Thoughts on Microsoft names and drinking our own kool-aid
|
|
Wolfkiel, Joseph
|
Having successfully lived through the SCAP workshop, I want to delve into
the specific world of Microsoft. I would like to have the naming convention for Microsoft OSs adjudicated. The specific problem is that I don't believe you can arrive at the current name "windows-nt:XP" by following the guidance for naming in the specification. I think you will also run into the same problem for Windows 2000, Windows XP 64 bit, and possibly other OS names. According to technet, it looks like there are two possible names you could use to start a Microsoft CPE name -- the advertised name or the registered name. The advertised name would give you a CPE name of cpe:/o:microsoft:win:xp The registered (how the OS identifies itself in the registry) name "Microsoft Windows NT Workstation 5.1" may result in multiple CPE names, depending on how you parse it: "cpe:/o:microsoft:win:nt:workstation:5.1" or "cpe:/o:microsoft:windows_nt_workstation:5.1". I note that none of these 3 cases give you "cpe:/o:microsoft:win-nt:xp", nor could I figure out how someone who wasn't closely monitoring the CPE discussion list would arrive at this name. I find it interesting to note that you can't arrive at a name that associates nt with xp without mixing the advertised name with the registered name -- not something I would expect to promote. Based on these observations, and the stated goal of the spec to allow users to independently arrive at the same cpe names, I would like to officially request to have this set of names re-evaluated (and new names assigned) or to have the spec changed to reflect the names given as examples and give readers some hint about how they would arrive at those names. If possible, I would like to have this be the first round of a repeatable adjudication process. Also, since we still have the problem of matching advertised names with registered names and/or executable names, I would like to open the discussion on the value of having a community alias list. - Joe Wolfkiel ____________________________________________________________________________ ____ Supporting info. http://www.microsoft.com/technet/sms/2003/library/deployingwinxpsp2_6.mspx The value for OperatingSystemNameandVersion is listed as Microsoft Windows NT Workstation 5.1. This is what Windows XP reports to SMS when queried for the operating system. Windows XP without a service pack, Windows XP SP1, and Windows XP SP2 all report the same value. CPE Specification Product Component: The third component of a CPE Name is the product name of the platform part. Multi-word product names and designations should be spelled out in full, replacing spaces with underscores. The example below shows how this would look for the Zone Labs ZoneAlarm Internet Security Suite version 7.0. cpe:/a:zonelabs:zonealarm_internet_security_suite:7.0 Multi-word product names may be shortened when doing so would not make the CPE Name ambiguous and when the vendor has designated a particular "official" abbreviation in product descriptions. This helps keep the name more reasonable in length. For example, "Internet Explorer" should be abbreviated as "ie", and "Java Runtime Environment" should be abbreviated as "jre". A list of community product name abbreviations will be maintained at the CPE web site. Product Name CPE Abbreviation Internet Explorer ie Java Runtime Environment jre As with the vendor component, if a product has a name change, existing CPE Names should not be modified. Rather, new names that are created with a new version of the product should use the new product name. Version Component: The forth component of a CPE Name is the version of the platform part. The version should be represented in the same format as seen within the product. For example, use periods, dashes, etc. as the delimiter in the same way as the product. The following example denotes Microsoft Windows 2000 cpe:/o:microsoft:windows-nt:2000 The following example denotes Adobe Reader version 8.1 cpe:/a:adobe:reader:8.1 Lt Col Joseph L. Wolfkiel Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office NSA/I71 9800 Savage Rd Ste 6767 Ft Meade, MD 20755-6767 Commercial 410-854-5401 DSN 244-5401 Fax 410-854-6700 -----Original Message----- From: Buttner, Drew [mailto:[hidden email]] Sent: Friday, September 14, 2007 4:05 PM To: [hidden email] Subject: [CPE-DISCUSSION-LIST] Official Release of CPE 2.0 I am pleased to announce the official release of CPE 2.0. The specification is available on the CPE Wed Site at: http://cpe.mitre.org/files/cpe-specification_2.0.pdf The Official CPE Dictionary has also been released. Currently it only contains names for Microsoft and Red Hat. Over the coming weeks we plan on expanding this to cover more names. We will keep everyone update with regards to our process. Please see the CPE Web Site at: http://cpe.mitre.org/dictionary.html Thanks Drew --------- Andrew Buttner The MITRE Corporation [hidden email] 781-271-3515 |
||||||||||||||||
Ken Lassesen-3
|
Very well done example Joe,
I think we should also suggest a FLOW CHART on the naming process to be followed, for example, in Windows for applications that installs and appear in Add/Remove Applications, then .... The goal is, as you so well demonstrated, a **repeatable** process that should come to the same results. Ken Lassesen, Office 206-734-4718 Home: 360-297-4717 Cell: 360-509-2402 Skype: Ken.Lassesen IM: [hidden email] CONFIDENTIALITY NOTICE The information contained in this electronic message may contain confidential and privileged information and is intended only for use by the individual(s) or entity(ies) to whom it was addressed. Any unauthorized review, use, disclosure, or distribution of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and permanently delete and destroy the original message. -----Original Message----- From: Wolfkiel, Joseph [mailto:[hidden email]] Sent: Monday, September 24, 2007 7:32 AM To: [hidden email] Subject: [CPE-DISCUSSION-LIST] Thoughts on Microsoft names and drinking