
Re: [TECH] Candidate Numbering Authorities


I've read the proposal, and it seems rational and reasonable. A couple 
of questions:

>   - it must only assign candidates to security issues that will be
>     made public

If a candidate is assigned, and the report is later found to be bogus or 
duplicative, are there any obligations on the CNA to account for the 
"missing number?" Or can it just be sent to /dev/null?

> ----------------------------------
> Communications from CNA's to MITRE
> ----------------------------------
> The following types of communication occur from CNA's to MITRE:
>   - request a pool of candidate numbers

Must numbers within the pool be handed out sequentially? Will the pool 
necessarily be contiguous? One of the things we are mildly concerned 
with is leaking information about who (particularly vendors) knew what 
when as regards a vulnerability. We don't want to put vendors in the 
position of having to defend why one patch came out after another even 
though the problems were reported in the other order.

>   - suspected researcher abuses

Although we can report a "faulty" number, we can't report on 
individuals' intentions if they wish to remain anonymous. Does this 
imply a requirement to disclose researcher identities for those who wish 
to remain anonymous?

>   - they should not publish CVE candidate numbers in a manner which
>     might provide them with any economic or political advantage over
>     their competitors

"might provide...any" is a little broad. We sometimes disclose 
information to sponsors and collaborators privately under NDA before 
public dissemination, and we support that practice in general. It seems 
reasonable to me that a candidate number could be part of that private 
disclosure. Would such disclosure be prohibited?

> ---------------
> Vendor Liaisons
> ---------------
> A vendor liaison works with CNA's to obtain or verify CVE candidates
> in the liaison's own products.  The liaison is not an Editorial Board
> member, nor is it a CNA, as it may not have the need or capability to
> satisfy the CNA requirements.

I don't understand the role of vendor liaisons. Could you elaborate, and 
perhaps provide an example?

>   - obtain candidates for a vulnerability report from only one CNA
>   - obtain the candidate from the vendor, if the vendor is a CNA

What about when the vulnerability affects multiple vendors? Would any of 
the vendor CNAs be appropriate?

>   - publish through known reliable channels (vendor or response team),
>     or known public channels with peer review (Bugtraq or NTBugtraq)

I assume the parenthetical clauses are just examples, right? A paper at 
Crypto would be just fine, wouldn't it? Or do you mean to require the 
availability of this information freely on the web?


Page Last Updated or Reviewed: May 22, 2007