CPE Issue Summary - Microsoft Naming -- Request for additional input

CPE Issue Summary - Microsoft Naming -- Request for additional input

Wolfkiel, Joseph
With respect to the discussion about updating Microsoft CPE names, I have
received and reviewed Drew's recommendation (attached and in-line).  After
working through the issues the DoD and NIST would have to address if it is
implemented (i.e. required re-write of internal NSA products with hard-coded
CPE names, as well as an extensive re-work of the NIST CPE Dictionary, and
an internal rewrite of VMS) I took this issue to the ISAP Working Group for
resolution.

The ISAP WG agreed that the benefits of naming windows CPEs in a more
technically correct manner (consistent with option 2) would have significant
and measurable costs due to significant product re-work required to
implement them in NSA products, VMS, and NVD.  They further agreed that the
issue should be re-opened in light of this new information prior to coming
to a decision.

The specific problem is using "windows" as a product name, which is not an
actual product, but an abstraction of all Microsoft Windows-branded
operating systems.  However, the "Title" of the CPE name uses concrete
product names (e.g. Windows XP, Windows Server 2003, etc).  Both VMS and CPE
Dictionary support left-to-right hierarchies that dynamically build CPEs by
specifying vendor, product, version, etc and require a discrete product name
prior to selecting other CPE components.  Both would have to be extensively
redesigned to deal with a product title that is ambiguous until the edition
field is populated.  On the other hand, the main benefit of the suggested
name change seems to be technical correctness, with no associated cost
avoidance or savings.

However, with respect to including the version number in Microsoft Windows
CPE names, the ISAP Working Group did not have any issues.

The ISAP Working Group asked me to write up these issues and circulate them
on the CPE discussion list to ensure there aren't any additional unknown
impacts, one way or the other, of making the changes prior to issuing a
final decision.

I've asked Drew to work through this issue prior to closing out this
discussion.

Joe Wolfkiel, CPE Sponsor

****************************************************************************
Lt Col Joseph L. Wolfkiel
Director, Computer Network Defense Research & Technology (CND R&T) Program
Management Office
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700

-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Friday, June 05, 2009 2:16 PM
To: Wolfkiel, Joseph
Cc: Baker, Jon
Subject: CPE Issue Summary - Microsoft Naming

Lt Col,

Attached please find the issue summary from the Microsoft naming discussion.
My recommendation is twofold:

1) in the short term, follow option 2 and re-work the Microsoft OS names in
the dictionary

2) in the longer term, work on a proposal to explore some of the ideas
brought up during the discussion.

Please take a look at the attached and let me know what your decision is
regarding the path forward.

Thanks
Drew

---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515
-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Wednesday, May 27, 2009 6:52 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Microsoft OS Naming Issue

I encourage anyone with an opinion on this matter to share their thoughts so
that the correct decision can be made going forward.  I personally think
that a change to the current Microsoft Windows CPE Names would be the
correct way forward.  I think the change would make technical sense and it
will bring the Windows names into alignment with the specification.  This of
course would mean deprecating all the existing names.  I am very interested
to see if you agree with this position, or if you think that this might not
be the smartest move to do at this time.

Thanks
Drew




>-----Original Message-----
>From: Buttner, Drew [mailto:[hidden email]]
>Sent: Monday, May 18, 2009 7:43 AM
>To: cpe-discussion-list CPE Community Forum
>Subject: [CPE-DISCUSSION-LIST] Microsoft OS Naming Issue
>
>** reply by Friday June 5th **
>
>The creation of CPE Names for the different Microsoft operating systems
>has been a source of discussion since the beginning of CPE.  In October
>2007 the issue was discussed in depth and it was decided that these
>names should be based off of the commonly known marketing names.  We
>have tried this approach for the past year and a half but some issues
>still remain.
>
>We are realizing that names based off the marketing names are hard to
>manage as marketing  names change frequently.  Marketing names also
>lead to incorrect CPE Matching as a marketing name may stay the same
>but the underlying code may change.  Or the marketing name may change
>even if the code doesn't.
>
>I'd like to formally bring up this issue to the CPE community
>again and make sure we are still going down the correct path.  
>Obviously, one option will be to keep going down the current path.  But
>other options would require changes to the current names.  This would
>mean a lot of deprecation and potential vendor work to readjust their
>mapping.  The costs of this change may not be worth the benefits.  
>Unfortunately I do not see the issues and/or discussions surrounding
>Microsoft names subsiding until we fix the root of the problem.  So at
>some point I think we are going to have to make some type of change.
>
>Some examples of the issues we currently face:
>
>- Windows XP 64-Bit Edition, Version 2003 which is actually based off
>of the code for Windows Server 2003
>
>- determining which CPE Name to use being difficult as the technical
>information returned from a system query is not associated with any CPE
>Name
>
>- inconsistencies when dealing with beta and pre-releases, for example
>the current Windows 7 betas and if the OS marketing name will actually
>be Windows 7
>
>- difficulty determining if certain updates/editions are really
>different versions, for example the R2 releases
>
>- inconsistency between operating system and application naming as many
>of the Microsoft application names follow the technical name  (see
>Internet Explorer)
>
>Below are two options that I see as possible paths forward.  I urge
>everyone to share their opinion as we can only understand the best
>course by knowing how it affects the entire community.  If you have
>other ideas, please don't be afraid to share them as well.
>
>Discussion on this issue will end on Friday June 5th (3 weeks) at which
>time a decision will be made based on community consensus.
>
>----------------------------------
>OPTION 1
>----------------------------------
>
>Keep things the way they currently are.  Although not perfect, the
>current way of creating CPE Names for Microsoft operating systems is a
>good balance between technical correctness and human understanding.  In
>addition, the work required to deprecate the current Microsoft CPE
>Names and remap to new names would not be worth the benefits of the change.
>
>The CPE Specification should be updated to clarify how to create CPE Names
>for Microsoft operating systems and platforms that exhibit related
>properties.
>
>----------------------------------
>OPTION 2
>----------------------------------
>
>In order to put to bed the continued discussions on Microsoft names we
>should change how we create these names.  We should leverage the
>internal version of the operating system and use that in the version
>component.  In a way, this is more true to the current CPE
>Specification.
>
>The <title> element in the dictionary would be used to hold the
>marketing name associated with each different version.  For example:
>
>cpe:/o:microsoft:windows:5.1.2600  -  Microsoft Windows XP
>cpe:/o:microsoft:windows:5.1.2600:2180  -  Microsoft Windows XP SP2
>cpe:/o:microsoft:windows:5.1.2600:5512  -  Microsoft Windows XP SP3
>cpe:/o:microsoft:windows:5.2.3790  -  Microsoft Windows Server 2003
>cpe:/o:microsoft:windows:5.2.3790:3959  -  Microsoft Windows Server 2003 SP2
>
>Note that this option would require deprecating all the existing
>Microsoft names in the CPE dictionary.  But this option better aligns
>with the way the specification is currently written.
>
>----------------------------------
>----------------------------------
>
>Again, I urge everyone to share their opinion by Friday June 5th.
>
>
>Thanks
>Drew
>
>
>
>
>---------
>
>Andrew Buttner
>The MITRE Corporation
>[hidden email]
>781-271-3515


Re: CPE Issue Summary - Microsoft Naming -- Request for additional input

Andrew Buttner
Administrator
I'd like to make another push to try and close the issue around the Microsoft
OS CPE names.  There has been a request to better understand the costs of this
decision, both for and against the change.  I will attempt to kick start this
by offering up my own personal thoughts on the costs.

It is my belief that the cost associated with NOT making the proposed change is
having an initiative that continues to struggle in gaining acceptance and
making forward progress.  I think the CPE Names for Microsoft OS's currently
in the Official CPE Dictionary are detrimental to the adoption of the effort.
I say this not because of the costs that are associated with implementations,
etc.  Rather, I see the success of the enumeration tied to its technical
correctness and its consistency / ease of understanding.  The current CPE
Names for Microsoft OS's damage both aspects.

The current names do not follow the guidance in the CPE Specification and thus
users of CPE question what is going on.  This makes understanding CPE more
difficult thus hurting adoption.  This also severely hurts the ability of
others to help in the creation of new names as they struggle to understand how
to implement the guidance in the specification.

The current names are not technically correct.  They use version information
to generate the product component and then leave the version component blank.
This is looked upon with curiosity and gives the appearance that CPE as a
project does not know what it is talking about.  Users will be less likely to
invest in an effort if they are not convinced of its technical merit.

Failing in regards to both technical correctness and compliance with the
specification puts adoption of CPE at risk, and therefore puts at risk the
ability of the community to develop a strong enumeration to bring the
community together in the area of platform naming.  It is the lack of
coordination that is the cost of NOT moving forward with the proposal.

Thanks
Drew



>-----Original Message-----
>From: Wolfkiel, Joseph [mailto:[hidden email]]
>Sent: Monday, July 13, 2009 8:23 AM
>To: cpe-discussion-list CPE Community Forum
>Subject: [CPE-DISCUSSION-LIST] CPE Issue Summary - Microsoft Naming --
>Request for additional input

Re: CPE Issue Summary - Microsoft Naming -- Request for additional input

Dawn Adams
Well said Drew!!

-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: July 29, 2009 10:19 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] CPE Issue Summary - Microsoft Naming --
Request for additional input

* PGP - S/MIME Signed by an unverified key: 07/29/09 at 10:19:08


Re: CPE Issue Summary - Microsoft Naming -- Request for additional input

Wolfkiel, Joseph
Just a reminder, the counter-proposal to deleting real product names from
the Microsoft CPEs and replacing them all with the abstraction "windows"
along with the version numbers was to just add in version numbers to create
CPEs for all known MS Windows product versions.  The new CPEs would include
version numbers along with real product names.

This solution would be backwards-compatible with existing CPE names and just
require the addition to the CPE dictionary of fully-specified CPE names for
MS Windows products that include the version numbers.  It wouldn't require
deprecation of any existing CPEs since the matching algorithm would make the
existing CPE without version numbering match the CPE with the version number
populated.

I don't think anyone on the list is opposed to adding version numbers to the
CPEs for Microsoft Windows products.  You can probably safely start doing
that today.

Lt Col Joseph L. Wolfkiel
Director, Computer Network Defense Research & Technology (CND R&T) Program
Management Office
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700

-----Original Message-----
From: Dawn Adams [mailto:[hidden email]]
Sent: Wednesday, July 29, 2009 10:28 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] CPE Issue Summary - Microsoft Naming --
Request for additional input

Well said Drew!!

-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: July 29, 2009 10:19 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] CPE Issue Summary - Microsoft Naming --
Request for additional input

* PGP - S/MIME Signed by an unverified key: 07/29/09 at 10:19:08

I'd like to make another push to try and close the issue around the
Microsoft OS CPE names.  There has been a request to better understand the
costs of this decision, both for and against the change.  I will attempt to
kick start this by offering up my own personal thoughts on the costs.

It is my belief that the cost associated with NOT making the proposed change
is having an initiative that continues to struggle in gaining acceptance and
making forward progress.  I think the CPE Names for Microsoft OS's currently
in the Official CPE Dictionary are detrimental to the adoption of the
effort.  I say this not because of the costs that are associated with
implementations, etc.  Rather, I see the success of the enumeration tied to
its technical correctness and its consistency / ease of understanding.  The
current CPE Names for Microsoft OS's damage both aspects.

The current names do not follow the guidance in the CPE Specification and
thus users of CPE question what is going on.  This makes understanding CPE
more difficult thus hurting adoption.  This also severely hurts the ability
of others to help in the creation of new names as they struggle to
understand how to implement the guidance in the specification.

The current names are not technically correct.  They use version information
to generate the product component and then leave the version component
blank.  This is looked upon with curiosity and gives the appearance that CPE
as a project does not know what it is talking about.  Users will be less
likely to invest in an effort if they are not convinced of its technical
merit.

Failing in regards to both technical correctness and compliance with the
specification puts adoption of CPE at risk, and therefore puts at risk the
ability of the community to develop a strong enumeration to bring the
community together in the area of platform naming.  It is the lack of
coordination that is the cost of NOT moving forward with the proposal.

Thanks
Drew



>-----Original Message-----
>From: Wolfkiel, Joseph [mailto:[hidden email]]
>Sent: Monday, July 13, 2009 8:23 AM
>To: cpe-discussion-list CPE Community Forum
>Subject: [CPE-DISCUSSION-LIST] CPE Issue Summary - Microsoft Naming --
>Request for additional input
>
>With respect to the discussion about updating Microsoft CPE names, I
>have received and reviewed Drew's recommendation (attached and
>in-line).  After working through the issues the DoD and NIST would have
>to address if it is implemented (i.e. required re-write of internal NSA
>products with hard-coded CPE names, as well as an extensive re-work of
>the NIST CPE Dictionary, and an internal rewrite of VMS) I took this
>issue to the ISAP Working Group for resolution.
>
>The ISAP WG agreed that the benefits of naming windows CPEs in a more
>technically correct manner (consistent with option 2) would have
>significant and measurable costs due to significant product re-work
>required to implement them in NSA products, VMS, and NVD.  They further
>agreed that the issue should be re-opened in light of this new
>information prior to coming to a decision.
>
>The specific problem is using "windows" as a product name, which is not
>an actual product, but an abstraction of all Microsoft Windows-branded
>operating systems.  However, the "Title" of the CPE name uses concrete
>product names (e.g. Windows XP, Windows Server 2003, etc).  Both VMS
>and CPE Dictionary support left-to-right hierarchies that dynamically
>build CPEs by specifying vendor, product, version, etc and require a
>discrete product name prior to selecting other CPE components.  Both
>would have to be extensively redesigned to deal with a product title
>that is ambiguous until the edition field is populated.  On the other
>hand, the main benefit of the suggested name change seems to be
>technical correctness, with no associated cost avoidance or savings.
>
>However, with respect to including the version number in Microsoft
>Windows CPE names, the ISAP Working Group did not have any issues.
>
>The ISAP Working Group asked me to write up these issues and circulate
>them on the CPE discussion list to ensure there aren't any additional
>unknown impacts, one way or the other, of making the changes prior to
>issuing a final decision.
>
>I've asked Drew to work through this issue prior to closing out this
>discussion.
>
>Joe Wolfkiel, CPE Sponsor
>
>***************************************************************************
>Lt Col Joseph L. Wolfkiel
>Director, Computer Network Defense Research & Technology (CND R&T)
>Program Management Office
>9800 Savage Rd Ste 6767
>Ft Meade, MD 20755-6767
>Commercial 410-854-5401 DSN 244-5401
>Fax 410-854-6700
>
>-----Original Message-----
>From: Buttner, Drew [mailto:[hidden email]]
>Sent: Friday, June 05, 2009 2:16 PM
>To: Wolfkiel, Joseph
>Cc: Baker, Jon
>Subject: CPE Issue Summary - Microsoft Naming
>
>Lt Col,
>
>Attached please find the issue summary from the Microsoft naming
>discussion.
>My recommendation is twofold:
>
>1) in the short term, follow option 2 and re-work the Microsoft OS
>names in the dictionary
>
>2) in the longer term, work on a proposal to explore some of the ideas
>brought up during the discussion.
>
>Please take a look at the attached and let me know what your decision is
>regarding the path forward.
>
>Thanks
>Drew
>
>---------
>
>Andrew Buttner
>The MITRE Corporation
>[hidden email]
>781-271-3515
>-----Original Message-----
>From: Buttner, Drew [mailto:[hidden email]]
>Sent: Wednesday, May 27, 2009 6:52 AM
>To: [hidden email]
>Subject: Re: [CPE-DISCUSSION-LIST] Microsoft OS Naming Issue
>
>I encourage anyone with an opinion on this matter to share their
>thoughts so that the correct decision can be made going forward.  I
>personally think that a change to the current Microsoft Windows CPE
>Names would be the correct way forward.  I think the change would make
>technical sense and it will bring the Windows names into alignment with
>the specification.  This of course would mean deprecating all the
>existing names.  I am very interested to see if you agree with this
>position, or if you think that this might not be the smartest move to
>do at this time.
>
>Thanks
>Drew
>
>
>
>
>>-----Original Message-----
>>From: Buttner, Drew [mailto:[hidden email]]
>>Sent: Monday, May 18, 2009 7:43 AM
>>To: cpe-discussion-list CPE Community Forum
>>Subject: [CPE-DISCUSSION-LIST] Microsoft OS Naming Issue
>>
>>** reply by Friday June 5th **
>>
>>The creation of CPE Names for the different Microsoft operating
>>systems has been a source of discussion since the beginning of CPE.
>>In October 2007 the issue was discussed in depth and it was decided
>>that these names should be based off of the commonly known marketing
>>names.  We have tried this approach for the past year and a half but
>>some issues still remain.
>>
>>We are realizing that names based off the marketing names are hard to
>>manage as marketing names change frequently.  Marketing names also
>>lead to incorrect CPE Matching as a marketing name may stay the same
>>but the underlying code may change.  Or the marketing name may change
>>even if the code doesn't.
>>
>>I'd like to formally bring up this issue to the CPE community
>>again and make sure we are still going down the correct path.
>>Obviously, one option will be to keep going down the current path.
>>But other options would require changes to the current names.  This
>>would mean a lot of deprecation and potential vendor work to readjust
>>their mapping.  The costs of this change may not be worth the benefits.
>>Unfortunately I do not see the issues and/or discussions surrounding
>>Microsoft names subsiding until we fix the root of the problem.  So at
>>some point I think we are going to have to make some type of change.
>>
>>Some examples of the issues we currently face:
>>
>>- Windows XP 64-Bit Edition, Version 2003 which is actually based off
>>of the code for Windows Server 2003
>>
>>- determining which CPE Name to use being difficult as the technical
>>information returned from a system query is not associated with any
>>CPE Name
>>
>>- inconsistencies when dealing with beta and pre-releases, for example
>>the current Windows 7 betas and if the OS marketing name will actually
>>be Windows 7
>>
>>- difficulty determining if certain updates/editions are really
>>different versions, for example the R2 releases
>>
>>- inconsistency between operating system and application naming as
>>many of the Microsoft application names follow the technical name  
>>(see Internet Explorer)
>>
>>Below are two options that I see as possible paths forward.  I urge
>>everyone to share their opinion as we can only understand the best
>>course by knowing how it affects the entire community.  If you have
>>other ideas, please don't be afraid to share them as well.
>>
>>Discussion on this issue will end on Friday June 5th (3 weeks) at
>>which time a decision will be made based on community consensus.
>>
>>----------------------------------
>>OPTION 1
>>----------------------------------
>>
>>Keep things the way they currently are.  Although not perfect, the
>>current way of creating CPE Names for Microsoft operating systems is a
>>good balance between technical correctness and human understanding.
>>In addition, the work required to deprecate the current Microsoft CPE
>>Names and remap to new names would not be worth the benefits of the
>>change.
>>
>>The CPE Specification should be updated to clarify how to create CPE
>>Names for Microsoft operating systems and platforms that exhibit
>>related properties.
>>
>>----------------------------------
>>OPTION 2
>>----------------------------------
>>
>>In order to put to bed the continued discussions on Microsoft names we
>>should change how we create these names.  We should leverage the
>>internal version of the operating system and use that in the version
>>component.  In a way, this is more true to the current CPE
>>Specification.
>>
>>The <title> element in the dictionary would be used to hold the
>>marketing name associated with each different version.  For example:
>>
>>cpe:/o:microsoft:windows:5.1.2600  -  Microsoft Windows XP
>>cpe:/o:microsoft:windows:5.1.2600:2180  -  Microsoft Windows XP SP2
>>cpe:/o:microsoft:windows:5.1.2600:5512  -  Microsoft Windows XP SP3
>>cpe:/o:microsoft:windows:5.2.3790  -  Microsoft Windows Server 2003
>>cpe:/o:microsoft:windows:5.2.3790:3959  -  Microsoft Windows Server 2003 SP2
>>
>>Note that this option would require deprecating all the existing
>>Microsoft names in the CPE dictionary.  But this option better aligns
>>with the way the specification is currently written.
>>
>>----------------------------------
>>----------------------------------
>>
>>Again, I urge everyone to share their opinion by Friday June 5th.
>>
>>
>>Thanks
>>Drew
>>
>>
>>
>>
>>---------
>>
>>Andrew Buttner
>>The MITRE Corporation
>>[hidden email]
>>781-271-3515
* Buttner Andrew <[hidden email]>
* Issuer: mitre.org - Unverified
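The backward-compatibility point made in the reply above can be checked mechanically. The following is an added example, not code from the thread or from the CPE project: it assumes a simplified reading of CPE 2.2 matching in which an empty or missing component matches any value, and the `windows_xp` names are constructed to stand in for an existing marketing-name entry and its versioned counterpart.

```python
from urllib.parse import unquote

# Component order of a CPE 2.2 URI: cpe:/part:vendor:product:version:update:edition:language
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe22(uri):
    """Split a CPE 2.2 URI into its seven components; missing ones become ''."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[len("cpe:/"):].split(":")
    if len(parts) > len(FIELDS):
        raise ValueError(f"too many components: {uri!r}")
    parts += [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, (unquote(p).lower() for p in parts)))


def matches(general, specific):
    """True if every populated component of `general` equals that of `specific`.

    Assumption: simplified CPE 2.2 matching, where an empty component in the
    more general name acts as a wildcard.
    """
    g, s = parse_cpe22(general), parse_cpe22(specific)
    return all(g[f] == "" or g[f] == s[f] for f in FIELDS)


# Constructed names for illustration.
EXISTING = "cpe:/o:microsoft:windows_xp"            # marketing name, no version
COUNTER = "cpe:/o:microsoft:windows_xp:5.1.2600"    # counter-proposal: add version
OPTION2 = "cpe:/o:microsoft:windows:5.1.2600"       # Option 2 form from the thread
OPTION2_SP2 = "cpe:/o:microsoft:windows:5.1.2600:2180"


def surviving_matches(existing, new_names):
    """Names in the new dictionary that content written against `existing` still hits."""
    return [n for n in new_names if matches(existing, n)]


if __name__ == "__main__":
    print(surviving_matches(EXISTING, [COUNTER, OPTION2, OPTION2_SP2]))
```

Content keyed to the existing name keeps matching under the counter-proposal but matches nothing under Option 2, which is why Option 2 requires deprecating the existing entries.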