
Re: DWF and CVE Integration Proposal



Great, I'm glad you're thinking ahead of me.

Cheers,
Pascal

On 04/06/2016 09:57, Kurt Seifried wrote:

On Wed, Apr 6, 2016 at 7:51 AM, Pascal Meunier <pmeunier@cerias.purdue.edu> wrote:

This sounds great. The devil is in the details, such as business continuity planning and lifecycle planning (e.g., if/when a Root CNA winds down). There is an implicit assumption, using the current DWF setup as an example, that GitHub won't fail, and so on. But that should be solvable later; there is no reason to delay.

On the contrary, I think at some point GitHub will fail/pull a SourceForge or do something else that results in us having to move. That's fine, since everything is in Git and it is trivial to keep a fully up-to-date archive (just do a pull every X hours for your local copy). We might lose the issues (bug reports), but that would be far from a crippling blow (assuming we can copy/export the data). As for organizational continuity, that is why there are 5 DWF board members.

Good start! I can't wait to see the seeds bloom.

Pascal

On 04/06/2016 06:52, Landfield, Kent B wrote:
After all the discussion on our Board call last week, Kurt, the DWF Board, myself and other CVE Board members have been working to put together a proposal to be submitted to MITRE. We have tried to set out the intent, parameters, expectations and what a hoped-for successful outcome would lead to. We were pleased to hear MITRE's agreement with the overall goals of the project as laid out on the call, and to see it in the Board meeting minutes. As requested by Jon Baker, the proposal is recorded below and submitted. We believe it is in the best interests of CVE and the community to launch the DWF/CVE integration project as early as possible.

DWF and CVE Integration Proposal

Proposed by:
Harold Booth, NIST (harold.booth@nist.gov)
Larry W. Cashdollar, Akamai Technologies (larry@akamai.com)
Kent Landfield, Intel (kent.b.landfield@intel.com)
Art Manion, CERT/CC (amanion@cert.org)
Brian Martin, OSF/OSVDB (jericho@attrition.org)
Kurt Seifried, Red Hat (kseifried@redhat.com)
David Waltermire, NIST (david.waltermire@nist.gov)
Zachary Wikholm, Independent (kestrel@trylinux.us)

Area of Focus

The Distributed Weakness Filing (DWF) Project provides a community-based, open source, process-oriented solution for getting CVE identifiers into the hands of those who need them. DWF is intended to work with security researchers and other "producers" of CVE IDs to ensure timely assignment of IDs. The project's primary focus is to become a CVE Numbering Authority (CNA) aimed primarily at the open source community.

Overall Purpose of Proposing a New Type of CNA

This proof of concept (PoC) is to test the effectiveness of creating a new class of CNA. In the past, CNAs have for the most part been endpoints of the CVE ID issuing process. An authority must be issued a block from the CVE ID pool, which it then uses to issue IDs for its own organization. This proposal is to create a Root CNA. The DWF Root CNA would be able to act as an existing CNA by issuing CVE IDs on request. Additionally, the DWF Root CNA would be able to train and coordinate other organizations and people to create CNAs that reside in the DWF namespace.

As this is a PoC, the plan is to take a "fail fast" approach. DWF will be experimenting where we believe good ideas should be put into an operational production environment to test the usefulness of the idea. The following are the proposed specifics of the effort:

● The DWF Project will act as a CNA and ensure no conflicts between DWF and current CVE ID ranges. The DWF will start at a high range of numbers to avoid conflicts with CVE numbers.
● The DWF Project will use the ID range CVE-YEAR-1000000 through CVE-YEAR-1999999.
● The DWF will assign CVE IDs to answer requests sent directly to the DWF by researchers, vendors and others.
● Any subordinate DWF-authorized CNAs will only be allowed to exist under the DWF hierarchy and will be restricted to the DWF-authorized namespace (that is, CVE-YEAR-1000000 through CVE-YEAR-1999999).

The DWF Project will continue to work with MITRE and others to create guidelines and requirements for CVE requests, CNA creation, curation of CVEs and so forth. As mentioned earlier, the DWF will focus on Open Source software, security researchers and security vendors that find and report security vulnerabilities. The DWF Project will continue to coordinate closely with MITRE and the CVE Editorial Board to ensure compatibility with existing and future CVE requirements and processes such as "what counts as a vulnerability", SPLIT/MERGE and so forth.

DWF will work with MITRE and the CVE Editorial Board to create a base set of documentation of best practices that can assist with the development and processes of Root CNA usage and deployment. While targeted towards DWF, the documentation can be used by others within the CVE management community.

Proposed Outcome

The intent of this PoC is to determine the effectiveness of new techniques, ideas and a new hierarchy-based model for CNA creation and CVE issuance. If successful, this approach will allow other Root CNA authorities to be set up. Future CNAs could be assigned based on technology sectors or national boundaries, thus allowing expansion and expertise in areas of vulnerability identification not currently possible under the existing CVE management approach/scheme.

---
Kent Landfield
+1.817.637.8026

Page last updated or reviewed: April 12, 2016