
Re: Juniper added to official CNA list



On 2016-04-26 03:01, Carsten Eiram wrote:

> Not having participated in the call, only the list discussion, I formed
> the opinion that Brian's concerns were met more with dismissal, and that
> MITRE and board members were more eager to get another CNA on board than
> to take the time to fully explore the concerns. Why the rush? Because it
> is important for MITRE to show they are making progress on the CNA front,
> which is obvious from the initial email announcement.

I noted Brian's concerns and don't doubt they have merit. I also generally agree with your assessment of the situation. But to me, it's simply more important to expand CVE, which means more parties have to be part of it, especially vendor CNAs, who should be primarily responsible for assignments in their own software. I believe Brian that Juniper has issues. I have first-hand experience with another vendor CNA not following the rules. I'm sure there are other examples.

Without refreshed CNA governance rules, it doesn't matter a whole lot. Once the rules are in place and being reasonably enforced, Juniper can follow them or face the consequences, like all the CNAs.

Speaking of consequences, what if Juniper doesn't follow the rules? Withdraw their CNA status? Then who is going to issue CVE IDs for Juniper vulnerabilities?

If a CNA assigns incorrectly, reject their assignments. If the CNA actually wants their CVE IDs to count, they'll shape up. If they don't, de-list them. And yes, this does sound like laissez-faire. The current model doesn't scale. Growing CVE is going to decrease fidelity.

As far as I've thought about it, MITRE acting as CNA registrar/auditor/manager and ultimate arbiter of assignments from many CNAs might work as an organizational model.

- Art

Page Last Updated or Reviewed: April 27, 2016