Re: CONTENT DECISION: Content Decisions for "Password Selection" problems
On Sun, Jul 18, 1999 at 05:20:47PM -0800, Pascal Meunier wrote:
| At 11:05 AM -0700 7/16/99, Aleph One wrote:
| >If we follow the logic we did during our meeting at Black Hats
| >then each distinct non-announced account/password should be a
| >separate CVE entry. If I am using a scanner I want to know whether
| >it knows about the specific 3com backdoor, not whether it knows
| >about backdoors in some general sense. Ditto for default passwords.
| How about a single CVE entry that explicitly enumerates all default or
| non-announced accounts/passwords with version numbers of the affected
| software, or points to a comprehensive list of them? I would think it is a
| compact notation completely equivalent to having separate entries.
This is getting into a database issue. I don't think that we want to
try to make the CVE into something that attempts to enumerate all
default passwords; the problem is very large and requires large
investments of work to succeed. The goal of providing a translation
mechanism can be achieved without this level of comprehensiveness.
I'm concerned that by attempting to list them all, rather than put in
arbitrary (and capricious) levels of abstraction, we imply that we
expect to succeed, and thus that the CVE can be used as a database of
all default passwords. By imposing a level of abstraction that says
"documented default password," we avoid this risk in exchange for some
loss of usefulness. I think that's a good tradeoff.