quality of the research team and the quality of the tools directly related? It's an interesting question, but it is totally missing the point. Whether or not they have real technical merit, security advisories are an established feature in the marketplace. To deny this is to ignore market realities. Until that reality changes, they have value.

'best,

Dave

--
==============================================================
Dave Mann                  || e-mail: dmann@bos.bindview.com
Senior Security Analyst    || phone: 508-485-7737 x254
RAZOR Security Team        || cell: 617-968-2697
BindView Corporation       || fax: 508-485-0737

Page Last Updated or Reviewed: May 22, 2007