Signatures for CPE dictionary?


Signatures for CPE dictionary?

Jan-Oliver Wagner-3
Hello,

at a quick glance I did not find a way to verify that the CPE dictionary
we download is indeed the official one.

There seem to be no GnuPG signatures for the CPE files (or other cryptographic
signatures that allow checking the individual files).

Also, there are indeed some checksums, but no HTTPS to download them over and therefore
gain at least some level of confirmation that they are not compromised.

Is any procedure known to verify that the CPE dictionary is indeed the original one from NIST?

Best

        Jan

--
Dr. Jan-Oliver Wagner |  ++49-541-335084-0  |  http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
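The check Jan is asking for, as an added example that is not part of the original thread and not NIST's own tooling: a downloaded dictionary is only as trustworthy as the channel the checksum came from, so the verifier below refuses to accept a checksum file fetched over plain HTTP, then compares the SHA-256 of the downloaded bytes against the published digest. The file contents, the file name and the "HASH  FILENAME" checksum layout (sha256sum style) are constructed for the example; the real NVD checksum format is not shown on the page and is not assumed here.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed stand-in for a downloaded CPE dictionary (not real NVD content).
SAMPLE_DICTIONARY = b'<?xml version="1.0"?><cpe-list><cpe-item name="cpe:/a:example:app:1.0"/></cpe-list>\n'
SAMPLE_FILENAME = "cpe-dictionary.xml"  # constructed name, not the official file name


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the downloaded bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed checksum file in sha256sum layout ("<hex digest>  <file name>").
# The layout is an assumption for the example, not NIST's actual format.
SAMPLE_CHECKSUM_FILE = (
    "# checksums for dictionary release (constructed example)\n"
    f"{sha256_hex(SAMPLE_DICTIONARY)}  {SAMPLE_FILENAME}\n"
)


def parse_checksum_file(text: str) -> dict:
    """Map file name -> lowercase hex digest; blank and '#' lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        # sha256sum marks binary-mode entries with a leading '*'.
        entries[name.lstrip("*")] = digest.lower()
    return entries


def require_authenticated_source(url: str) -> None:
    """Reject checksum files that did not come over an authenticated (TLS) channel.

    A checksum fetched over plain HTTP can be replaced together with the file it
    vouches for, which is the gap the thread describes.
    """
    if urlparse(url).scheme != "https":
        raise ValueError(f"checksum must be fetched over HTTPS, got: {url}")


def verify_download(data: bytes, filename: str, checksum_text: str, checksum_url: str) -> bool:
    """Return True if the downloaded bytes match the published digest for `filename`.

    Raises ValueError for an unauthenticated checksum source and KeyError when the
    checksum file does not list the file at all (silently passing would be unsafe).
    """
    require_authenticated_source(checksum_url)
    expected = parse_checksum_file(checksum_text).get(filename)
    if expected is None:
        raise KeyError(f"no digest published for {filename}")
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(sha256_hex(data), expected)


if __name__ == "__main__":
    ok = verify_download(SAMPLE_DICTIONARY, SAMPLE_FILENAME, SAMPLE_CHECKSUM_FILE,
                         "https://checksums.example.invalid/cpe.sha256")
    print("dictionary matches published digest:", ok)
```

An HTTPS-delivered checksum only proves that the digest came from whoever holds the server's certificate; it does not bind the file to NIST as a publisher the way a detached GnuPG signature would, which is why the thread asks for signatures in addition to a TLS-protected checksum.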

Re: Signatures for CPE dictionary?

Booth, Harold
Hi Jan,

  I have been working on obtaining a certificate that can be used to sign this and other content produced by the NVD.  In the meantime I will look into how we can address some of the valid concerns you have raised, by seeing if we can move the checksum file to a location where a valid SSL/TLS connection can be established.

Regards,

-Harold


Re: Signatures for CPE dictionary?

Jan-Oliver Wagner-3
On Thursday, 10. November 2011, Booth, Harold wrote:
>   I have been working on obtaining a certificate that can be used to sign this and other content produced by the NVD.  In the meantime I will look into how we can address some of the valid concerns you have raised, by seeing if we can move the checksum file to a location where a valid SSL/TLS connection can be established.

it would be great to extend this to the other SCAP content as well!
Thanks for taking care of this.

Best

        Jan

--
Dr. Jan-Oliver Wagner |  ++49-541-335084-0  |  http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner