Re: DoD and CVE
- To: Pascal Meunier <pmeunier@cerias.purdue.edu>
- Subject: Re: DoD and CVE
- From: Kurt Seifried <kurt@seifried.org>
- Date: Wed, 10 Oct 2018 10:57:25 -0600
- Cc: CVE Editorial Board Discussion <cve-editorial-board-list@mitre.org>
- Delivery-date: Wed Oct 10 13:01:59 2018
- In-reply-to: <1539190482.13789.6.camel@cerias.purdue.edu>
- References: <CABqVa3-aZShKizn_K6Vjf+w_CEinxJQNBXe5jZAaF5DOBd61CQ@mail.gmail.com> <1539190482.13789.6.camel@cerias.purdue.edu>
A lot of military tech now includes COTS/Open Source. It's not like these companies wrote their own realtime OS and USB drivers...
> DoD is the most legitimate case I can think of for using their own numbering system
> instead of CVEs. They have confidentiality needs beyond what CVE can support, e.g.,
> vs nation-state enemies. What value would CVE IDs have to them, over any other
> numbering system providing unique IDs?
>
> I can't reconcile the idea of separate private namespaces that anyone can use however
> they like, with the definition of CVE IDs as unique. They are not CVEs, they're just
> numbers. At best they could be a CNA for whatever they decide to make public, but
> then why not use existing CNAs?
>
> Pascal
>
> On Wed, 2018-10-10 at 09:58 -0600, Kurt Seifried wrote:
> > I can't help but feel like the DoD might need some CVE related help:
> >
> > https://www.gao.gov/mobile/products/GAO-19-128
> >
> > Also this raises the point of "CVEs are for public vulnerabilities" but
> > should we maybe look at what public means/how it is defined (I imagine the
> > DoD/related community would benefit from CVE, but not always be in a
> > position to make the CVEs they assign truly public). Maybe a separate
> > namespace/number space for this kind of thing? (a la IPv4 space 10.*,
> > 172.16.* and so on).
> >
--