Re: Juniper to be added to the official list of CNAs

On Sat, 23 Apr 2016, Landfield, Kent B wrote:

: Just to be clear.... Voting on CNAs has not occurred in the past. Or at
: least not that I can remember. I see no reason to start now.

Yet, the board used to vote on every single CVE ID assignment. Things
change.

My primary concern is that a CNA who is not following assignment
guidelines ends up causing confusion and headache for those who monitor
their advisories. We've had users and customers mail us asking about CNA
vendor assignment screwups in the past, so it isn't just us noticing. For
the last month, I have steadily increased the number of mails I am sending
to vendors and researchers about CVE assignment problems, sometimes
sending as many as five a day.

If we can better head off that problem, and make sure a potential CNA is
truly ready to step in as one, we should. I don't get the feeling that
most of the board monitors some of these vendors to the degree I do, so I
don't want a rubberstamping discussion via phone to be the only thing
stopping them from getting approved.

: I agree official votes should be on the list for items we have
: previously agreed to vote on but rough consensus on board calls is more
: than enough for most other items.

Everyone appears to agree on this so far, which I am happy to see.

: I personally would not want to start voting on everything as that would
: just slow the effort down greatly at a time when rapid improvements are
: needed.

No, but we also don't want the typical knee-jerk reaction the U.S.
government is well-known for either (and MITRE demonstrated with that
federated ID scheme change nonsense that wasn't discussed with the board).
Taking an extra few days or even weeks to ensure a solution is appropriate
benefits us more than rushing to a solution that will demand more fixes in
the months to come.