Concerns about platform abbreviations and vendor naming convetions

Hello,

I have some questions and concerns about the use of abbreviations and
the potential for loss of fidelity between a vendor naming convention
and how the platform is represented in the CPE dictionary.

1) Will the CPE abbreviation list include only abbreviations used by
vendors or will it also include ad-hoc abbreviations devised by CPE
dictionary maintainers? For example, SP4 is a common designation used
by Microsoft and other vendors to denote "Service Pack 4". However,
some of the abbreviations seem less commonly used or may not reflect
vendor naming conventions. As an example, "ed" (abbrev. for Edition)
seems like more of an ad-hoc abbreviation.

2) How do we resolve abbreviation collisions? Example, vendor A uses
the abbreviation "std" to denote something other than "standard". Does
the vendor-specific "std" get added to the master CPE abbreviation
list, and if so, how do we deal with the ensuing confusion?

3) With the problem presented by 2), is there room to include
abbreviation expansion markup or ideally a fully qualified title that
conforms to the vendor's naming scheme in the XML/CPE dictionary
representation?

I make this suggestion because a lot of adopters probably have a use
for fully-qualified platform names. This means providing support
expanding abbreviations, and restoring capitalization, and other
vendor naming conventions that may be lost when a platform is
CPE-ified. The <title> field seems to partly serve this purpose but
seems limited in the following ways:
a) <title> is optional
b) It's intended to provide a "human readable" title but there is
nothing to state whether or not this title should be following the
vendor's own naming convention.

I apologize in advance if this topic has already been discussed and
hammered out. In my experience, vendors can be particular about how
their products are represented. Also, even with a common naming
scheme, the vendor's own naming convention is still an authoritative
representation that people are apt to depend upon.  


--
Dave McKinney
Symantec

keyID: E461AE4E
key fingerprint = F1FC 9073 09FA F0C7 500D  D7EB E985 FAF3 E461 AE4E

Hi Dave,

I've voiced similar concerns and suggested use of only authoritative names that
are used by the vendors.  I see no reason to be abbreviating things at an
author's discretion.

I find it a bit odd that we're using (slightly verbose) XML, yet finding it
important to abbreviate the actual content.

        -Gary-

>1) Will the CPE abbreviation list include only abbreviations used by
>vendors or will it also include ad-hoc abbreviations devised by CPE
>dictionary maintainers? For example, SP4 is a common designation used
>by Microsoft and other vendors to denote "Service Pack 4". However,
>some of the abbreviations seem less commonly used or may not reflect
>vendor naming conventions. As an example, "ed" (abbrev. for Edition)
>seems like more of an ad-hoc abbreviation.

I would say both.  The plan is to include abbreviations for common
designations used by vendors as well as common terms that seem
appropriate for abbreviations.  To make sure everyone has the latest
list of abbreviations, we stated in the spec that the official list
would be held on the CPE web site.  The idea is that if the community
wants to abbreviate and additional term in the future, we can add it to
the list on the site.


>2) How do we resolve abbreviation collisions? Example, vendor A uses
>the abbreviation "std" to denote something other than "standard". Does
>the vendor-specific "std" get added to the master CPE abbreviation
>list, and if so, how do we deal with the ensuing confusion?

The list of abbreviations on the CPE web site is the official and only
source for CPE abbreviations.  So if "std" appears in a CPE Name, then
one can look at the web site to see what that means.  Same approach for
if you want to use an abbreviation to create a new CPE Name.  If that
abbreviation exists in the official list, then it can be used in the
new name.


>3) With the problem presented by 2), is there room to include
>abbreviation expansion markup or ideally a fully qualified title that
>conforms to the vendor's naming scheme in the XML/CPE dictionary
>representation?

Yes, the CPE Dictionary includes a <title> element that is intended to
hold the Vendor's textual name as they would like users to see it.


>I make this suggestion because a lot of adopters probably have a use
>for fully-qualified platform names. This means providing support
>expanding abbreviations, and restoring capitalization, and other
>vendor naming conventions that may be lost when a platform is
>CPE-ified.

Remember that the CPE Name is only supposed to be a unique identifier.
So it is not intended to support the expansion of the name to a human
readable format.  The human readable name is meant to be held in the
<title> of the CPE Dictionary entry.


>The <title> field seems to partly serve this purpose but
>seems limited in the following ways:
>a) <title> is optional

The <title> is actually required by the CPE Dictionary schema.


>b) It's intended to provide a "human readable" title but there is
>nothing to state whether or not this title should be following the
>vendor's own naming convention.

Good point.  This is the intention of this field, to follow the
vendor's own naming convention.  In other words, the marketing name
that the vendor uses for this platform.  Ideally we would love to have
the vendors supply these strings and I hope in the future we can make
this a reality.


>I apologize in advance if this topic has already been discussed and
>hammered out. In my experience, vendors can be particular about how
>their products are represented. Also, even with a common naming
>scheme, the vendor's own naming convention is still an authoritative
>representation that people are apt to depend upon.  

I completely agree and we are constantly looking for vendor input into
their names and titles.  Red Hat has done this and has been
instrumental in supplying CPE Names for their platforms.  This has been
a HUGE help in making sure the CPE Names reflect the technical aspects
of the platforms as well as the marketing aspects of the platforms.

I hoped this has helped answered your questions.

Thanks
Drew

When I reflect on "authoritative names used by the vendors", I see the
image of Medusa in the mirror. For a EU company that uses one name in
it's home country, another name in the UK, other names in Canada,
Australia and the US..... All of them are authoritative.

Per prior email --I feel the concept of a taxonomy is inherently flawed
for technical accuracy, it's fine for general (fuzzy) cognitive
associations.


Ken Lassesen,
Office 206-734-4718 Home: 360-297-4717   Cell: 360-509-2402  Skype:
Ken.Lassesen
IM: [hidden email]  

CONFIDENTIALITY NOTICE
The information contained in this electronic message may contain
confidential and privileged information and is intended only for use by
the individual(s) or entity(ies) to whom it was addressed. Any
unauthorized review, use, disclosure, or distribution of this
communication is strictly prohibited. If you are not the intended
recipient, please contact the sender by reply email and permanently
delete and destroy the original message.


-----Original Message-----
From: Gary Newman [mailto:[hidden email]]

I've voiced similar concerns and suggested use of only authoritative
names that are used by the vendors.  I see no reason to be abbreviating
things at an author's discretion.

I find it a bit odd that we're using (slightly verbose) XML, yet finding
it important to abbreviate the actual content.

        -Gary-