Regarding the automation options, it would be helpful to have a bit more guidance on whether the approach should be "one size fits all" or "run your house as you see fit." If the desire is to enforce a uniform workflow (one size fits all), then we could use the code to enforce a 3-way handshake among the transferring CNA, receiving CNA and Root CNA so that transfers of IDs can only occur when all the parties agree. The advantage of this approach is that the same process is enforced for all CNAs, so it is uniform across the program. The disadvantage is that changes to this policy require changes to the code (write code, test new code, deploy code, fix bugs, etc.) and increase code complexity.
On the other end of the spectrum, the Root CNA could have the ability to move IDs among subordinate CNAs unilaterally, or to delegate this ability to subordinate CNAs. The advantage is that different workflows can be implemented without making changes to the code. The disadvantage is that the code doesn't enforce any particular workflow, so CNAs could deviate by accident, or with ill intent, and the code wouldn’t prevent it from happening (although it could always be undone).
My personal preference is for code that gives root CNAs the ability to manage ID transfers but doesn't enforce it. This would allow the community to try different workflows without having to change the code. If, at some point, the workflows settle into a stable state, we could always modify the code to enforce that process. That said, I’m not a user of the system and shouldn’t have a vote.
Until we get explicit guidance to enforce a specific workflow in the code, we can implement an approach that allows Root CNAs to move IDs or to delegate that ability. This will maximize flexibility and provide a feasible solution.
Best regards,
Lew
Lewis A. Loren, Ph.D.
Office: 781-271-5969
Cell: 781-715-5125
People like to say that the conflict is between good and evil.
The real conflict is between truth and lies – Don Miguel Ruiz
One of my actions is to produce a document covering the procedure for transferring CVE IDs between CNAs. That's below. You'll note there are no technical controls implemented -- that would be up to AWG and the Board to implement. Right now, this could be implemented as a series of emails with judicious use of the cc: field, and some editing on MITRE's secret ownership database, with automation options fairly open.
Process for transferring CVE IDs between CNAs:
1. The CNA which has been allocated the CVE IDs and the recipient CNA must both agree to the transfer of CVE IDs and associated responsibilities.
2. Both CNAs shall independently submit a request to their parent CNA or the program root CNA, listing the specific CVEs being transferred.
3. The parent CNA or the program root CNA reviews the requests, makes necessary changes to allocation records, and confirms the completion of the transfer process to the requesting CNAs or responds to the request with reasons if the transfer cannot be completed.
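The two models discussed in this thread (a 3-way handshake enforced in code, versus Root CNA authority that can be delegated and is logged so a move can be undone) and the three-step transfer process above can be sketched as a small registry. The following is an added example written for this page; it is not code from the thread's authors, MITRE or the CVE program, and every CNA name and CVE ID in it is a constructed placeholder. It shows how much of the process the code actually guarantees under each model.

```python
"""Added example: two ways a CVE ID registry could handle transfers between CNAs.

STRICT mode enforces the three-way agreement in code: the transferring CNA,
the receiving CNA and the Root CNA must each approve before an ID moves.
DELEGATED mode lets the Root CNA (or a CNA it has delegated to) move IDs
directly; nothing else is enforced, but every move is logged so it can be undone.
All CNA names and CVE IDs below are constructed sample values, not real ones.
"""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    STRICT = "strict"        # transfer needs approval from all three parties
    DELEGATED = "delegated"  # root or a delegate may move IDs unilaterally


@dataclass
class Registry:
    mode: Mode
    root: str                                      # name of the Root CNA
    owner: dict                                    # cve_id -> owning CNA
    delegates: set = field(default_factory=set)    # CNAs allowed to move IDs (DELEGATED mode)
    approvals: dict = field(default_factory=dict)  # (cve_id, src, dst) -> set of approvers
    audit: list = field(default_factory=list)      # (cve_id, src, dst, actor) history

    def approve(self, cve_id, src, dst, approver):
        """Record one party's agreement to a proposed move (STRICT mode only)."""
        if self.mode is not Mode.STRICT:
            raise ValueError("approvals are only meaningful in STRICT mode")
        if approver not in (src, dst, self.root):
            return False  # only the three parties to the transfer get a say
        self.approvals.setdefault((cve_id, src, dst), set()).add(approver)
        return True

    def _authorized(self, cve_id, src, dst, actor):
        if self.mode is Mode.STRICT:
            needed = {src, dst, self.root}
            # superset check: all three parties must have approved this exact move
            return self.approvals.get((cve_id, src, dst), set()) >= needed
        # DELEGATED: the actor is trusted; the code does not verify the other parties agree
        return actor == self.root or actor in self.delegates

    def transfer(self, cve_id, src, dst, actor):
        """Move cve_id from src to dst if the current mode's policy allows it."""
        if self.owner.get(cve_id) != src:
            return False  # src does not currently hold this ID
        if not self._authorized(cve_id, src, dst, actor):
            return False
        self.owner[cve_id] = dst
        self.audit.append((cve_id, src, dst, actor))
        self.approvals.pop((cve_id, src, dst), None)  # consume the approvals
        return True

    def undo_last(self):
        """Reverse the most recent transfer using the audit log."""
        if not self.audit:
            return False
        cve_id, src, _dst, _actor = self.audit.pop()
        self.owner[cve_id] = src
        return True


def demo_strict():
    """Move fails until the Root CNA adds the third approval."""
    cve, a, b, root = "CVE-0000-00001", "CNA-A", "CNA-B", "RootCNA"  # constructed
    reg = Registry(Mode.STRICT, root=root, owner={cve: a})
    reg.approve(cve, a, b, a)
    reg.approve(cve, a, b, b)
    before = reg.transfer(cve, a, b, actor=a)  # two of three parties: refused
    reg.approve(cve, a, b, root)
    after = reg.transfer(cve, a, b, actor=a)   # all three agree: allowed
    return before, after, reg.owner[cve]


def demo_delegated():
    """Only root or a delegate may move an ID; the move is reversible from the log."""
    cve, a, b, root = "CVE-0000-00002", "CNA-A", "CNA-B", "RootCNA"  # constructed
    reg = Registry(Mode.DELEGATED, root=root, owner={cve: a})
    by_cna = reg.transfer(cve, a, b, actor=a)       # not root, not delegated: refused
    reg.delegates.add(a)                            # root delegates the ability
    by_delegate = reg.transfer(cve, a, b, actor=a)  # now allowed, no consent check
    undone = reg.undo_last()                        # the move can always be undone
    return by_cna, by_delegate, undone, reg.owner[cve]


if __name__ == "__main__":
    print("strict:", demo_strict())
    print("delegated:", demo_delegated())
```

The contrast is in `_authorized`: STRICT mode is the 3-way handshake, so a deviation from the agreed process is impossible but any process change is a code change; DELEGATED mode only checks who the actor is, so workflows can be changed by adjusting `delegates` without touching code, and the audit log is what makes an accidental or ill-intended move recoverable rather than prevented.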