Re: Procedure to penalize or revoke CNA status?
- To: "Christey, Steven M." <coley@mitre.org>, jericho <jericho@attrition.org>
- Subject: Re: Procedure to penalize or revoke CNA status?
- From: Art Manion <amanion@cert.org>
- Date: Tue, 1 Sep 2015 22:04:22 -0400
- Authentication-Results: spf=softfail (sender IP is 129.83.29.2) smtp.mailfrom=cert.org; mitre.mail.onmicrosoft.com; dkim=fail (signature did not verify) header.d=cert.org; mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=cert.org;
- CC: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
- Delivered-To: coley@rcf-smtp.mitre.org
- Delivery-Date: Tue, 1 Sep 2015 22:04:33
- In-Reply-To: <CY1PR09MB03780DD9AFA89BC8BE180778B56A0@CY1PR09MB0378.namprd09.prod.outlook.com>
- References: <alpine.LNX.2.00.1409252348190.6528@forced.attrition.org> <Pine.LNX.4.64.1410101327160.14743@beijing.mitre.org> <alpine.LNX.2.00.1508282333000.15040@forced.attrition.org> <CY1PR09MB03780DD9AFA89BC8BE180778B56A0@CY1PR09MB0378.namprd09.prod.outlook.com>
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
> > -----Original Message-----
> > From: jericho [mailto:jericho@attrition.org]
> > Sent: Saturday, August 29, 2015 1:53
> > To: Christey, Steven M. <coley@mitre.org>
> > Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> > Subject: Re: Procedure to penalize or revoke CNA status?
> >
> > It has been 337 days, and still no progress. Before anyone else on the
> > board starts complaining, there has been a series of emails between me
> > and CVE during that time, challenging a specific CNA's violation of
> > policy. MITRE opted to send one email to the CNA (so they say) and
> > nothing else, no follow-up, and no response to my follow-ups when the
> > CNA kept breaking the agreement after the initial complaint.
> >
> > I am replying now because a second CNA is clearly not following policy
> > on assignments (specifically related to assignments, nothing else). Since
> > MITRE will not really challenge a CNA over hundreds of errors in the
> > course of nearly a year, I don't think they will take action. I won't
> > call out the second CNA until the first one is resolved, which is far
> > more serious.
> >
> > So, I put it to the board for input. We are here to guide and give input
> > on the CVE process, right? I believe that is the purpose of this
> > editorial board, on paper. Personally, I think the purpose stops there as
> > far as MITRE is concerned... on paper.

...

CERT/CC has experienced at least one, possibly two CNAs that do not assign CVE IDs in a timely or correct manner, per the CVE content decision/abstraction rules. We see this when:

1. Researchers ask us for CVE IDs and say that the CNA who should be assigning -- the vendor of the vulnerable component -- has not assigned an ID.

2. We're coordinating a disclosure that isn't public yet and the CNA who should be assigning (vendor) doesn't take action. Now what? Do we assign? Let disclosure happen and ping MITRE?

We make a judgement call for each case, and I have informed MITRE about one CNA that we've observed problems with.

I don't know how much of the board bylaws are written down anywhere, but maybe we should consider some basic governance/voting procedures. Even if we don't right away agree on everything that goes into decisions to add/remove CNAs, we could have a procedure along the lines of:

* period of time to present evidence (in support of adding or removing)
* vote by the board, requiring a quorum and majority (or more, 2/3 majority?)

Document the evidence and vote on the mailing list. Also, it's common for group members to lose voting privileges (or even membership) due to lack of participation.

I realize adding more formal rules/bylaws increases the governance overhead, but it may be necessary to move in that direction. A couple of documents about board membership were circulated in April. Would an active board member volunteer to draft something about CNA requirements?

Regards,

- Art