Meeting at RSA

A reminder for those that are going to be at the RSA Conference next
week.  The CPE community will be meeting in the lobby of the Marriott
for an informal discussion that will help guide CPE Developer Days
later this month.  If you will be in San Francisco next week please
join us!  (~1 hr)

Please see the attached pdf that has some talking points to help guide
discussion.  One request, if you think you can make it, please let me
know so I can have an idea who to wait for before starting.  I've put
the names of those I have already heard from on the pdf.  If I made a
mistake please let me know.

Thanks
Drew


PS - please don't ask the front desk for the location of the meeting
:)


---------

Andrew Buttner
The MITRE Corporation
abuttner@...
781-271-3515

Thank you to all that attended the morning discussion here at the RSA
Conference.  It was a productive hour+ that will really help us frame
CPE Developer Days later this month.  I have included notes from the
meeting in the attached pdf and I will try to post this on the
developer days page on the CPE web site.  To summarize, 3 main points
that were taken away from this discussion:

1) Better documentation is needed about how to make content decisions
and how to submit and maintain content.

2) As a community, we need to do a better job in defining how we are
using a CPE Name and what we mean when we assign a CPE Name to
something.  Without this, there are many different meanings that a user
can assume and this just creates confusion amongst the standard.

3) We need to spend some quality time at Developer Days discussing the
pros and cons of the numerical identifier approach.

Thanks again and I look forward to seeing everyone in a few weeks!

Thanks
Drew

Hi Drew et al,

> 1) Better documentation is needed about how to make content decisions
> and how to submit and maintain content.
>

Who can argue with better documentation?  I think making this process easier
should also be a goal.  The dictionary is growing rather slowly.  I think
point 3 is tied to this.

> 2) As a community, we need to do a better job in defining how we are
> using a CPE Name and what we mean when we assign a CPE Name to
> something.  Without this, there are many different meanings that a user
> can assume and this just creates confusion amongst the standard.

Is this point saying more/all entries should have an OVAL check?

> 3) We need to spend some quality time at Developer Days discussing the
> pros and cons of the numerical identifier approach.

I would like to enter GUID/UUID as another contender.  Some cons of
numerical identifiers are addressed by these more unique and less meaningful
identifiers.
 
Best regards,

Vladimir Giszpenc
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959

Hmmm, I like the concept of using a GUID -- I expect all of us will
mechanize our tools and offerings so the actual key would be hidden
often, and it's a more reliable identifier.

-----Original Message-----
From: Vladimir Giszpenc [mailto:vgiszpenc@...]

> 3) We need to spend some quality time at Developer Days discussing the
> pros and cons of the numerical identifier approach.

I would like to enter GUID/UUID as another contender.  Some cons of
numerical identifiers are addressed by these more unique and less
meaningful
identifiers.
 
Best regards,

Vladimir Giszpenc
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959