Informal Meeting at RSA

Informal Meeting at RSA

Andrew Buttner
Administrator
For those in the CPE Community that will be out at the RSA Conference
in San Francisco in April, we will be having an informal meeting on
Tuesday morning (April 8th) at 8AM.  Location will be the lobby of the
Marriott Hotel adjacent to the conference center. (they have an area
with a number of couches and chairs in the lobby)  We will try to keep
things to an hour, but most likely will spill over a bit.

I propose we spend this meeting asking each member in attendance what
they want to see out of Version 3.0.  Or put another way, what they
think needs to change to make CPE a better success.  The answers, and
any following discussion, will help us frame the discussions for CPE
Developer Day a few weeks later.

I will also have the agenda for CPE Developer Day with me and if
discussion slows down, we can go over the agenda and discuss some of
the ideas that MITRE is thinking about.

Our goal for this meeting is to get a better feel for the desires and
ideas within the community so they can be expressed as we move
forward.

I do ask that if you are planning on joining us, please let me know so
that I can have an idea about numbers and who is stopping by.

Thanks
Drew

---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

Re: Informal Meeting at RSA

Kent Landfield
Before we go too far down the path of Version 3.0 it would be nice to
see content for other Operating Systems than just Microsoft and Red Hat.
Product vendors want to use this for various reasons, content
generation, tool interoperability, accurate reporting, etc.  

What is the status of adding other basic CPE entries, say for Macintosh,
Solaris, and HP-UX? The entries do not need to be massively complete
with every "xbox" type entry under the sun. We need CPE entries so we
can cooperate and identify the basic OS information.

CPE is critical to the other component standards and to vendors that are
not just simply focused on Microsoft.  

When can we expect a real CPE content update?

--
Kent Landfield
Director, Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 817.637.8026 Mobile
[hidden email]
www.mcafee.com
 


Re: Informal Meeting at RSA

Waltermire, Dave [USA]
Kent,
 
We will be expanding the scope of vendors included in the CPE dictionary when we release the next dictionary revision on April 15th.  It will have data from ~250 common vendors of products (i.e. hp, sun, oracle, etc).  I will post more info as we get closer to this date.
 
Dave




Re: Informal Meeting at RSA

Matthew N. Wojcik
Waltermire, Dave [USA] <mailto:[hidden email]> wrote:
> Kent,
>
> We will be expanding the scope of vendors included in the CPE
> dictionary when we release the next dictionary revision on April
> 15th.  It will have data from ~250 common vendors of products (i.e.
> hp, sun, oracle, etc).  I will post more info as we get closer to
> this date.    
>
> Dave

Dave,

Just to be clear--will it have data *from* 250 vendors, or *for* the
products from 250 vendors?  It's an important distinction.  The Red Hat
and Apple names have been contributed directly from those vendors, and
should be considered authoritative for their respective products.  Do
we really have the same kind of contributions from that many additional
vendors?

I should say that having names in the published dictionary for so many
vendors' products is a huge step even if they don't come direct from
the source, as it were.

Thanks,

--Woj                  Matthew N. Wojcik                 [hidden email]

Re: Informal Meeting at RSA

Kent Landfield
In reply to this post by Waltermire, Dave [USA]
This is great news.  We are actively using CPEs in our product and need the breadth of vendors you are alluding to.

Thanks for the update Dave.

--
Kent Landfield
Director, Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 817.637.8026 Mobile
[hidden email]
www.mcafee.com

 




Re: Informal Meeting at RSA

Waltermire, Dave [USA]
In reply to this post by Matthew N. Wojcik
Matt,
 
The only authoritative data we have is from Apple and RedHat as you have indicated.  Any names beyond this are for products that we have had in the NVD that we are adding to the dictionary.
 
Dave




Re: Informal Meeting at RSA

Ernest Park-2
The NVD CPE list includes around 5500 vendors, over 20,000 releases.
 
The existing list has approximately 5% duplicate entries, where it seems that one NVD collector created one name and entry, and another created a different vendor name.
 
The CPE needs a meta-layer, allowing name aliases for vendors, applications, releases. The aliases would allow both private and public alias for existing names. In this way, a vendor can map a proprietary naming scheme into the CPE using the alias table, without breaking his software or requiring the CPE to change.
 
  • Names for applications, releases and so on should be open to public review and approval, and the submission process should be public.
  • For every vendor, application and release name approved through a public database registration system, individuals can submit information. Following peer scrutiny, or no challenge on an entry, the entry becomes definitive. Any subsequent entries can be aliased to that one.
  • CPE name search and creation could be automated, or auto-assisted. If a user searches vendors, applications, releases, a web form can structure such queries to find the right result, or build a conforming CPE string and submit for review.
 
 
The dictionary benefits when it is public, searchable, and can be synchronized among users in some fashion.
 
I believe that authoritative data can come from a number of sources. My staff researches this information daily, and can provide valuable information on an ongoing basis. If more of our professional community can rate their expertise to deliver this information, we can build a community created and edited dictionary of very reliable information, a definitive index of names and identifiers of those millions of electronic assets that we all work with.
 
What the dictionary needs is a member forum for immediately growing and editing the dictionary, and an alias framework to allow working through the duplicates and the naming irregularities.
 
 
Ernie





Re: Informal Meeting at RSA

Kent Landfield

Wow… very old data… A word count on The Official NVD CPE Dictionary is

    2661    7586  133511 cpe-dictionary-2.0.xml

And has only 839 CPE entries from two vendors.

What you are looking at was the NVD dictionary before CPE 2.0 was adopted.

--
Kent Landfield
Director, Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 817.637.8026 Mobile
[hidden email]
www.mcafee.com
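The per-vendor entry count Kent runs against cpe-dictionary-2.0.xml and the alias meta-layer Ernie proposes, worked through as an added example (this is not code from the list, MITRE or NVD): the dictionary XML and the alias table below are constructed samples, and the http://cpe.mitre.org/dictionary/2.0 namespace on the cpe-item elements is an assumption about the dictionary format.

```python
"""Audit a CPE 2.0 dictionary: count entries per vendor, spot vendor-name
variants, and resolve them through an alias table (constructed sample data)."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of cpe-dictionary-2.0.xml (not the real NVD
# file). It deliberately carries two spellings each for Red Hat and HP, the kind
# of duplicate Ernie describes.
SAMPLE_DICTIONARY = """<?xml version="1.0" encoding="UTF-8"?>
<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
  <cpe-item name="cpe:/o:redhat:enterprise_linux:5"><title xml:lang="en-US">Red Hat Enterprise Linux 5</title></cpe-item>
  <cpe-item name="cpe:/o:red_hat:enterprise_linux:5"><title xml:lang="en-US">Red Hat Enterprise Linux 5</title></cpe-item>
  <cpe-item name="cpe:/o:redhat:enterprise_linux:4"><title xml:lang="en-US">Red Hat Enterprise Linux 4</title></cpe-item>
  <cpe-item name="cpe:/o:apple:mac_os_x:10.5"><title xml:lang="en-US">Apple Mac OS X 10.5</title></cpe-item>
  <cpe-item name="cpe:/o:hp:hp-ux:11.31"><title xml:lang="en-US">HP-UX 11i v3</title></cpe-item>
  <cpe-item name="cpe:/o:hewlett-packard:hp-ux:11.31"><title xml:lang="en-US">HP-UX 11i v3</title></cpe-item>
  <cpe-item name="cpe:/o:sun:solaris:10"><title xml:lang="en-US">Sun Solaris 10</title></cpe-item>
</cpe-list>
"""

# Assumed namespace for CPE 2.0 dictionary documents.
CPE_NS = {"cpe": "http://cpe.mitre.org/dictionary/2.0"}
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

# Constructed alias table: the "meta-layer" mapping variant vendor names onto the
# canonical (reviewed) name. A private table would be merged in the same way.
ALIASES = {"red_hat": "redhat", "hewlett-packard": "hp"}


def parse_cpe_uri(uri):
    """Split a CPE 2.x URI into its seven components; missing trailing ones are ''.
    Components are kept exactly as encoded in the dictionary."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.x URI: %r" % uri)
    parts = uri[len("cpe:/"):].split(":")
    if len(parts) > len(CPE_FIELDS):
        raise ValueError("too many components in %r" % uri)
    parts += [""] * (len(CPE_FIELDS) - len(parts))
    return dict(zip(CPE_FIELDS, parts))


def load_dictionary(xml_text):
    """Return every cpe-item name in a CPE 2.0 dictionary document."""
    root = ET.fromstring(xml_text)
    return [item.get("name") for item in root.findall("cpe:cpe-item", CPE_NS)]


def count_by_vendor(uris):
    """Entries per vendor component (Kent's '839 entries from two vendors' check)."""
    return Counter(parse_cpe_uri(u)["vendor"] for u in uris)


def normalize_vendor(name):
    """Crude key for spotting spelling variants: lowercase, alphanumerics only."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def suspected_duplicate_vendors(uris):
    """Vendor spellings that collapse to one normalized key, e.g. redhat/red_hat.
    Variants like hp/hewlett-packard do not normalize together; that is what
    the alias table is for."""
    spellings = {}
    for u in uris:
        vendor = parse_cpe_uri(u)["vendor"]
        spellings.setdefault(normalize_vendor(vendor), set()).add(vendor)
    return {k: v for k, v in spellings.items() if len(v) > 1}


def canonical_uri(uri, alias_table):
    """Rewrite the vendor component through the alias table, leaving the
    dictionary itself untouched (the vendor's software keeps its own names)."""
    fields = parse_cpe_uri(uri)
    fields["vendor"] = alias_table.get(fields["vendor"], fields["vendor"])
    values = [fields[f] for f in CPE_FIELDS]
    while values and values[-1] == "":
        values.pop()
    return "cpe:/" + ":".join(values)


def dedupe(uris, alias_table):
    """Sorted unique canonical names after alias resolution."""
    return sorted({canonical_uri(u, alias_table) for u in uris})


if __name__ == "__main__":
    names = load_dictionary(SAMPLE_DICTIONARY)
    print("entries:", len(names))
    for vendor, n in sorted(count_by_vendor(names).items()):
        print("  %-16s %d" % (vendor, n))
    print("suspected variants:", suspected_duplicate_vendors(names))
    print("after aliasing:", len(dedupe(names, ALIASES)), "unique names")
```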

 



 


Re: Informal Meeting at RSA

Wolfkiel, Joseph
In reply to this post by Andrew Buttner
I agree.  These issues need to be addressed at the April CPE discussion.
 

Lt Col Joseph L. Wolfkiel

Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office

9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700




Re: Informal Meeting at RSA

Waltermire, Dave [USA]
Agreed.  We could have a 2 day workshop discussing just this.  It is my hope that we can lay out a framework for managing CPE 2.x going forward and have follow-on meetings to flesh out how it will work in detail.  I see getting CPE 2.x working in practice before we even start discussing 3.0.  That way we can learn from the process and not get distracted with future direction.  It might be best to delay any CPE 3.0 discussions for some time.  Anyone interested in this?
 
Dave





Re: Informal Meeting at RSA

Kent Landfield

In what, delaying consideration of 3.0 or having a two day workshop to discuss 2.x uses/management?  :-)

I am in favor of both. We need stability in a version before we start considering a new major version, especially now… While 2.0 may have been released too early, we have it today and vendors and databases are starting to use it.  What we need to do is figure out the management processes and flesh out the content.  Otherwise we risk having to pull CPE 2.0 from an SCAP validation requirement and vendor development efforts, causing more churn at a time it is not beneficial to anyone.  I would be happy to see a two day workshop to address how to get this effort on track.

--

Kent Landfield
Director, Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 817.637.8026 Mobile
[hidden email]
www.mcafee.com

 


From: Waltermire, Dave [USA] [mailto:[hidden email]]
Sent: Thursday, March 20, 2008 3:34 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

 

Agreed.  We could have a 2 day workshop discussing just this.  It is my hope that we can layout a framework for managing CPE 2.x going forward and have follow-on meetings to flesh out how it will work in detail.  I see getting CPE 2.x working in practice before we even start discussing 3.0.  That way we can learn from the process and not get distracted with future direction.  It might be best to delay any CPE 3.0 discussions for some time.  Anyone interested in this?

 

Dave

 


From: Wolfkiel, Joseph [mailto:[hidden email]]
Sent: Thu 3/20/2008 4:12 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

I agree.  These issues need to be addressed at the April CPE discussion.

 

Lt Col Joseph L. Wolfkiel

Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office

9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700

-----Original Message-----
From: Ernest Park [mailto:[hidden email]]
Sent: Thursday, March 20, 2008 2:58 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

The NVD CPE list includes around 5500 vendors, over 20,000 releases.

The existing list has approximately 5% duplicate entries, where it seems that one NVD collector created one name and entry, and another created a different vendor name.

The CPE needs a meta-layer, allowing name aliases for vendors, applications, releases. The aliases would allow both private and public aliases for existing names. In this way, a vendor can map a proprietary naming scheme into the CPE using the alias table, without breaking his software or requiring the CPE to change.

  • Names for applications, releases and so on should be open to public review and approval, and the submission process should be public.
  • For every vendor, application and release name approved through a public database registration system, individuals can submit information. Following peer scrutiny, or no challenge on an entry, the entry becomes definitive. Any subsequent entries can be aliased to that one.
  • CPE name search and creation could be automated, or auto-assisted. If a user searches vendors, applications, releases, a web form can structure such queries to find the right result, or build a conforming CPE string and submit for review.

The dictionary benefits when it is public, searchable, and can be synchronized among users in some fashion.

I believe that authoritative data can come from a number of sources. My staff researches this information daily, and can provide valuable information on an ongoing basis. If more of our professional community can rate their expertise to deliver this information, we can build a community created and edited dictionary of very reliable information, a definitive index of names and identifiers of those millions of electronic assets that we all work with.

What the dictionary needs is a member forum for immediately growing and editing the dictionary, and an alias framework to allow working through the duplicates and the naming irregularities.

Ernie

On 3/20/08, Waltermire, Dave [USA] <[hidden email]> wrote:

Matt,

The only authoritative data we have is from Apple and RedHat as you have indicated.  Any names beyond this are for products that we have had in the NVD that we are adding to the dictionary.

Dave


From: Wojcik, Matthew N. [mailto:[hidden email]]
Sent: Thu 3/20/2008 11:21 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

Waltermire, Dave [USA] <[hidden email]> wrote:
> Kent,
>
> We will be expanding the scope of vendors included in the CPE
> dictionary when we release the next dictionary revision on April
> 15th.  It will have data from ~250 common vendors of products (i.e.
> hp, sun, oracle, etc).  I will post more info as we get closer to
> this date.   
>
> Dave

Dave,

Just to be clear--will it have data *from* 250 vendors, or *for* the
products from 250 vendors?  It's an important distinction.  The Red Hat
and Apple names have been contributed directly from those vendors, and
should be considered authoritative for their respective products.  Do
we really have the same kind of contributions from that many additional
vendors?

I should say that having names in the published dictionary for so many
vendors' products is a huge step even if they don't come direct from
the source, as it were.

Thanks,

--Woj                  Matthew N. Wojcik                 [hidden email]


Re: Informal Meeting at RSA

Ernest Park-2
In reply to this post by Waltermire, Dave [USA]
Perfectly said -

I suggest that we discuss CPE 2.1 - where we discuss the elements missing to get the existing XML from where it is to 100,000 vendors, and so on, and where 2.1 has adoption, use and data milestones to be met before we go to 3.0.

If we keep redesigning the data schema before we just work on adoption, there is little motivation to actually get 1000 registered users, aliases, and a live growing database.

Ernie

Re: Informal Meeting at RSA

Wolfkiel, Joseph
In reply to this post by Andrew Buttner
I found this a little confusing.

Are we suggesting having a v2.x implementation day in April along with a v3.0 planning day?

I'm up for it if everyone else is.  I could see spending a day to "figure out the management processes and flesh out the content." This would be in addition to spending a day to plan a more robust v3.0 that can handle aliasing and deal with concepts and dependencies that v2.x doesn't handle gracefully.

Alternatively, if you guys can fix v2.x at the RSA conference and let me know how that goes, that would be good too...

Lt Col Joseph L. Wolfkiel

Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office

9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700

-----Original Message-----
From: Kent Landfield [mailto:[hidden email]]
Sent: Thursday, March 20, 2008 5:05 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

In what, delaying consideration of 3.0 or having a two day workshop to discuss 2.x uses/management?  :-)

I am in favor of both. We need stability in a version before we start considering a new major version, especially now… While 2.0 may have been released too early, we have it today and vendors and databases are starting to use it.  What we need to do is figure out the management processes and flesh out the content.  Otherwise we risk having to pull CPE 2.0 from an SCAP validation requirement and vendor development efforts, causing more churn at a time it is not beneficial to anyone.  I would be happy to see a two day workshop to address how to get this effort on track.

--

Kent Landfield
Director, Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 817.637.8026 Mobile
[hidden email]
www.mcafee.com


Re: Informal Meeting at RSA

Kent Landfield

<Stepping onto my soapbox ;-)>

I am looking for real stability in CPE so we can actually use it in commercial products, content and databases.

A little history… First we had the initial release of CPE. NVD created a very extensive database; it was not really CPE formatted, but it was extremely complete and useful. While we were in discussions for a newer version of CPE and actively discussing improvements, 2.0 suddenly came out, seemingly to meet an arbitrary deadline, the SCAP Conference.  Vendors then and now wanted to use something as complete as the earlier NVD dictionary. To date all we have are 839 checks from two vendors, and 2.x has been out since September 2007.  We as a community of users and vendors need a stable CPE for which content and code can be written.  All we really have at this point is a spec with little real meat behind it.  Vendors are actively investing serious resources in getting products developed to satisfy the needs of the market and our existing customers. If the level of differences between 2.0 and 3.0 is as extreme as it was from 1.0 to 2.0, we need to rethink the effort. Changing schema formats and redoing content is extremely disruptive.  I only have history to go on…

Now… if the ground rules for 3.0 are that it must be backward compatible with 2.x, that’s a different story.  That was not the case in the past.

I would have no problem with a workshop that incorporated 2.x issues and also 3.0 future issues if the ground rules for 3.0 were that it was to be backward compatible with 2.x.  While this may seem an obvious assumption… Like I said, I only have history to go on…

<Stepping down… >


--

Kent Landfield
Director, Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 817.637.8026 Mobile
[hidden email]
www.mcafee.com


Re: Informal Meeting at RSA

Waltermire, Dave [USA]
Kent and Joe,

I think we need to put the brakes on 3.0 for now.  We are getting to a point where 2.x is stabilizing.  We are nearing a point with the NVD where we can fully support CPE 2.1 and build a community based CPE lifecycle management process in the next few months.  Cleanup of our product names is underway and we are taking in contributions from Apple and Red Hat.  We are embarking on an enterprise level test of CPE with the CND Pilot that is shedding light on a number of issues.

I am very concerned that 3.0 talk will distract the community from supporting the 2.x efforts that are well underway.  Furthermore, I am concerned that we do not have enough experience with CPE 2.x yet to get 3.x right.  Instead we should get all the 2.x issues out on the table, prioritize them, and work on solutions using 2.x as much as possible.  I would like to see the focus remain on CPE 2.x for the next 6-8 months.  Once we have a better set of lessons learned we can embark on CPE 3.0.

Dave


From: Kent Landfield [mailto:[hidden email]]
Sent: Thu 3/20/2008 6:09 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

<Stepping onto my soapbox ;-)>

 

I am looking for real stability in CPE so we can actually use it in commercial products, content and databases.  

 

A little history… First we had the initial release of CPE. NVD created a very extensive database but it was not really CPE formatted but was extremely complete and useful. While we were in discussions for a newer version of CPE and actively discussing improvements 2.0 suddenly came out seemingly to meet an arbitrary deadline, the SCAP Conference.  Vendors then and now wanted to use something as complete as the earlier NVD dictionary. To date all we have are 839 checks from two vendors and 2.x has been out since September 2007.  We as a community of user and vendors need a stable CPE for which content and code can be written.  All we really have at this point is a spec with little real meat behind it.  Vendors are actively investing serious resources in getting products developed to satisfy the needs of the market and our existing customers. If the level of differences between 2.0 to 3.0 is as extreme as it was from 1.0 to 2.0 we need to rethink the effort. Changing schemas formats and redoing content is extremely disruptive.  I only have history to go on…

 

Now… if the ground rules for 3.0 are that it must be backward compatible with 2.x, that’s a different story.  That was not the case in the past.

 

I would have no problem with a workshop that incorporated 2.x issues and also 3.0 future issues if the ground rules for 3.0 were that it was to be backward compatible with 2.x.  While this may seem an obvious assumption…Like I said, I only have history to go on…

 

<Stepping down… >

 

--

Kent Landfield
Director, Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 817.637.8026 Mobile
[hidden email]
www.mcafee.com

 


From: Wolfkiel, Joseph [mailto:[hidden email]]
Sent: Thursday, March 20, 2008 4:31 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

 

I found this a little confusing.

 

Are we suggesting having a v2.x implementation day in April along with a v3.0 planning day?

 

I'm up for it if everyone else is.  I could see spending a day to "figure out the management processes and flesh out the content." This would be in addition to spending a day to plan a more robust v3.0 that can handle aliasing and deal with concepts and dependencies that v2.x doesn't handle gracefully.

 

Alternatively, if you guys can fix v2.x at the RSA conference and let me know how that goes, that would be good too...

 

Lt Col Joseph L. Wolfkiel

Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office

9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700

-----Original Message-----
From: Kent Landfield [mailto:[hidden email]]
Sent: Thursday, March 20, 2008 5:05 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

In what, delaying consideration of 3.0 or having a two day workshop to discuss 2.x uses/management?  :-)

 

I am in favor of both. We need stability in a version before we start considering a new major version, especially now… While 2.0 may have been released too early, we have it today and vendors and databases are starting to use it.  What we need to do is figure out the management processes and flesh out the content.  Otherwise we risk having to pull CPE 2.0 from an SCAP validation requirement and vendor development efforts, causing more churn at a time it is not beneficial to anyone.  I would be happy to see a two day workshop to address how to get this effort on track.

 

--

Kent Landfield
Director, Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 817.637.8026 Mobile
[hidden email]
www.mcafee.com

 


From: Waltermire, Dave [USA] [mailto:[hidden email]]
Sent: Thursday, March 20, 2008 3:34 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

 

Agreed.  We could have a 2 day workshop discussing just this.  It is my hope that we can layout a framework for managing CPE 2.x going forward and have follow-on meetings to flesh out how it will work in detail.  I see getting CPE 2.x working in practice before we even start discussing 3.0.  That way we can learn from the process and not get distracted with future direction.  It might be best to delay any CPE 3.0 discussions for some time.  Anyone interested in this?

 

Dave

 


From: Wolfkiel, Joseph [mailto:[hidden email]]
Sent: Thu 3/20/2008 4:12 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

I agree.  These issues need to be addressed at the April CPE discussion.

 

Lt Col Joseph L. Wolfkiel

Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office

9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700

-----Original Message-----
From: Ernest Park [mailto:[hidden email]]
Sent: Thursday, March 20, 2008 2:58 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

The NVD CPE list includes around 5500 vendors, over 20,000 releases.

 

The existing list has approximately 5% duplicate entries, where it seems that one NVD collector created one name and entry, and another created a different vendor name.

 

The CPE needs a meta-layer, allowing name aliases for vendors, applications, releases. The aliases would allow both private and public alias for existing names. In this way, a vendor can map a proprietary naming scheme into the CPE using the alias table, without breaking his software or requiring the CPE to change.

 

  • Names for applications, releases and so on should be open to public review and approval, and the submission process should be public.
  • For every vendor, application and release name approved through a public database registration system, individuals can submit information. Following peer scrutiny, or no challenge on an entry, the entry becomes definitive. any subsequent entries can be aliased to that one.
  • CPE name search and creation could be automated, or auto-assisted. If a user searches vendors, applications, releases, a web form can structure such queries to find the right result, or build a conforming CPE string and submit for review.

 

 

The dictionary benefits when it is public, searchable, and can be synchronized among users in some fashion.

 

I believe that authoritative data can come from a number of sources. My staff researches this information daily, and can provide valuable information on an ongoing basis. If more of our professional community can rate their expertise to deliver this information, we can build a community created and edited dictionary of very reliable information, a definitive index of names and identifiers of those millions of electronic assets that we all work with.

 

What the dictionary needs is a member forum for immediately growing and editing the dictionary, and an alias framework to allow working through the duplicates and the naming irregularities.

 

 

Ernie

 

On 3/20/08, Waltermire, Dave [USA] <[hidden email]> wrote:

Matt,

 

The only authoritative data we have is from Apple and RedHat as you have indicated.  Any names beyond this are for products that we have had in the NVD that we are adding to the dictionary.

 

Dave

 


From: Wojcik, Matthew N. [mailto:[hidden email]]
Sent: Thu 3/20/2008 11:21 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

 

Waltermire, Dave [USA] <[hidden email]> wrote:
> Kent,
>
> We will be expanding the scope of vendors included in the CPE
> dictionary when we release the next dictionary revision on April
> 15th.  It will have data from ~250 common vendors of products (i.e.
> hp, sun, oracle, etc).  I will post more info as we get closer to
> this date.   
>
> Dave

Dave,

Just to be clear--will it have data *from* 250 vendors, or *for* the
products from 250 vendors?  It's an important distinction.  The Red Hat
and Apple names have been contributed directly from those vendors, and
should be considered authoritative for their respective products.  Do
we really have the same kind of contributions from that many additional
vendors?

I should say that having names in the published dictionary for so many
vendors' products is a huge step even if they don't come direct from
the source, as it were.

Thanks,

--Woj                  Matthew N. Wojcik                 [hidden email]

 


Re: Informal Meeting at RSA

Thomas Jones
In reply to this post by Kent Landfield


Sent from my iPhone

On Mar 20, 2008, at 5:09 PM, Kent Landfield <[hidden email]> wrote:

<Stepping onto my soapbox ;-)>

 

I am looking for real stability in CPE so we can actually use it in commercial products, content and databases.  

In my opinion, directing the focus of CPE towards only commercial products is not only a bad idea but wholly restrictive towards the seemingly common goal of developing a meaningful and complete resource for the community to utilize.

I have tried in the past to provide an open source voice to the standard and would hate to see the implementation be restricted due to capital backing. Or the lack thereof. 

 

A little history… First we had the initial release of CPE. NVD created a very extensive database; it was not really CPE formatted, but it was extremely complete and useful. While we were in discussions for a newer version of CPE and actively discussing improvements, 2.0 suddenly came out, seemingly to meet an arbitrary deadline, the SCAP Conference.  Vendors then and now wanted to use something as complete as the earlier NVD dictionary. To date all we have are 839 checks from two vendors, and 2.x has been out since September 2007.  We as a community of users and vendors need a stable CPE for which content and code can be written.  All we really have at this point is a spec with little real meat behind it.  Vendors are actively investing serious resources in getting products developed to satisfy the needs of the market and our existing customers. If the level of difference between 2.0 and 3.0 is as extreme as it was from 1.0 to 2.0, we need to rethink the effort. Changing schema formats and redoing content is extremely disruptive.  I only have history to go on…

 

Now… if the ground rules for 3.0 are that it must be backward compatible with 2.x, that’s a different story.  That was not the case in the past.

 

I would have no problem with a workshop that incorporated 2.x issues and also 3.0 future issues if the ground rules for 3.0 were that it was to be backward compatible with 2.x.  While this may seem an obvious assumption… Like I said, I only have history to go on…

 

<Stepping down… >

 

--

Kent Landfield
Director, Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 817.637.8026 Mobile
[hidden email]
www.mcafee.com

 


From: Wolfkiel, Joseph [mailto:[hidden email]]
Sent: Thursday, March 20, 2008 4:31 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

 

I found this a little confusing.

 

Are we suggesting having a v2.x implementation day in April along with a v3.0 planning day?

 

I'm up for it if everyone else is.  I could see spending a day to "figure out the management processes and flesh out the content." This would be in addition to spending a day to plan a more robust v3.0 that can handle aliasing and deal with concepts and dependencies that v2.x doesn't handle gracefully.

 

Alternatively, if you guys can fix v2.x at the RSA conference and let me know how that goes, that would be good too...

 

Lt Col Joseph L. Wolfkiel

Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office

9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700

-----Original Message-----
From: Kent Landfield [mailto:[hidden email]]
Sent: Thursday, March 20, 2008 5:05 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

In what, delaying consideration of 3.0 or having a two day workshop to discuss 2.x uses/management?  :-)

 

I am in favor of both. We need stability in a version before we start considering a new major version, especially now… While 2.0 may have been released too early, we have it today and vendors and databases are starting to use it.  What we need to do is figure out the management processes and flesh out the content.  Otherwise we risk having to pull CPE 2.0 from an SCAP validation requirement and vendor development efforts, causing more churn at a time it is not beneficial to anyone.  I would be happy to see a two day workshop to address how to get this effort on track.

 

--

Kent Landfield
Director, Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 817.637.8026 Mobile
[hidden email]
www.mcafee.com

 


From: Waltermire, Dave [USA] [mailto:[hidden email]]
Sent: Thursday, March 20, 2008 3:34 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

 

Agreed.  We could have a 2 day workshop discussing just this.  It is my hope that we can lay out a framework for managing CPE 2.x going forward and have follow-on meetings to flesh out how it will work in detail.  I see getting CPE 2.x working in practice before we even start discussing 3.0.  That way we can learn from the process and not get distracted with future direction.  It might be best to delay any CPE 3.0 discussions for some time.  Anyone interested in this?

 

Dave

 


From: Wolfkiel, Joseph [mailto:[hidden email]]
Sent: Thu 3/20/2008 4:12 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

I agree.  These issues need to be addressed at the April CPE discussion.

 

Lt Col Joseph L. Wolfkiel

Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office

9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700

-----Original Message-----
From: Ernest Park [mailto:[hidden email]]
Sent: Thursday, March 20, 2008 2:58 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

The NVD CPE list includes around 5500 vendors, over 20,000 releases.

 

The existing list has approximately 5% duplicate entries, where it seems that one NVD collector created one name and entry, and another created a different vendor name.

 

The CPE needs a meta-layer, allowing name aliases for vendors, applications, releases. The aliases would allow both private and public aliases for existing names. In this way, a vendor can map a proprietary naming scheme into the CPE using the alias table, without breaking his software or requiring the CPE to change.

 

  • Names for applications, releases and so on should be open to public review and approval, and the submission process should be public.
  • For every vendor, application and release name approved through a public database registration system, individuals can submit information. Following peer scrutiny, or no challenge on an entry, the entry becomes definitive. Any subsequent entries can be aliased to that one.
  • CPE name search and creation could be automated, or auto-assisted. If a user searches vendors, applications, releases, a web form can structure such queries to find the right result, or build a conforming CPE string and submit for review.

 

 

The dictionary benefits when it is public, searchable, and can be synchronized among users in some fashion.

 

I believe that authoritative data can come from a number of sources. My staff researches this information daily, and can provide valuable information on an ongoing basis. If more of our professional community can rate their expertise to deliver this information, we can build a community created and edited dictionary of very reliable information, a definitive index of names and identifiers of those millions of electronic assets that we all work with.

 

What the dictionary needs is a member forum for immediately growing and editing the dictionary, and an alias framework to allow working through the duplicates and the naming irregularities.

 

 

Ernie

 

On 3/20/08, Waltermire, Dave [USA] <[hidden email]> wrote:

Matt,

 

The only authoritative data we have is from Apple and RedHat as you have indicated.  Any names beyond this are for products that we have had in the NVD that we are adding to the dictionary.

 

Dave

 


From: Wojcik, Matthew N. [mailto:[hidden email]]
Sent: Thu 3/20/2008 11:21 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

 

Waltermire, Dave [USA] <[hidden email]> wrote:
> Kent,
>
> We will be expanding the scope of vendors included in the CPE
> dictionary when we release the next dictionary revision on April
> 15th.  It will have data from ~250 common vendors of products (i.e.
> hp, sun, oracle, etc).  I will post more info as we get closer to
> this date.   
>
> Dave

Dave,

Just to be clear--will it have data *from* 250 vendors, or *for* the
products from 250 vendors?  It's an important distinction.  The Red Hat
and Apple names have been contributed directly from those vendors, and
should be considered authoritative for their respective products.  Do
we really have the same kind of contributions from that many additional
vendors?

I should say that having names in the published dictionary for so many
vendors' products is a huge step even if they don't come direct from
the source, as it were.

Thanks,

--Woj                  Matthew N. Wojcik                 [hidden email]

 


Re: Informal Meeting at RSA

Kent Landfield

Come on… Sigh… Sorry, take ‘commercial’ out of my statement and it covers open source as well.  I was trying to differentiate it from only a federal government GOTS focus. This is a community standard as you so accurately stated…

 

--

Kent Landfield
Director, Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 817.637.8026 Mobile
[hidden email]
www.mcafee.com

 



 


Re: Informal Meeting at RSA

Kent Landfield
In reply to this post by Waltermire, Dave [USA]

I wonder what we could do incrementally to address some of the weaknesses…  Maybe a 2.2 version would be an option and provide a means to address your concerns as well Dave…

 

Just a thought…

 

Have a good holiday weekend.

 

--

Kent Landfield
Director, Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 817.637.8026 Mobile
[hidden email]
www.mcafee.com

 


From: Waltermire, Dave [USA] [mailto:[hidden email]]
Sent: Thursday, March 20, 2008 5:44 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

 

Kent and Joe,

 

I think we need to put the brakes on 3.0 for now.  We are getting to a point where 2.x is stabilizing.  We are nearing a point with the NVD where we can fully support CPE 2.1 and build a community based CPE lifecycle management process in the next few months.  Cleanup of our product names is underway and we are taking in contributions from Apple and Red Hat.  We are embarking on an enterprise level test of CPE with the CND Pilot that is shedding light on a number of issues.

 

I am very concerned that 3.0 talk will distract the community from supporting the 2.x efforts that are well underway.  Furthermore, I am concerned that we do not have enough experience with CPE 2.x yet to get 3.x right.  Instead we should get all the 2.x issues out on the table and prioritize them and work on solutions using 2.x as much as possible.  I would like to see the focus remain on CPE 2.x for the next 6-8 months.  Once we have a better set of lessons learned we can embark on CPE 3.0.

 

Dave

 



 


Re: Informal Meeting at RSA

Thomas Jones
In reply to this post by Kent Landfield


Sent from my iPhone

On Mar 20, 2008, at 5:58 PM, Kent Landfield <[hidden email]> wrote:

Come on… Sigh… Sorry, take ‘commercial’ out of my statement and it covers open source as well.  I was trying to differentiate it from only a federal government GOTS focus. This is a community standard as you so accurately stated…

It wasn't meant negatively. Just a reminder that a huge plethora of open source applications must be identified and the source resources indexed. 

As a reminder to the community, I have generated some 8,000+ CPE identifiers internally. However, I have been trying to get verification and validation from the authoritative source. A large undertaking given the diverse environment in which the authority is globally represented. 

 

--

Kent Landfield
Director, Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 817.637.8026 Mobile
[hidden email]
www.mcafee.com

 


From: Thomas R. Jones [mailto:[hidden email]]
Sent: Thursday, March 20, 2008 5:49 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

 



Sent from my iPhone


On Mar 20, 2008, at 5:09 PM, Kent Landfield <[hidden email]> wrote:

<Stepping onto my soapbox ;-)>

 

I am looking for real stability in CPE so we can actually use it in commercial products, content and databases.  

In my opinion, directing the focus of CPE towards only commercial products is not only a bad idea but wholly restrictive towards the seemingly common goal of developing a meaningful and complete resource for the community to utilize.

 

I have tried to in the past to provide an open source voice to the standard and would hate to see the implementation to be restricted due to capital backing. Or the lack thereof. 

 

A little history… First we had the initial release of CPE. NVD created a very extensive database but it was not really CPE formatted but was extremely complete and useful. While we were in discussions for a newer version of CPE and actively discussing improvements 2.0 suddenly came out seemingly to meet an arbitrary deadline, the SCAP Conference.  Vendors then and now wanted to use something as complete as the earlier NVD dictionary. To date all we have are 839 checks from two vendors and 2.x has been out since September 2007.  We as a community of users and vendors need a stable CPE for which content and code can be written.  All we really have at this point is a spec with little real meat behind it.  Vendors are actively investing serious resources in getting products developed to satisfy the needs of the market and our existing customers. If the level of differences between 2.0 to 3.0 is as extreme as it was from 1.0 to 2.0 we need to rethink the effort. Changing schema formats and redoing content is extremely disruptive.  I only have history to go on…

 

Now… if the ground rules for 3.0 are that it must be backward compatible with 2.x, that’s a different story.  That was not the case in the past.

 

I would have no problem with a workshop that incorporated 2.x issues and also 3.0 future issues if the ground rules for 3.0 were that it was to be backward compatible with 2.x.  While this may seem an obvious assumption…Like I said, I only have history to go on…

 

<Stepping down… >

 

--

Kent Landfield
Director, Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 817.637.8026 Mobile
[hidden email]
www.mcafee.com

 


From: Wolfkiel, Joseph [mailto:[hidden email]]
Sent: Thursday, March 20, 2008 4:31 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

 

I found this a little confusing.

 

Are we suggesting having a v2.x implementation day in April along with a v3.0 planning day?

 

I'm up for it if everyone else is.  I could see spending a day to "figure out the management processes and flesh out the content." This would be in addition to spending a day to plan a more robust v3.0 that can handle aliasing and deal with concepts and dependencies that v2.x doesn't handle gracefully.

 

Alternatively, if you guys can fix v2.x at the RSA conference and let me know how that goes, that would be good too...

 

Lt Col Joseph L. Wolfkiel

Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office

9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700

-----Original Message-----
From: Kent Landfield [mailto:[hidden email]]
Sent: Thursday, March 20, 2008 5:05 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

In what, delaying consideration of 3.0 or having a two day workshop to discuss 2.x uses/management?  :-)

 

I am in favor of both. We need stability in a version before we start considering a new major version, especially now… While 2.0 may have been released too early, we have it today and vendors and databases are starting to use it.  What we need to do is figure out the management processes and flesh out the content.  Otherwise we risk having to pull CPE 2.0 from an SCAP validation requirement and vendor development efforts, causing more churn at a time it is not beneficial to anyone.  I would be happy to see a two day workshop to address how to get this effort on track.

 

--

Kent Landfield
Director, Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 817.637.8026 Mobile
[hidden email]
www.mcafee.com

 


From: Waltermire, Dave [USA] [mailto:[hidden email]]
Sent: Thursday, March 20, 2008 3:34 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

 

Agreed.  We could have a 2 day workshop discussing just this.  It is my hope that we can lay out a framework for managing CPE 2.x going forward and have follow-on meetings to flesh out how it will work in detail.  I see getting CPE 2.x working in practice before we even start discussing 3.0.  That way we can learn from the process and not get distracted with future direction.  It might be best to delay any CPE 3.0 discussions for some time.  Anyone interested in this?

 

Dave

 


From: Wolfkiel, Joseph [mailto:[hidden email]]
Sent: Thu 3/20/2008 4:12 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

I agree.  These issues need to be addressed at the April CPE discussion.

 

Lt Col Joseph L. Wolfkiel

Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office

9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700

-----Original Message-----
From: Ernest Park [mailto:[hidden email]]
Sent: Thursday, March 20, 2008 2:58 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

The NVD CPE list includes around 5500 vendors, over 20,000 releases.

 

The existing list has approximately 5% duplicate entries, where it seems that one NVD collector created one name and entry, and another created a different vendor name.

 

The CPE needs a meta-layer, allowing name aliases for vendors, applications, releases. The aliases would allow both private and public aliases for existing names. In this way, a vendor can map a proprietary naming scheme into the CPE using the alias table, without breaking his software or requiring the CPE to change.

 

  • Names for applications, releases and so on should be open to public review and approval, and the submission process should be public.
  • For every vendor, application and release name approved through a public database registration system, individuals can submit information. Following peer scrutiny, or no challenge on an entry, the entry becomes definitive. Any subsequent entries can be aliased to that one.
  • CPE name search and creation could be automated, or auto-assisted. If a user searches vendors, applications, releases, a web form can structure such queries to find the right result, or build a conforming CPE string and submit for review.

 

 

The dictionary benefits when it is public, searchable, and can be synchronized among users in some fashion.

 

I believe that authoritative data can come from a number of sources. My staff researches this information daily, and can provide valuable information on an ongoing basis. If more of our professional community can rate their expertise to deliver this information, we can build a community created and edited dictionary of very reliable information, a definitive index of names and identifiers of those millions of electronic assets that we all work with.

 

What the dictionary needs is a member forum for immediately growing and editing the dictionary, and an alias framework to allow working through the duplicates and the naming irregularities.

 

 

Ernie

 

On 3/20/08, Waltermire, Dave [USA] <[hidden email]> wrote:

Matt,

 

The only authoritative data we have is from Apple and RedHat as you have indicated.  Any names beyond this are for products that we have had in the NVD that we are adding to the dictionary.

 

Dave

 


From: Wojcik, Matthew N. [mailto:[hidden email]]
Sent: Thu 3/20/2008 11:21 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

 

Waltermire, Dave [USA] <[hidden email]> wrote:
> Kent,
>
> We will be expanding the scope of vendors included in the CPE
> dictionary when we release the next dictionary revision on April
> 15th.  It will have data from ~250 common vendors of products (i.e.
> hp, sun, oracle, etc).  I will post more info as we get closer to
> this date.   
>
> Dave

Dave,

Just to be clear--will it have data *from* 250 vendors, or *for* the
products from 250 vendors?  It's an important distinction.  The Red Hat
and Apple names have been contributed directly from those vendors, and
should be considered authoritative for their respective products.  Do
we really have the same kind of contributions from that many additional
vendors?

I should say that having names in the published dictionary for so many
vendors' products is a huge step even if they don't come direct from
the source, as it were.

Thanks,

--Woj                  Matthew N. Wojcik                 [hidden email]

 


Re: Informal Meeting at RSA

Ernest Park-2
In reply to this post by Kent Landfield
Agreed with all . . .
 
3.0 should not be on the roadmap until 2.1 and 2.2 are successfully growing and well implemented.
 
Regarding OSS versus commercial, I have categorized most of the current CPE regarding license, essentially extending the current schema to allow the addition of a small attribute.
 
I would suggest that we could look at small things like aliases at all levels, license and application type attributes, and perhaps any special attributes that can help us sort, filter and categorize the information.
 
While some of this seems superfluous, categorization by type can be a valuable metric. Some security experts use "type" or class of software to categorize the potential for risk associated to that software.
 
 
 
 
Ernie

 
On 3/20/08, Kent Landfield <[hidden email]> wrote:

I wonder what we could do incrementally to address some of the weaknesses…  Maybe a 2.2 version would be an option and provide a means to address your concerns as well Dave…

 

Just a thought…

 

Have a good holiday weekend.

 

--

Kent Landfield
Director, Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 817.637.8026 Mobile
[hidden email]
www.mcafee.com

 


From: Waltermire, Dave [USA] [mailto:[hidden email]]
Sent: Thursday, March 20, 2008 5:44 PM


To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Informal Meeting at RSA

 

Kent and Joe,

 

I think we need to put the brakes on 3.0 for now.  We are getting to a point where 2.x is stabilizing.  We are nearing a point with the NVD where we can fully support CPE 2.1 and build a community based CPE lifecycle management process in the next few months.  Cleanup of our product names is underway and we are taking in contributions from Apple and Red Hat.  We are embarking on an enterprise level test of CPE with the CND Pilot that is shedding light on a number of issues.

 

I am very concerned that 3.0 talk will distract the community from supporting the 2.x efforts that are well underway.  Furthermore, I am concerned that we do not have enough experience with CPE 2.x yet to get 3.x right.  Instead we should get all the 2.x issues out on the table and prioritize them and work on solutions using 2.x as much as possible.  I would like to see the focus remain on CPE 2.x for the next 6-8 months.  Once we have a better set of lessons learned we can embark on CPE 3.0.

 

Dave

 



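The alias meta-layer and the provenance distinction argued over in this thread (Ernie's public and private aliases for the roughly 5% of collector-created duplicate names, and Woj's point that only the Red Hat and Apple names came from the vendors themselves and are authoritative), as an added example that is not part of the thread and is not NVD's or MITRE's code. It assumes the CPE 2.x URI binding cpe:/part:vendor:product:version:update:edition:language; the dictionary entries, the separator-squashing duplicate heuristic and the "mcafee"/"SKU-RHEL5" private namespace are constructed for illustration.

```python
"""Added example, not code from this thread, NVD or MITRE: a CPE 2.x dictionary
with an alias layer and provenance tags. Assumes the CPE 2.x URI binding
cpe:/part:vendor:product:version:update:edition:language. The entries, the
duplicate heuristic and the "mcafee"/"SKU-RHEL5" private namespace are constructed."""
import re
from dataclasses import dataclass

# Component order of the CPE 2.x URI binding.
CPE_COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe(name):
    """Split a CPE 2.x URI into named components; absent trailing components become ''."""
    if not name.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.x URI: {name!r}")
    fields = name[len("cpe:/"):].split(":")
    if len(fields) > len(CPE_COMPONENTS) or fields[0] not in ("a", "h", "o"):
        raise ValueError(f"malformed CPE name: {name!r}")
    fields += [""] * (len(CPE_COMPONENTS) - len(fields))
    return dict(zip(CPE_COMPONENTS, fields))


def dedup_key(name):
    """Heuristic (an assumption, not part of the spec) for spotting collector-created
    variants: lowercase and drop separators, so 'red_hat', 'Red-Hat' and 'redhat' collide."""
    c = parse_cpe(name)

    def squash(s):
        return re.sub(r"[^a-z0-9]", "", s.lower())

    return (c["part"], squash(c["vendor"]), squash(c["product"]), c["version"].lower())


@dataclass
class Entry:
    name: str            # canonical CPE 2.x URI
    source: str          # who supplied it, e.g. "vendor" or "nvd"
    authoritative: bool  # True only for names contributed by the product's own vendor


class CpeDictionary:
    def __init__(self):
        self.entries = {}          # canonical URI -> Entry
        self.public_aliases = {}   # alternate URI -> canonical URI, shared with everyone
        self.private_aliases = {}  # (namespace, local id) -> canonical URI, one vendor's own map

    def add(self, name, source, authoritative=False):
        parse_cpe(name)  # reject malformed names before they enter the dictionary
        if name in self.entries:
            raise ValueError(f"already present: {name}")
        self.entries[name] = Entry(name, source, authoritative)

    def add_public_alias(self, alias, canonical):
        if canonical not in self.entries:
            raise KeyError(canonical)
        self.public_aliases[alias] = canonical

    def add_private_alias(self, namespace, local_id, canonical):
        if canonical not in self.entries:
            raise KeyError(canonical)
        self.private_aliases[(namespace, local_id)] = canonical

    def resolve(self, name):
        """Follow public aliases (cycle-safe) to the canonical Entry, or None if unknown."""
        seen = set()
        while name in self.public_aliases and name not in seen:
            seen.add(name)
            name = self.public_aliases[name]
        return self.entries.get(name)

    def resolve_private(self, namespace, local_id):
        """Map a vendor's internal identifier to the canonical Entry, or None."""
        canonical = self.private_aliases.get((namespace, local_id))
        return self.entries.get(canonical) if canonical else None

    def find_duplicates(self):
        """Groups of entry names whose dedup_key collides; each group sorted, groups sorted."""
        groups = {}
        for name in self.entries:
            groups.setdefault(dedup_key(name), []).append(name)
        return sorted(sorted(g) for g in groups.values() if len(g) > 1)

    def merge_duplicates(self):
        """Pick one canonical name per duplicate group (a vendor-contributed name wins,
        else the alphabetically first) and alias the others to it. Returns {alias: canonical}."""
        merged = {}
        for group in self.find_duplicates():
            auth = [n for n in group if self.entries[n].authoritative]
            canonical = auth[0] if auth else group[0]
            for other in group:
                if other != canonical:
                    self.add_public_alias(other, canonical)
                    merged[other] = canonical
        return merged


def build_sample_dictionary():
    """Constructed sample: vendor-contributed names plus one NVD-derived variant of a name."""
    d = CpeDictionary()
    d.add("cpe:/o:redhat:enterprise_linux:5", source="vendor", authoritative=True)
    d.add("cpe:/o:red_hat:enterprise_linux:5", source="nvd")  # a second collector's spelling
    d.add("cpe:/a:apple:safari:3.1", source="vendor", authoritative=True)
    # Hypothetical private alias: a vendor maps its own SKU onto the canonical name.
    d.add_private_alias("mcafee", "SKU-RHEL5", "cpe:/o:redhat:enterprise_linux:5")
    return d


if __name__ == "__main__":
    d = build_sample_dictionary()
    print("duplicates:", d.find_duplicates(), "merged:", d.merge_duplicates())
```

Running the module as a script lists the red_hat/redhat pair as a duplicate group and aliases the NVD-derived spelling to the vendor-contributed name, so a lookup through either spelling lands on an Entry whose source and authoritative flag say where the name came from. The private alias table keeps a vendor's own identifiers out of the shared dictionary, which is the point of Ernie's meta-layer: the mapping can change without the CPE names changing.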
