Re: CNA requirements
On 2016-05-17 10:54, Waltermire, David A. (Fed) wrote:
> IMHO, I believe we need to address this in a way that supports a
> non-hierarchical, graph of communications between CNAs. This models
> what happens in the real world. It should be possible for any CNA to
> find any other CNA, get their contact info, and then reach out to
> them to coordinate on a CVE assignment. Relying on parent CNAs does
> not make this work.
How about: A CNA must have a working email and phone contact with their
parent CNA and MITRE. Responsibility of the CNA to keep it a working
contact, don't specify that it's two contacts. Perhaps all CNA contacts
go on a mailing list. CNAs are required to maintain certain public
information (that could be presented on their site, parent CNA, and/or
MITRE).
- Art
>> -----Original Message-----
>> From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Kent Landfield
>> Sent: Tuesday, May 17, 2016 9:41 AM
>> To: Adinolfi, Daniel R <dadinolfi@mitre.org>
>> Cc: Kurt Seifried <kseifried@redhat.com>; cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
>> Subject: Re: CNA requirements
>>
>> Why can't we make it one of the rules for a CNA?
>>
>> There must be two points of contact identified at all times either to MITRE or the parent CNA. If a listed point of contact leaves the company, the company is required to notify the appropriate parent CNA of the POC change.
>>
>> Kent Landfield
>> +1.817.637.8026
>>
>>> On May 17, 2016, at 7:33 AM, Adinolfi, Daniel R <dadinolfi@mitre.org> wrote:
>>>
>>> Kurt,
>>>
>>> Regarding the specific question concerning points of contact, I address it a bit in the draft CNA roster document:
>>>
>>> http://cveproject.github.io/docs/cna/DRAFT%20-%20Review%20and%20Update%20of%20CNA%20Roster.docx
>>>
>>> Periodically, each CNA will update their public, primary, and alternate contact points. The primary and alternate contacts should be individuals, whereas the public should probably be a mail alias that sends messages to queues or multiple individuals. This gives us a way to get into the generic email queue and also reach past that queue to get to the real people behind it.
>>>
>>> For projects where there is not a generic queue and contact is only with individuals, we could still request multiple contacts and keep that list updated periodically. If there is only one individual, if that person falls off the face of the Earth and they don't give you an alternate or replacement, they should be disqualified from being a CNA. Providing active points of contact should be a requirement for being a CNA, I believe.
>>>
>>> Thoughts?
>>>
>>> Thanks.
>>>
>>> -Dan
>>>
>>>> On 5/16/16, 19:43, "owner-cve-editorial-board-list@lists.mitre.org on behalf of Kurt Seifried" <owner-cve-editorial-board-list@lists.mitre.org on behalf of kseifried@redhat.com> wrote:
>>>>
>>>> So I'm looking at the CNA requirements for DWF CNA's, obviously most of
>>>>
>>>> https://cve.mitre.org/cve/cna.html
>>>>
>>>> pretty much directly applies. But one thing I have run into in other situations is single point of contact, and the person leaves/etc. I'm thinking for the case of a lot of smaller Open Source projects you usually have a main developer so I think a single point of contact being a problem is moot here (since without them the project won't get updates, let alone CVEs). I was wondering what other people thought?
>>>>
>>>> --
>>>> Kurt Seifried -- Red Hat -- Product Security -- Cloud
>>>> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>>>> Red Hat Product Security contact: secalert@redhat.com
>>>