[ Date Prev ][ Date Next ][ Thread Prev ][ Thread Next ][ Date Index ][ Thread Index ]

Re: CVE for hosted services

To : jericho < jericho@attrition.org >
Subject : Re: CVE for hosted services
From : Art Manion < amanion@cert.org >
Date : Tue, 28 Feb 2017 09:50:05 -0500
Authentication-results : spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=cert.org;
Cc : cve-editorial-board-list < cve-editorial-board-list@LISTS.MITRE.ORG >
Delivery-date : Tue Feb 28 10:33:33 2017
In-reply-to : < alpine.LNX.2.00.1702262338220.19881@forced.attrition.org >
List-help : < mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST >
List-owner : < mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG >
List-subscribe : < mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG >
List-unsubscribe : < mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG >
References : < A4305A50-AD19-4025-842E-D89337B8269C@cisco.com > < 379DDB8A-F1D2-4E4B-9307-CFBFDB0521F5@intel.com > < 8942442A-17E2-4EEB-9943-648F27125AA6@cisco.com > < 079d4575-d5ef-be7c-bdfb-f817e625b02e@cert.org > <CANO=Ty052fUY+BUC2zziFeiJ=cBPQWUbQozm-9ymKDkBuxo2Xg@mail.gmail.com> < ad8435b9-ba08-a5ee-25ef-cf314c75e0e5@cert.org > < 1487797534.7382.18.camel@cerias.purdue.edu > < alpine.LNX.2.00.1702221518090.19881@forced.attrition.org > < d78f00cb-280e-a674-9264-edf9ed3b4507@cert.org > < CY4PR09MB1255385CC89FEF05C100E83BE6530@CY4PR09MB1255.namprd09.prod.outlook.com > < alpine.LNX.2.00.1702231801000.19881@forced.attrition.org > < 4689d956-c638-b3cc-94cb-1e877c5dc64d@cert.org > < MWHPR09MB14858DAA97929742041D5606A1520@MWHPR09MB1485.namprd09.prod.outlook.com > < alpine.LNX.2.00.1702241614480.19881@forced.attrition.org > < 6a9a57eb-bad0-bea7-a71b-88b059a82969@cert.org > < alpine.LNX.2.00.1702262338220.19881@forced.attrition.org >
Sender : < owner-cve-editorial-board-list@lists.mitre.org >
Spamdiagnosticmetadata : 6cdb8bfc89744bd8bfee511e3e65aa05
Spamdiagnosticoutput : 1:2
User-agent : Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.7.1

On 2017-02-27 00:56, jericho wrote:

> : What does CAN/CVE mean in this discussion?
> :
> The CNA/CVE abstraction from day one made sense. Historically, it was
> the
> board voting on if an issue warranted a CVE assignment. It was a
> CANdidate
> until the board voted, or MITRE made an execute decision. The
> MITRE/CVE
> site actually showed those votes for a decade.
>
> If there were two schemes, for vuln in software (i.e. the context and
> purpose of CVE), for a *decade*...
>
> How can you possibly ask what CAN/CVE means in this discussion?

I know why CAN/CVE existed.  That reason (early days of defining
vulnerabilities, candidates, discussion, voting, ratification as CVE)
doesn't match what discussing today today (service vs. product vulns).
That's why I'm asking.

I too am interested in other opinions on 1. tracking service vulns at
all and 2. using a new scheme or not.  I'm mildly against using a
number-space carve-out, seems like this could change frequently enough
to cause trouble.  DWF==CVE, so DWF in 7 digits isn't quite the same
issue.

 - Art

Follow-Ups :
- Re: CVE for hosted services
  - From: Kurt Seifried <kurt@seifried.org>

References :
- CVE for hosted services
  - From: "Andy Balinsky (balinsky)" <balinsky@cisco.com>
- Re: CVE for hosted services
  - From: "Landfield, Kent B" <kent.b.landfield@intel.com>
- Re: CVE for hosted services
  - From: "Andy Balinsky (balinsky)" <balinsky@cisco.com>
- Re: CVE for hosted services
  - From: Art Manion <amanion@cert.org>
- Re: CVE for hosted services
  - From: Kurt Seifried <kseifried@redhat.com>
- Re: CVE for hosted services
  - From: Art Manion <amanion@cert.org>
- Re: CVE for hosted services
  - From: Pascal Meunier <pmeunier@cerias.purdue.edu>
- Re: CVE for hosted services
  - From: jericho <jericho@attrition.org>
- Re: CVE for hosted services
  - From: Art Manion <amanion@cert.org>
- RE: CVE for hosted services
  - From: "Booth, Harold (Fed)" <harold.booth@nist.gov>
- RE: CVE for hosted services
  - From: jericho <jericho@attrition.org>
- Re: CVE for hosted services
  - From: Art Manion <amanion@cert.org>
- RE: CVE for hosted services
  - From: "Coffin, Chris" <ccoffin@mitre.org>
- RE: CVE for hosted services
  - From: jericho <jericho@attrition.org>
- Re: CVE for hosted services
  - From: Art Manion <amanion@cert.org>
- Re: CVE for hosted services
  - From: jericho <jericho@attrition.org>

Prev by Date: Re: CVE for hosted services
Next by Date: Re: CVE for hosted services
Previous by thread: Re: CVE for hosted services
Next by thread: Re: CVE for hosted services
Index(es):
- Date
- Thread