
Re: REF URL require ToU/Conduct policy



On 2018-06-21 23:55, Kurt Seifried wrote:
> Yes, I click the links and if I can't read them all without a hassle
> I set the CVE request to HOLD:LACK_REF_URL and they can provide
> working urls... It's not ideal but I don't have a better solution
> (well I do, but I haven't implemented it yet, TL;DR: download the
> link with like wget and snapshot that).

While I like the idea, I suspect the local copy provided to others
violates the ToU.

1. At least one material and free/public/unencumbered URL or no CVE?

2. Allow free but encumbered (e.g., free login, click-through ToU) URLs
but flag them as such?

If the world really wants CVE IDs, they'll do 1. Else, those who want
to reduce their CVE exposure can hide behind ToU.

An extension of #2 could be to flag or set the state of a CVE entry. Not
going so far as the CAN days, but "this entry is incomplete, the issuer
gets a D+ passing grade (in the US), but it's in the corpus." The
incompleteness could be for encumbered URLs/references or other issues.
Some of the CNA metrics should be published, including a count/graph of
incompleteness (also public-but-not-populated).

 - Art

> On Thu, Jun 21, 2018 at 9:40 PM, Millar, Thomas
> <Thomas.Millar@hq.dhs.gov> wrote:
>
> > Yeah, this is unacceptable. On to the hard question: how can we
> > enforce free and open access to references?
> >
> > -----Original Message-----
> > From: Pascal Meunier [mailto:pmeunier@cerias.purdue.edu]
> > Sent: Thursday, June 21, 2018 23:30
> > To: Kurt Seifried <kurt@seifried.org>; cve-editorial-board-list
> > <cve-editorial-board-list@mitre.org>
> > Subject: Re: REF URL require ToU/Conduct policy
> >
> > I get the login dialog "Sign in with your Google Account", so it is a
> > login and a surrender of rights, and it is Google, tracking which
> > security information I look at, from where and when, to be combined
> > with other analytics information, with whom I interact or who works in
> > the same organization, and everything else Google knows or can infer
> > about us.
> > It takes little imagination to see that this is chilling - for
> > businesses, for students, for security researchers, and even for those
> > who are merely curious and happen to look it up at the wrong time.
> > This setup also makes it possible for Google to selectively provide
> > or withhold security information.
> >
> > Access to CVE security references should be as anonymous as possible,
> > and giving up rights in exchange for access is contrary to that,
> > because agreements require accountability. Access to security
> > references should also be provided without trackers.
> > However, policing that may be difficult and burdensome. By comparison,
> > access without a login and without an agreement is easy to verify, so
> > we should make that the minimum requirement. I would very much like to
> > see "MUST" chosen for your two proposed sentences.
> >
> > Pascal
> >
> > On Thu, 2018-06-21 at 19:07 -0600, Kurt Seifried wrote:
> > > So real world example I have a CVE request which has a reference url:
> > >
> > > https://issuetracker.google.com/issues/77809383
> > >
> > > I acknowledge and agree to the Google Terms of Service
> > > <https://www.google.com/policies/terms/> and the Google IssueTracker
> > > Conduct Policy <https://issuetracker.google.com/terms>.
> > >
> > > Which... I dunno. I don't want links that require logins (because you
> > > can't grab them with tools easily), and I feel like this is the same,
> > > and also requiring people to agree to a ToU (that for example maybe
> > > requires you to give up your first born) is not really kosher.
> > >
> > > So I'd like to add to the CVE/CNA docs discussion:
> > >
> > > can we get a ruling on reference URLs, specifically:
> > >
> > > 1) Reference MUST/MUST NOT/SHOULD/SHOULD NOT/etc... require a login of
> > > any sort (even a free login)
> > > 2) Reference MUST/MUST NOT/SHOULD/SHOULD NOT/etc... require acceptance
> > > of ToU/Conduct Policy/etc.
> > >
> > > In my mind I should be able to "wget http://example.org/refurl/" and
> > > get the page. Anything less is unacceptable. But I also think the
> > > board should discuss this and record a ruling on it.
> > >
> > > --
> > > Kurt Seifried
> > > kurt@seifried.org
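The thread's working test for a reference is "can I wget it and get the page". The script below is an added example (not code from this thread or from the CVE program) of how a CNA might automate that triage before setting HOLD:LACK_REF_URL. The SSO host list, the wall-text patterns and the canned responses are this example's own assumptions and constructed data, not real captures; a plain HTTP client also cannot see content or walls that a page renders with JavaScript, so a flag here is a prompt to look, not a verdict.

```python
"""
Heuristic "is this reference wget-able?" check for CVE reference URLs.
Added example; the rules below are assumptions, not CVE/CNA policy.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from urllib.parse import urlparse

# If the final hop of a redirect chain lands on one of these hosts, the
# referenced content was never served. Assumption: extend for other SSO providers.
SSO_HOSTS = ("accounts.google.com", "login.microsoftonline.com", "github.com/login")

# Text in the served HTML that indicates a login or click-through wall rather
# than the advisory/bug text itself. Assumption: heuristics, not a complete list.
WALL_PATTERNS = [
    re.compile(r"sign in with your google account", re.I),
    re.compile(r"<input[^>]+type=[\"']?password", re.I),
    re.compile(r"i acknowledge and agree to the .* terms of service", re.I),
    re.compile(r"you must (log ?in|sign ?in) to (view|continue)", re.I),
]


@dataclass
class RefCheck:
    url: str
    status: int
    final_url: str
    encumbered: bool
    reason: str


def classify(url: str, status: int, final_url: str, body: str) -> RefCheck:
    """Pure classifier over (status, final URL, body) so it runs on canned data."""
    if status in (401, 403):
        return RefCheck(url, status, final_url, True, f"HTTP {status} without credentials")
    if status >= 400:
        return RefCheck(url, status, final_url, True, f"HTTP {status}: not retrievable")
    parsed = urlparse(final_url)
    host_and_path = (parsed.hostname or "") + parsed.path
    if any(host_and_path.startswith(h) for h in SSO_HOSTS):
        return RefCheck(url, status, final_url, True, f"redirected to login at {host_and_path}")
    for pat in WALL_PATTERNS:
        m = pat.search(body)
        if m:
            return RefCheck(url, status, final_url, True, f"login/ToU wall text: {m.group(0)[:60]!r}")
    if not body.strip():
        return RefCheck(url, status, final_url, True, "empty body (content likely loaded after login)")
    return RefCheck(url, status, final_url, False, "retrievable anonymously")


def fetch_and_classify(url: str, timeout: float = 15.0) -> RefCheck:
    """Live check: a plain GET with no cookies or credentials; urllib follows redirects."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-ref-check/0.1 (example)"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(200_000).decode("utf-8", errors="replace")
            return classify(url, resp.status, resp.geturl(), body)
    except urllib.error.HTTPError as e:
        return classify(url, e.code, getattr(e, "url", None) or url, "")
    except (urllib.error.URLError, OSError) as e:
        return RefCheck(url, 0, url, True, f"fetch failed: {e}")


# Constructed sample responses (url, status, final_url, body); not real captures.
SAMPLE_RESPONSES = [
    ("https://example.org/advisory/1", 200, "https://example.org/advisory/1",
     "<html><body><h1>Advisory</h1><p>Fixed in 2.4.1</p></body></html>"),
    ("https://tracker.example/issues/1", 200,
     "https://accounts.google.com/ServiceLogin?continue=https%3A%2F%2Ftracker.example%2Fissues%2F1",
     "<html><body>Sign in with your Google Account</body></html>"),
    ("https://forum.example/t/42", 200, "https://forum.example/t/42",
     "<form><input type=\"password\" name=\"pw\"></form>"),
    ("https://vendor.example/psirt/7", 403, "https://vendor.example/psirt/7", ""),
]


def triage(responses=SAMPLE_RESPONSES) -> dict:
    """Map each reference URL to the state a CNA would set: OK or HOLD:LACK_REF_URL."""
    return {
        url: "HOLD:LACK_REF_URL" if classify(url, status, final, body).encumbered else "OK"
        for url, status, final, body in responses
    }


if __name__ == "__main__":
    for url, state in triage().items():
        print(f"{state:18} {url}")
```

Keep the live fetcher and the classifier separate: the classifier is what you unit-test, and the fetcher is what you point at a real request's reference list. Per Art's point above, snapshotting the fetched page for redistribution may itself violate the site's ToU; the fetcher here only classifies and discards the body.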

Page Last Updated or Reviewed: June 22, 2018