Date: Fri Feb  3 21:52:48 2006
From: coley at mitre.org (Steven M. Christey)
Subject: Re: Open Letter on the Interpretation of
	"Vulnerability Statistics"


Florian Weimer said:

>> Unless things have changed since I went through the process, the
>> authority involved does not extend to Debian in general but only to
>> specific individuals.
>
>Certainly, at Debian, only certain individuals issue CVEs. I can't
>tell if this is Debian's choice, or a result of MITRE's rules.

Like some other aspects of CVE, there is a distinct lack of
distinction between individuals and organizations.  In the case of
these Candidate Numbering Authorities (CNAs), a specific individual at
the CNA goes through some period of training to ensure that he/she
learns how to assign the proper number of identifiers in accordance
with CVE's content decisions.  Usually this training is for a specific
individual of the organization.  But as long as the CNA collectively
follows CVE's content decisions when it assigns identifiers, how it
"implements" those actions is not within CVE's purview.  For example,
Red Hat and CERT are two other organizations that have multiple people
assigning CVE identifiers.

- Steve
