Re: CVE ID Syntax Vote - results and next steps

[Carsten Eiram <che@riskbasedsecurity.com>]

On Thu, Apr 18, 2013 at 8:51 PM, Art Manion <amanion@cert.org> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 

What caused me to reconsider was the idea of more and more active
CNAs.  Now, MITRE is careful to hand out modest allocations of IDs,
generally sequentially, to dozens(?) of CNAs.  I don't think there's
much waste.

Right. I don't recall who initially raised this point, but as I've previously mentioned, I find it very valid, and it did cause me to reconsider too. After some pondering, I ultimately concluded, however, that I still considered 6 digits to do the job (I won't have an issue with 7 fixed digits either).

Having more CNAs or Super CNAs is not going to significantly increase the CVE output. Sure, MITRE may have more time to assign to less prioritized issues, because other CNAs are sharing some of the burden, but ultimately having more CNAs is just going to mean that someone else is assigning a CVE instead of MITRE.

I was handling the CNA pool when managing Secunia's Research team, assigning CVEs for our own discoveries and later coordinated reports via SVCRP. However, Secunia becoming a CNA did not mean that there were suddenly being assigned a lot more CVEs; we were just covering our issues instead of MITRE.

Let us pretend every major software vendor becomes a CNA. Again, that may increase the number of CVE assignments a bit, but ultimately these CNAs will just be assigning the CVEs that MITRE otherwise would have assigned.

So the primary concern regarding more CNAs and Super CNAs seems to center around CVE waste, as touched on below.

 

What I wanted to future-proof is the world with more CNAs (100s?) with
more assignment authority (like a modulo slice or big sequential block
of the year's CVE ID space).  In this world, there still may still not
be more than 1M CVE IDs published per year, but there may be more than
1M CVE IDs allocated to CNAs.  Allocation != publication.

I completely agree that Allocation != Publication. I also agree that we should expect an increase in CVE waste, if we have more CNAs.

However, if the primary argument for 6 digits being insufficient is that we expect to see a radical increase in CVE waste, then why do we chose to "address" that concern by creating a potentially unlimited CVE range or go with >6 digits? Shouldn't we instead deal with the CVE waste problem by ensuring a solid CNA policy that minimizes it? Obviously, something would be very wrong with the CNA pool assignments, if we suddenly ended up with a radically increase in waste.

Now, I don't see any strong indicators of this particular new world.

Neither do I. Another point to consider is that while all of us here would likely love to see a ton of CNAs popping up (I've personally advocated it many times, and even took it upon myself to educate a few that didn't do it right), what are the chances that it's going to happen? There are a lot of CVE consumers, but not a lot of contributors. What is the incentive for a company to be a CNA? I don't see how the world in the future is going to change with a lot more people willing to contribute to the project.

 

But it seemed reasonable enough to want to plan in advance for.

I appreciate the point, but at the end of the day, how many "ifs" should we take into account? We need to look at where we realistically are in 10-15 years, and what is the best scheme to support that future - not what we "fear" may theoretically happen if all the stars align (in)correctly.

/Carsten