Re: [TECH] Candidate Numbering Authorities
I've read the proposal, and it seems rational and reasonable. A couple
> - it must only assign candidates to security issues that will be
> made public
If a candidate is assigned, and the report is later found to be bogus or
duplicative, are there any obligations on the CNA to account for the
"missing number?" Or can it just be sent to /dev/null?
> Communications from CNAs to MITRE
> The following types of communication occur from CNAs to MITRE:
> - request a pool of candidate numbers
Must numbers within the pool be handed out sequentially? Will the pool
necessarily be contiguous? One of the things we are mildly concerned
with is leaking information about who (particularly vendors) knew what
when as regards a vulnerability. We don't want to put vendors in the
position of having to defend why one patch came out after another even
though the problems were reported in the other order.
> - suspected researcher abuses
Although we can report a "faulty" number, we can't report on
individuals' intentions if they wish to remain anonymous. Does this
imply a requirement to disclose researcher identities for those who wish
to remain anonymous?
> - they should not publish CVE candidate numbers in a manner which
> might provide them with any economic or political advantage over
> their competitors
"might provide...any" is a little broad. We sometimes disclose
information to sponsors and collaborators privately under NDA before
public dissemination, and we support that practice in general. It seems
reasonable to me that a candidate number could be part of that private
disclosure. Would such disclosure be prohibited?
> Vendor Liaisons
> A vendor liaison works with CNAs to obtain or verify CVE candidates
> in the liaison's own products. The liaison is not an Editorial Board
> member, nor is it a CNA, as it may not have the need or capability to
> satisfy the CNA requirements.
I don't understand the role of vendor liaisons. Could you elaborate, and
perhaps provide an example?
> - obtain candidates for a vulnerability report from only one CNA
> - obtain the candidate from the vendor, if the vendor is a CNA
What about when the vulnerability affects multiple vendors? Would any of
the vendor CNAs be appropriate?
> - publish through known reliable channels (vendor or response team),
> or known public channels with peer review (Bugtraq or NTBugtraq)
I assume the parenthetical clauses are just examples, right? A paper at
Crypto would be just fine, wouldn't it? Or do you mean to require the
availability of this information freely on the web?