Wolfkiel, Joseph
|
With respect to the discussion about updating Microsoft CPE names, I have received and reviewed Drew's recommendation (attached and in-line). After working through the issues the DoD and NIST would have to address if it is implemented (i.e. required re-write of internal NSA products with hard-coded CPE names, as well as an extensive re-work of the NIST CPE Dictionary, and an internal rewrite of VMS) I took this issue to the ISAP Working Group for resolution.

The ISAP WG agreed that the benefits of naming windows CPEs in a more technically correct manner (consistent with option 2) would have significant and measurable costs due to significant product re-work required to implement them in NSA products, VMS, and NVD. They further agreed that the issue should be re-opened in light of this new information prior to coming to a decision.

The specific problem is using "windows" as a product name, which is not an actual product, but an abstraction of all Microsoft Windows-branded operating systems. However, the "Title" of the CPE name uses concrete product names (e.g. Windows XP, Windows Server 2003, etc). Both VMS and CPE Dictionary support left-to-right hierarchies that dynamically build CPEs by specifying vendor, product, version, etc and require a discrete product name prior to selecting other CPE components. Both would have to be extensively redesigned to deal with a product title that is ambiguous until the edition field is populated. On the other hand, the main benefit of the suggested name change seems to be technical correctness, with no associated cost avoidance or savings.

However, with respect to including the version number in Microsoft Windows CPE names, the ISAP Working Group did not have any issues.

The ISAP Working Group asked me to write up these issues and circulate them on the CPE discussion list to ensure there aren't any additional unknown impacts, one way or the other, of making the changes prior to issuing a final decision.

I've asked Drew to work through this issue prior to closing out this discussion.

Joe Wolfkiel, CPE Sponsor

********************************************************************************************
Lt Col Joseph L. Wolfkiel
Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700

-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Friday, June 05, 2009 2:16 PM
To: Wolfkiel, Joseph
Cc: Baker, Jon
Subject: CPE Issue Summary - Microsoft Naming

Lt Col,

Attached please find the issue summary from the Microsoft naming discussion. My recommendation is twofold:

1) in the short term, follow option 2 and re-work the Microsoft OS names in the dictionary

2) in the longer term, work on a proposal to explore some of the ideas brought up during the discussion.

Please take a look at the attached and let me know what your decision is regarding the path forward.

Thanks
Drew

---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Wednesday, May 27, 2009 6:52 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Microsoft OS Naming Issue

I encourage anyone with an opinion on this matter to share their thoughts so that the correct decision can be made going forward. I personally think that a change to the current Microsoft Windows CPE Names would be the correct way forward. I think the change would make technical sense and it will bring the Windows names into alignment with the specification. This of course would mean deprecating all the existing names. I am very interested to see if you agree with this position, or if you think that this might not be the smartest move to do at this time.

Thanks
Drew

>-----Original Message-----
>From: Buttner, Drew [mailto:[hidden email]]
>Sent: Monday, May 18, 2009 7:43 AM
>To: cpe-discussion-list CPE Community Forum
>Subject: [CPE-DISCUSSION-LIST] Microsoft OS Naming Issue
>
>** reply by Friday June 5th **
>
>The creation of CPE Names for the different Microsoft operating systems
>has been a source of discussion since the beginning of CPE. In October
>2007 the issue was discussed in depth and it was decided that these
>names should be based off of the commonly known marketing names. We
>have tried this approach for the past year and a half but some issues
>still remain.
>
>We are realizing that names based off the marketing names are hard to
>manage as marketing names change frequently. Marketing names also
>lead to incorrect CPE Matching as a marketing name may stay the same
>but the underlying code may change. Or the marketing name may change
>even if the code doesn't.
>
>I'd like to formally bring up this issue to the CPE community
>again and make sure we are still going down the correct path.
>Obviously, one option will be to keep going down the current path. But
>other options would require changes to the current names. This would
>mean a lot of depreciation and potential vendor work to readjust their
>mapping. The costs of this change may not be worth the benefits.
>Unfortunately I do not see the issues and/or discussions surrounding
>Microsoft names subsiding until we fix the root of the problem. So at
>some point I think we are going to have to make some type of change.
>
>Some examples of the issues we currently face:
>
>- Windows XP 64-Bit Edition, Version 2003 which is actually based off
>of the code for Windows Server 2003
>
>- determining which CPE Name to use being difficult as the technical
>information returned from a system query is not associated with any CPE
>Name
>
>- inconsistencies when dealing with beta and pre-releases, for example
>the current Windows 7 betas and if the OS marketing name will actually
>be Windows 7
>
>- difficulty determining if certain updates/editions are really
>different versions, for example the R2 releases
>
>- inconsistency between operating system and application naming as many
>of the Microsoft application names follow the technical name (see
>Internet Explorer)
>
>Below are two options that I see as possible paths forward. I urge
>everyone to share their opinion as we can only understand the best
>course by knowing how it affects the entire community. If you have
>other ideas, please don't be afraid to share them as well.
>
>Discussion on this issue will end on Friday June 5th (3 weeks) at which
>time a decision will be made based on community consensus.
>
>----------------------------------
>OPTION 1
>----------------------------------
>
>Keep things the way they currently are. Although not perfect, the
>current way of creating CPE Names for Microsoft operating systems is a
>good balance between technical correctness and human understanding. In
>addition, the work required to deprecate the current Microsoft CPE
>Names and remap to new names would not be worth the benefits of the change.
>
>The CPE Specification should be updated to clarify how to create CPE Names
>for Microsoft operating systems and platforms that exhibit related
>properties.
>
>----------------------------------
>OPTION 2
>----------------------------------
>
>In order to put to bed the continued discussions on Microsoft names we
>should change how we create these names. We should leverage the
>internal version of the operating system and use that in the version
>component. In a way, this is more true to the current CPE
>Specification.
>
>The <title> element in the dictionary would be used to hold the
>marketing name associated with each different version. For example:
>
>cpe:/o:microsoft:windows:5.1.2600 - Microsoft Windows XP
>cpe:/o:microsoft:windows:5.1.2600:2180 - Microsoft Windows XP SP2
>cpe:/o:microsoft:windows:5.1.2600:5512 - Microsoft Windows XP SP3
>cpe:/o:microsoft:windows:5.2.3790 - Microsoft Windows Server 2003
>cpe:/o:microsoft:windows:5.2.3790:3959 - Microsoft Windows Server 2003 SP2
>
>Note that this option would require deprecating all the existing
>Microsoft names in the CPE dictionary. But this option better aligns
>with the way the specification is currently written.
>
>----------------------------------
>----------------------------------
>
>Again, I urge everyone to share their opinion by Friday June 5th.
>
>Thanks
>Drew
>
>---------
>
>Andrew Buttner
>The MITRE Corporation
>[hidden email]
>781-271-3515
|
Andrew Buttner
|
I'd like to make another push to try and close the issue around the Microsoft OS CPE names. There has been a request to better understand the costs of this decision, both for and against the change. I will attempt to kick start this by offering up my own personal thoughts on the costs.

It is my belief that cost associated with NOT making the proposed change is having an initiative that continues to struggle in gaining acceptance and making forward progress. I think the CPE Names for Microsoft OS's currently in the Official CPE Dictionary are detrimental to the adoption of the effort.

I say this not because of the costs that are associated with implementations, etc. Rather, I see the success of the enumeration tied to its technical correctness and its consistency / ease of understanding. The current CPE Names for Microsoft OS's damage both aspects.

The current names do not follow the guidance in the CPE Specification and thus users of CPE question what is going on. This makes understanding CPE more difficult thus hurting adoption. This also severely hurts the ability of others to help in the creation of new names as they struggle to understand how to implement the guidance in the specification.

The current names are not technically correct. They use version information to generate the product component and then leave the version component blank. This is looked upon with curiosity and gives the appearance that CPE as a project does not know what it is talking about. Users will be less likely to invest in an effort if they are not convinced of its technical merit.

Failing in regards to both technical correctness and compliance with the specification puts adoption of CPE at risk, and therefore puts at risk the ability of the community to develop a strong enumeration to bring the community together in the area of platform naming. It is the lack of coordination that is the cost of NOT moving forward with the proposal.
Thanks
Drew

>-----Original Message-----
>From: Wolfkiel, Joseph [mailto:[hidden email]]
>Sent: Monday, July 13, 2009 8:23 AM
>To: cpe-discussion-list CPE Community Forum
>Subject: [CPE-DISCUSSION-LIST] CPE Issue Summary - Microsoft Naming -- Request for additional input
|
Dawn Adams
|
Well said Drew!!
-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: July 29, 2009 10:19 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] CPE Issue Summary - Microsoft Naming -- Request for additional input
|
Wolfkiel, Joseph
|
Just a reminder, the counter-proposal to deleting real product names from the Microsoft CPEs and replacing them all with the abstraction "windows" along with the version numbers was to just add in version numbers to create CPEs for all known MS Windows product versions. The new CPEs would include version numbers along with real product names.

This solution would be backwards-compatible with existing CPE names and just require the addition to the CPE dictionary of fully-specified CPE names for MS Windows products that include the version numbers. It wouldn't require deprecation of any existing CPEs since the matching algorithm would make the existing CPE without version numbering match the CPE with the version number populated.

I don't think anyone on the list is opposed to adding version numbers to the CPEs for Microsoft Windows products. You can probably safely start doing that today.

Lt Col Joseph L. Wolfkiel
Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700

-----Original Message-----
From: Dawn Adams [mailto:[hidden email]]
Sent: Wednesday, July 29, 2009 10:28 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] CPE Issue Summary - Microsoft Naming -- Request for additional input

Well said Drew!!

-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: July 29, 2009 10:19 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] CPE Issue Summary - Microsoft Naming -- Request for additional input

* PGP - S/MIME Signed by an unverified key: 07/29/09 at 10:19:08

I'd like to make another push to try and close the issue around the Microsoft OS CPE names. There has been a request to better understand the costs of this decision, both for and against the change. I will attempt to kick start this by offering up my own personal thoughts on the costs.
It is my belief that cost associated with NOT making the proposed change is having an initiative that continues to struggle in gaining acceptance and making forward progress. I think the CPE Names for Microsoft OS's currently in the Official CPE Dictionary are detrimental to the adoption of the effort. I say this not because of the costs that are associated with implementations, etc. Rather, I see the success of the enumeration tied to its technical correctness and its consistency / ease of understanding. The current CPE Names for Microsoft OS's damage both aspects.

The current names do not follow the guidance in the CPE Specification and thus users of CPE question what is going on. This makes understanding CPE more difficult thus hurting adoption. This also severely hurts the ability of others to help in the creation of new names as they struggle to understand how to implement the guidance in the specification.

The current names are not technically correct. They use version information to generate the product component and then leave the version component blank. This is looked upon with curiosity and gives the appearance that CPE as a project does not know what it is talking about. Users will be less likely to invest in an effort if they are not convinced of its technical merit.

Failing in regards to both technical correctness and compliance with the specification puts adoption of CPE at risk, and therefore puts at risk the ability of the community to develop a strong enumeration to bring the community together in the area of platform naming. It is the lack of coordination that is the cost of NOT moving forward with the proposal.

Thanks
Drew

>-----Original Message-----
>From: Wolfkiel, Joseph [mailto:[hidden email]]
>Sent: Monday, July 13, 2009 8:23 AM
>To: cpe-discussion-list CPE Community Forum
>Subject: [CPE-DISCUSSION-LIST] CPE Issue Summary - Microsoft Naming --
>Request for additional input
>
>With respect to the discussion about updating Microsoft CPE names, I
>have received and reviewed Drew's recommendation (attached and
>in-line). After working through the issues the DoD and NIST would have
>to address if it is implemented (i.e. required re-write of internal NSA
>products with hard-coded CPE names, as well as an extensive re-work of
>the NIST CPE Dictionary, and an internal rewrite of VMS) I took this
>issue to the ISAP Working Group for resolution.
>
>The ISAP WG agreed that the benefits of naming windows CPEs in a more
>technically correct manner (consistent with option 2) would have
>significant and measurable costs due to significant product re-work
>required to implement them in NSA products, VMS, and NVD. They further
>agreed that the issue should be re-opened in light of this new
>information prior to coming to a decision.
>
>The specific problem is using "windows" as a product name, which is not
>an actual product, but an abstraction of all Microsoft Windows-branded
>operating systems. However, the "Title" of the CPE name uses concrete
>product names (e.g. Windows XP, Windows Server 2003, etc). Both VMS
>and CPE Dictionary support left-to-right hierarchies that dynamically
>build CPEs by specifying vendor, product, version, etc and require a
>discrete product name prior to selecting other CPE components. Both
>would have to be extensively redesigned to deal with a product title
>that is ambiguous until the edition field is populated. On the other
>hand, the main benefit of the suggested name change seems to be
>technical correctness, with no associated cost avoidance or savings.
>
>However, with respect to including the version number in Microsoft
>Windows CPE names, the ISAP Working Group did not have any issues.
>
>The ISAP Working Group asked me to write up these issues and circulate
>them on the CPE discussion list to ensure there aren't any additional
>unknown impacts, one way or the other, of making the changes prior to
>issuing a final decision.
>
>I've asked Drew to work through this issue prior to closing out this
>discussion.
>
>Joe Wolfkiel, CPE Sponsor
>
>***********************************************************************
>Lt Col Joseph L. Wolfkiel
>Director, Computer Network Defense Research & Technology (CND R&T)
>Program Management Office
>9800 Savage Rd Ste 6767
>Ft Meade, MD 20755-6767
>Commercial 410-854-5401 DSN 244-5401 Fax 410-854-6700
>
>-----Original Message-----
>From: Buttner, Drew [mailto:[hidden email]]
>Sent: Friday, June 05, 2009 2:16 PM
>To: Wolfkiel, Joseph
>Cc: Baker, Jon
>Subject: CPE Issue Summary - Microsoft Naming
>
>Lt Col,
>
>Attached please find the issue summary from the Microsoft naming
>discussion. My recommendation is twofold:
>
>1) in the short term, follow option 2 and re-work the Microsoft OS
>names in the dictionary
>
>2) in the longer term, work on a proposal to explore some of the ideas
>brought up during the discussion.
>
>Please take a look at the attached and let me know what your decision
>is regarding the path forward.
>
>Thanks
>Drew
>
>---------
>
>Andrew Buttner
>The MITRE Corporation
>[hidden email]
>781-271-3515
>
>-----Original Message-----
>From: Buttner, Drew [mailto:[hidden email]]
>Sent: Wednesday, May 27, 2009 6:52 AM
>To: [hidden email]
>Subject: Re: [CPE-DISCUSSION-LIST] Microsoft OS Naming Issue
>
>I encourage anyone with an opinion on this matter to share their
>thoughts so that the correct decision can be made going forward. I
>personally think that a change to the current Microsoft Windows CPE
>Names would be the correct way forward.
>I think the change would make technical sense and it will bring the
>Windows names into alignment with the specification. This of course
>would mean deprecating all the existing names. I am very interested to
>see if you agree with this position, or if you think that this might
>not be the smartest move to do at this time.
>
>Thanks
>Drew
>
>>-----Original Message-----
>>From: Buttner, Drew [mailto:[hidden email]]
>>Sent: Monday, May 18, 2009 7:43 AM
>>To: cpe-discussion-list CPE Community Forum
>>Subject: [CPE-DISCUSSION-LIST] Microsoft OS Naming Issue
>>
>>** reply by Friday June 5th **
>>
>>The creation of CPE Names for the different Microsoft operating
>>systems has been a source of discussion since the beginning of CPE.
>>In October 2007 the issue was discussed in depth and it was decided
>>that these names should be based off of the commonly known marketing
>>names. We have tried this approach for the past year and a half but
>>some issues still remain.
>>
>>We are realizing that names based off the marketing names are hard to
>>manage as marketing names change frequently. Marketing names also
>>lead to incorrect CPE Matching as a marketing name may stay the same
>>but the underlying code may change. Or the marketing name may change
>>even if the code doesn't.
>>
>>I'd like to formally bring up this issue to the CPE community
>>again and make sure we are still going down the correct path.
>>Obviously, one option will be to keep going down the current path.
>>But other options would require changes to the current names. This
>>would mean a lot of depreciation and potential vendor work to readjust
>>their mapping. The costs of this change may not be worth the benefits.
>>Unfortunately I do not see the issues and/or discussions surrounding
>>Microsoft names subsiding until we fix the root of the problem. So at
>>some point I think we are going to have to make some type of change.
>>
>>Some examples of the issues we currently face:
>>
>>- Windows XP 64-Bit Edition, Version 2003 which is actually based off
>>of the code for Windows Server 2003
>>
>>- determining which CPE Name to use being difficult as the technical
>>information returned from a system query is not associated with any
>>CPE Name
>>
>>- inconsistencies when dealing with beta and pre-releases, for example
>>the current Windows 7 betas and if the OS marketing name will actually
>>be Windows 7
>>
>>- difficulty determining if certain updates/editions are really
>>different versions, for example the R2 releases
>>
>>- inconsistency between operating system and application naming as
>>many of the Microsoft application names follow the technical name
>>(see Internet Explorer)
>>
>>Below are two options that I see as possible paths forward. I urge
>>everyone to share their opinion as we can only understand the best
>>course by knowing how it affects the entire community. If you have
>>other ideas, please don't be afraid to share them as well.
>>
>>Discussion on this issue will end on Friday June 5th (3 weeks) at
>>which time a decision will be made based on community consensus.
>>
>>----------------------------------
>>OPTION 1
>>----------------------------------
>>
>>Keep things the way they currently are. Although not perfect, the
>>current way of creating CPE Names for Microsoft operating systems is a
>>good balance between technical correctness and human understanding.
>>In addition, the work required to deprecate the current Microsoft CPE
>>Names and remap to new names would not be worth the benefits of the
>>change.
>>
>>The CPE Specification should be updated to clarify how to create CPE
>>Names for Microsoft operating systems and platforms that exhibit
>>related properties.
>>
>>----------------------------------
>>OPTION 2
>>----------------------------------
>>
>>In order to put to bed the continued discussions on Microsoft names we
>>should change how we create these names.
>>We should leverage the internal version of the operating system and
>>use that in the version component. In a way, this is more true to the
>>current CPE Specification.
>>
>>The <title> element in the dictionary would be used to hold the
>>marketing name associated with each different version. For example:
>>
>>cpe:/o:microsoft:windows:5.1.2600 - Microsoft Windows XP
>>cpe:/o:microsoft:windows:5.1.2600:2180 - Microsoft Windows XP SP2
>>cpe:/o:microsoft:windows:5.1.2600:5512 - Microsoft Windows XP SP3
>>cpe:/o:microsoft:windows:5.2.3790 - Microsoft Windows Server 2003
>>cpe:/o:microsoft:windows:5.2.3790:3959 - Microsoft Windows Server 2003 SP2
>>
>>Note that this option would require deprecating all the existing
>>Microsoft names in the CPE dictionary. But this option better aligns
>>with the way the specification is currently written.
>>
>>----------------------------------
>>----------------------------------
>>
>>Again, I urge everyone to share their opinion by Friday June 5th.
>>
>>
>>Thanks
>>Drew
>>
>>---------
>>
>>Andrew Buttner
>>The MITRE Corporation
>>[hidden email]
>>781-271-3515
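
The backwards-compatibility argument in the message above can be checked mechanically. The Python sketch below is an added example, not code from the thread or from the CPE project; it assumes a simplified form of CPE 2.2 name matching (a name matches another when each of its non-empty components is equal), and the `windows_xp` names are constructed samples of the marketing-name style.

```python
# Added illustration: simplified CPE 2.2 URI matching, not the official reference code.
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

def parse_cpe22(uri):
    """Split a CPE 2.2 URI into seven components; missing trailing ones become ''."""
    if not uri.lower().startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[5:].lower().split(":")
    if len(parts) > len(FIELDS):
        raise ValueError(f"too many components: {uri!r}")
    parts += [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, parts))

def matches(candidate, known):
    """True if every non-empty component of `candidate` equals the one in `known`."""
    c, k = parse_cpe22(candidate), parse_cpe22(known)
    return all(c[f] == "" or c[f] == k[f] for f in FIELDS)

def still_matched(existing_names, new_names):
    """Map each existing name to the new dictionary names it would match."""
    return {old: [n for n in new_names if matches(old, n)] for old in existing_names}

# Existing marketing-name entry with a blank version (constructed sample).
EXISTING = ["cpe:/o:microsoft:windows_xp"]

# Option 2 names, taken from the thread.
OPTION_2 = [
    "cpe:/o:microsoft:windows:5.1.2600",
    "cpe:/o:microsoft:windows:5.1.2600:2180",
    "cpe:/o:microsoft:windows:5.2.3790",
]

# Counter-proposal: keep the product name, add the version (constructed names).
COUNTER = [
    "cpe:/o:microsoft:windows_xp:5.1.2600",
    "cpe:/o:microsoft:windows_xp:5.1.2600:2180",
]

if __name__ == "__main__":
    # Option 2: the old name matches nothing, so it has to be deprecated and remapped.
    print(still_matched(EXISTING, OPTION_2))
    # Counter-proposal: the old name still matches every versioned entry.
    print(still_matched(EXISTING, COUNTER))
```

Content that references only the unversioned name keeps resolving under the counter-proposal, while under Option 2 every such reference has to be remapped, which is the deprecation cost discussed in the thread.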