Re: CONTENT DECISION: Content Decisions for "Password Selection" problems
On Sun, Jul 18, 1999 at 05:20:47PM -0800, Pascal Meunier wrote:
| At 11:05 AM -0700 7/16/99, Aleph One wrote:
|
| >If we follow the logic we did during our meeting at Black Hats
| >then each distinct non-announced account/password should be a
| >separate CVE entry. If I am using a scanner I want to know whether
| >it knows about the specific 3com backdoor, not whether it knows
| >about backdoors in some general sense. Ditto for default passwords.
| >
|
| How about a single CVE entry that explicitly enumerates all default or
| non-announced accounts/passwords with version numbers of the affected
| software, or points to a comprehensive list of them? I would think it is a
| compact notation completely equivalent to having separate entries.
|
| Pascal

This is getting into a database issue. I don't think that we want to try to make the CVE into something that attempts to enumerate all default passwords; the problem is very large and requires large investments of work to succeed. The goal of providing a translation mechanism can be achieved without this level of comprehensiveness.

I'm concerned that by attempting to list them all, rather than put in arbitrary (and capricious) levels of abstraction, we imply that we expect to succeed, and thus that the CVE can be used as a database of all default passwords. By imposing a level of abstraction that says "documented default password," we avoid this risk in exchange for some loss of usefulness. I think that's a good tradeoff.

Adam