
Re: CVE ID Syntax - Seeking Suggestions for Outreach

It makes me queasy, too. Another part of me says if it were done,
then when it were done, 'twere best it was done quickly, and perhaps
(noting Steve's mail), it would be best to announce a date when we
plan to break things.

As I think about the year, I can hope that security people will be
busy migrating away from XP in the near future, and expect they'll be
busy with Blackhat-related announcements at the start of August.  So a
soon date might be July, and a far date might be September.  The later
we push, the higher the likelihood that we're planning to scramble.


On Thu, Apr 03, 2014 at 10:58:22AM -0400, Pascal Meunier wrote:
| I thought about doing that (a test CVE) but the thought of breaking
| things in production on purpose, earlier than previously announced
| (expectations have already been set), made me queasy.  It would be
| easier to stomach if done "just before" we run out of old IDs.
| Pascal
| On Thu, 3 Apr 2014 10:40:23 -0400
| Adam Shostack <adam@homeport.org> wrote:
| > On Thu, Apr 03, 2014 at 09:04:11AM -0400, Pascal Meunier wrote:
| > 
| > | I expect most customers will get engaged only when something breaks.
| > | I think it would be most useful to publicize the switch and send
| > | notices just before you run out of old format IDs.  What "just
| > | before" means could be "1 week" but is of course debatable.
| > 
| > I think Pascal nails it here: we will get incremental value from
| > additional rounds of PR, but at some level, there will be folks who
| > don't feel a need to act until there's a need.
| > 
| > So allow me to advocate for "propaganda through action": issue a
| > single CVE soon which is intended to stress the toolchains.  Make it
| > a real CVE, so that the customers have a way to check if their
| > toolchains really work.
| > 
| > I'll further advocate that this should be done soon, and should be the
| > focus of the new round of PR.
| > 
| > 
| > Adam
| > 
| > PS:  I don't actually know if this is a good idea, but wanted to
| > throw it out for consideration.
| > 
| > 

Page Last Updated or Reviewed: October 03, 2014