Re: Notice of Pilot Activity in CVE Auto WG

[Kurt Seifried <kseifried@redhat.com>]

On Tue, May 9, 2017 at 1:23 PM, Art Manion <amanion@cert.org> wrote:

 

Why can't MITRE just pull from all of its immediately subordinate CNAs
(who in turn are required to pull from theirs)?  That'd give MITRE a
full view.

One thing I want to note is that PULL means I need to check ALL my sub CNA's (and I will hopefully have hundreds) meaning I need to do X hundred PULLS every Y minutes, vs. PUSH where we only do it as needed. 

 

I won't claim to be a blockchain expert, but I've talked with colleagues
at CERT/CC about a model to sign assertions about vulnerabilities (e.g.,
Red Hat claims a blob of vulnerability information is correct, CERT/CC
agrees and signs, somebody else disagrees and signs...).

So without getting to in depth there's a bunch of different properties you can have in blockchains for various use cases (e.g. a currency vs. a land title vs. an insurance records blockchain). The main thing would be defining what we want with respect to CVE, do we want to be able to roll back transactions and "delete" data? or do we make it inviolate? how many entities have to vote/what weighting is used? do we want side chains for privacy (e.g. embargoed issues)? and so on. Part of my current goal is to get operational experience sharing the data so we can figure out what properties we actually need (e.g. in picking git one aspect is we can get rid of stuff, but it's not "deleted", but I think this is ok because once you publish stuff on the Internet, well, you can't really scrub it off any ways). 

 

 - Art

--

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com