How to guess a numerical ID?


How to guess a numerical ID?

Andrew Buttner
Administrator
One of the topics that has come up again is that of a numerically based identifier for CPE as opposed to the current URI-based identifier.  There is a major concern with this however that I would love to hear opinions about.

How and when would new identifiers be assigned for users that need to identify a new platform?

When performing system inventory, it is common to run across a new product or a new version of an existing product, and this might not have been given a name to date.  How would a vendor handle this?  With the URI approach, the goal was to enable the user to "guess" what the identifier would be.  (Granted, this hasn't worked very well.)  But with a numerical ID, guessing will be impossible.

Will the user have to wait for the new identifier to be added to the dictionary before they can use it?

Thoughts?

Thanks
Drew


---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

Re: [nasa-ascs-external] [CPE-DISCUSSION-LIST] How to guess a numerical ID?

Richard Haas
Drew, et al.,

These all appear to be questions that have answers, or lessons, in the historical records for the handling of Media Access Control (MAC) addresses for network devices.

Leading bits would be used to define vendor ranges with trailing bits becoming more "loose" -- perhaps down to version updates -- which might be ignored by vulnerability data (for example) or not, depending on the nature of the vulnerability.  Certainly, the frequency of encountering a new vendor is far less than encountering existing vendors releasing new or updated products.  XML data feeds seem inherently useful to support the near-real-time registration of CPE codes.

I would recommend attempting to improve upon the efforts of the past with modern techniques, not to retrace the same learning processes.

My $0.02.

--
 Richard A. Haas, Senior Systems Engineer --  [hidden email]
 NASA Glenn Research Center  --  DB Consulting Group, Inc.
--


On Mar 9, 2009, at 8:43 PM, Buttner, Drew wrote:

One of the topics that has come up again is that of a numerically based identifier for CPE as opposed to the current URI-based identifier.  There is a major concern with this however that I would love to hear opinions about.

How and when would new identifiers be assigned for users that need to identify a new platform?

When performing system inventory, it is common to run across a new product or a new version of an existing product, and this might not have been given a name to date.  How would a vendor handle this?  With the URI approach, the goal was to enable the user to "guess" what the identifier would be.  (Granted, this hasn't worked very well.)  But with a numerical ID, guessing will be impossible.

Will the user have to wait for the new identifier to be added to the dictionary before they can use it?

Thoughts?

Thanks
Drew


---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515


Ontology vs Vocabulary

Buckley, Michael
In reply to this post by Andrew Buttner
 
May I suggest that we step back a minute and add the following to our
consideration of using semantic technology for the CPE issues/use cases.

Not all tools available in the semantic stack are appropriate to every
data management issue.  We (others too) tend to talk about the ontology
part of the stack as if that was always preferred. With all that implied
overhead. I suggest we scale down a bit and consider that the CPE data
represented at the RDFS layer---what some may call 'RDF ontology' but
which is really a domain vocabulary---may be adequate.  CPE, or any
other SCAP spec contributing data to the NVD, may want to create an
ontology to permit reasoning, or provide aspects such as cardinality,
but you probably don't have to in order to satisfy current CPE use
cases, least of all our use case 1.  Harold has already said that
explicitly.

Mike Buckley
NSA ISAP Program Manager
410 854-5155
410 854-6700 (fax)
[hidden email]

Re: How to guess a numerical ID?

Wolfkiel, Joseph
In reply to this post by Richard Haas
Just with reference to learning from the past, I just yesterday saw the parallel between the URI structure and its lack of a symbol for "not populated" and the Roman Numeral numbering system and its lack of a zero--which held up mathematical development for centuries.
 
Looks like we're repeating history :->  Hopefully our learning curve for CPE will be much shorter.

Lt Col Joseph L. Wolfkiel
Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700

 


From: Richard Haas [mailto:[hidden email]]
Sent: Tuesday, March 10, 2009 1:19 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] [nasa-ascs-external] [CPE-DISCUSSION-LIST] How to guess a numerical ID?


Re: How to guess a numerical ID?

Gary Gapinski
Wolfkiel, Joseph wrote:
> Just with reference to learning from the past, I just yesterday saw the
> parallel between the URI structure and its lack of a symbol for "not
> populated" and the Roman Numeral numbering system and its lack of a
> zero--which held up mathematical development for centuries.


Traditional Hebrew also lacks zero, as did some other mathematical systems.


>  
> Looks like we're repeating history :->  Hopefully our learning curve for
> CPE will be much shorter.


One problem with CPE is not quite the same as the lack of zero. It is
more precisely the presence of uncertainty, certain absence, and even
irrelevancy, with any of those denoted by the absence of some component
of a CPE identifier. When such is expressed in the CPE lexical system,
it prevents simple lexical comparisons of CPE identifiers. While such
absences could be considered assertions, they might better be considered
to be the absence thereof. This introduces at least ternary logic, but
the specific absence of information remains: the absent information has
multiple meanings lacking precise denotation, complicating equivalence
and similarity comparisons.



As for the subject question, I'll just point out that the "E" in CPE was
perhaps not the most fortuitous choice. Practically, UUID (e.g.,
http://en.wikipedia.org/wiki/Uuid) is one solution to the uncoordinated
creation of novel and unique identifiers. Registry can be a consequent
rather than an antecedent.

While it is possible to coin unique identifiers for all 7-tuples CPE
attempts to enumerate, I do not think that is a desirable goal.

It would be useful to enumerate all the things one can say about things
of interest (vendors, products, versions, etc.), and then be allowed to
say as many or as few things as one needs to sufficiently establish what
one is talking about. This is sometimes called a domain, or universe, of
discourse. Enumerating all valid statements one can utter in such a
domain is theoretically possible but has limited practical utility.
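The comparison problem Gapinski describes, as an added illustration that is not part of the thread: a plain string comparison of two CPE 2.2 URIs fails as soon as one side leaves a component unpopulated, so the comparator below returns a third value, UNKNOWN, whenever either side is silent on a component instead of picking one of the meanings (uncertainty, certain absence, irrelevance) he lists. The product names are constructed, not dictionary entries.

```python
"""Ternary comparison of CPE 2.2 URIs with unpopulated components.

Assumed layout (from the 7-tuple the thread discusses):
cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
Trailing components may be omitted; an omitted or empty component is
treated as "not populated" and is neither a match nor a mismatch.
"""
from enum import Enum

COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")

class Match(Enum):
    TRUE = "match"            # every component populated on both sides and equal
    FALSE = "no match"        # some component populated on both sides and different
    UNKNOWN = "undetermined"  # at least one side is silent on a component

def parse_cpe(uri):
    """Split a CPE 2.2 URI into a 7-tuple; unpopulated fields become None."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    fields = uri[len("cpe:/"):].split(":")
    if len(fields) > len(COMPONENTS):
        raise ValueError("too many components in %r" % uri)
    fields += [""] * (len(COMPONENTS) - len(fields))
    # An empty field and an omitted trailing field both mean "not populated".
    return tuple((f or None) for f in fields)

def compare(a, b):
    """Compare two parsed CPEs component by component.

    A single populated-but-different component decides FALSE outright;
    otherwise any unpopulated component on either side yields UNKNOWN.
    """
    result = Match.TRUE
    for x, y in zip(a, b):
        if x is None or y is None:
            result = Match.UNKNOWN
        elif x != y:
            return Match.FALSE
    return result

def lexical_equal(uri_a, uri_b):
    """The naive comparison: only exact string equality counts."""
    return uri_a == uri_b

# Constructed sample names (hypothetical vendor and product).
INVENTORY = "cpe:/a:examplevendor:exampleproduct:2.1"   # what a scanner observed
VULN_ENTRY = "cpe:/a:examplevendor:exampleproduct"      # version left unpopulated
OTHER_VERSION = "cpe:/a:examplevendor:exampleproduct:3.0"

if __name__ == "__main__":
    print("lexical:", lexical_equal(INVENTORY, VULN_ENTRY))            # False
    print("ternary:", compare(parse_cpe(INVENTORY), parse_cpe(VULN_ENTRY)).value)
    print("ternary:", compare(parse_cpe(INVENTORY), parse_cpe(OTHER_VERSION)).value)
```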