Re: Juniper to be added to the official list of CNAs

On 2016-04-26 03:01, Carsten Eiram wrote:

> As someone who didn't attend the call and just has the list discussions
> to form an opinion on, it comes across as if Brian's concerns were more
> or less dismissed, and that MITRE and Board members were more eager to
> get another CNA onboard vs. taking the time to fully explore the
> concerns raised. Why the rush? Because it's important for MITRE to show
> that they're making progress on the CNA front, which is clear from their
> initial email announcement.

I noted Brian's concerns and do not doubt that they have merit.  I also
generally agree with your assessment of the situation.  But, to me, it's
simply more important to expand CVE, and part of that means more CNAs,
particularly vendor CNAs who should be largely responsible for
assignments in their own software.

I believe Brian that Juniper has issues.  I have first-hand experience
with another vendor CNA who has not followed the rules.  I'm pretty sure
there are other examples.

Without refreshed CNA governance rules, it doesn't matter a whole lot.
Once the rules are in place and being reasonably enforced, Juniper can
follow them or face the consequences, like all the CNAs.

Speaking of consequences, what if Juniper doesn't follow the rules?
Withdraw their CNA status?  Then who is going to issue CVE IDs for
Juniper vulnerabilities?  If a CNA assigns incorrectly, reject their
assignments.  If the CNA actually wants their CVE IDs to count, they'll
shape up.  If they don't, de-list them.  And yes, this does sound like
laissez-faire.  The current model doesn't scale.

Growing CVE is going to decrease fidelity.  As far as I've thought about
it, MITRE acting as CNA registrar/auditor/manager and ultimate arbiter
of assignments from many CNAs might work as an organizational model.

 - Art

Page Last Updated or Reviewed: April 27, 2016