RE: The nomenclature process in other fields
There is no relationship between a taxonomy and the CVE, and we should
all strive to ensure one doesn't get drawn until Spaf gets
acceptance/adoption through CERIAS for something serious. The
implications of a taxonomy are huge, and if it hasn't been fully
vetted in the educational community, I fear it would only further
confuse the user community (not to mention our CVE efforts).

A taxonomy is directly applicable to a Vulnerability Database (VdB).
The CVE is definitely not a VdB. The CMEX is fearfully close to
becoming a VdB, but I believe we all know we'll have to minimize its
possible functionality to avoid it becoming one.

We're certainly, I believe, in a rare situation of trying to enumerate
before a taxonomy has been defined, let alone accepted. Such is the
distinct nature of the items we're working with. Keeping this
distinction in mind will help, I believe, to reduce the pressures some
feel about the approaches we're considering. Imagine what will happen
when our CVE numbers start appearing in patents...;-[

Hopefully, before that time, the CERIAS VdB effort will have borne,
um, more fruit.

Russ - NTBugtraq Editor