our own kool-aid Having successfully lived through the SCAP workshop, I want to delve into the specific world of Microsoft. I would like to have the naming convention for Microsoft OSs adjudicated. The specific problem is that I don't believe you can arrive at the current name "windows-nt:XP" by following the guidance for naming in the specification. I think you will also run into the same problem for Windows 2000, Windows XP 64 bit, and possibly other OS names. According to technet, it looks like there are two possible names you could use to start a Microsoft CPE name -- the advertised name or the registered name. The advertised name would give you a CPE name of cpe:/o:microsoft:win:xp The registered (how the OS identifies itself in the registry) name "Microsoft Windows NT Workstation 5.1" may result in multiple CPE names, depending on how you parse it: "cpe:/o:microsoft:win:nt:workstation:5.1" or "cpe:/o:microsoft:windows_nt_workstation:5.1". I note that none of these 3 cases give you "cpe:/o:microsoft:win-nt:xp", nor could I figure out how someone who wasn't closely monitoring the CPE discussion list would arrive at this name. I find it interesting to note that you can't arrive at a name that associates nt with xp without mixing the advertised name with the registered name -- not something I would expect to promote. Based on these observations, and the stated goal of the spec to allow users to independently arrive at the same cpe names, I would like to officially request to have this set of names re-evaluated (and new names assigned) or to have the spec changed to reflect the names given as examples and give readers some hint about how they would arrive at those names. If possible, I would like to have this be the first round of a repeatable adjudication process. Also, since we still have the problem of matching advertised names with registered names and/or executable names, I would like to open the discussion on the value of having a community alias list. - Joe Wolfkiel ________________________________________________________________________ ____ ____ Supporting info. http://www.microsoft.com/technet/sms/2003/library/deployingwinxpsp2_6.ms px The value for OperatingSystemNameandVersion is listed as Microsoft Windows NT Workstation 5.1. This is what Windows XP reports to SMS when queried for the operating system. Windows XP without a service pack, Windows XP SP1, and Windows XP SP2 all report the same value. CPE Specification Product Component: The third component of a CPE Name is the product name of the platform part. Multi-word product names and designations should be spelled out in full, replacing spaces with underscores. The example below shows how this would look for the Zone Labs ZoneAlarm Internet Security Suite version 7.0. cpe:/a:zonelabs:zonealarm_internet_security_suite:7.0 Multi-word product names may be shortened when doing so would not make the CPE Name ambiguous and when the vendor has designated a particular "official" abbreviation in product descriptions. This helps keep the name more reasonable in length. For example, "Internet Explorer" should be abbreviated as "ie", and "Java Runtime Environment" should be abbreviated as "jre". A list of community product name abbreviations will be maintained at the CPE web site. Product Name CPE Abbreviation Internet Explorer ie Java Runtime Environment jre As with the vendor component, if a product has a name change, existing CPE Names should not be modified. Rather, new names that are created with a new version of the product should use the new product name. Version Component: The forth component of a CPE Name is the version of the platform part. The version should be represented in the same format as seen within the product. For example, use periods, dashes, etc. as the delimiter in the same way as the product. The following example denotes Microsoft Windows 2000 cpe:/o:microsoft:windows-nt:2000 The following example denotes Adobe Reader version 8.1 cpe:/a:adobe:reader:8.1 Lt Col Joseph L. Wolfkiel Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office NSA/I71 9800 Savage Rd Ste 6767 Ft Meade, MD 20755-6767 Commercial 410-854-5401 DSN 244-5401 Fax 410-854-6700 -----Original Message----- From: Buttner, Drew [mailto:[hidden email]] Sent: Friday, September 14, 2007 4:05 PM To: [hidden email] Subject: [CPE-DISCUSSION-LIST] Official Release of CPE 2.0 I am pleased to announce the official release of CPE 2.0. The specification is available on the CPE Wed Site at: http://cpe.mitre.org/files/cpe-specification_2.0.pdf The Official CPE Dictionary has also been released. Currently it only contains names for Microsoft and Red Hat. Over the coming weeks we plan on expanding this to cover more names. We will keep everyone update with regards to our process. Please see the CPE Web Site at: http://cpe.mitre.org/dictionary.html Thanks Drew --------- Andrew Buttner The MITRE Corporation [hidden email] 781-271-3515 |
||||||||||||||||
Andrew Buttner
|
In reply to this post
by Wolfkiel, Joseph
>According to technet, it looks like there are two possible
>names you could use to start a Microsoft CPE name -- the >advertised name or the registered name. For the purposes of CPE I think the registered name would be the best one to use if possible. The advertised name could be held in the CPE Dictionary using the <title> element. >The registered (how the OS identifies itself in the >registry) name "Microsoft Windows NT Workstation 5.1" may >result in multiple CPE names, depending on how you parse it: >"cpe:/o:microsoft:win:nt:workstation:5.1" or >"cpe:/o:microsoft:windows_nt_workstation:5.1". Wouldn't cpe:/o:microsoft:windows-nt:5.1::workstation also be a possibility? With "Microsoft" being the vendor, "Windows NT" being the product, "Workstation" being the edition, and "5.1" being the version. I do think you bring up an inconsistency with the Microsoft OS names that is also found in other CPE Names in the dictionary. This is that the version number is sometimes replaced with a marketing term for the version. e.g.. XP, 2000, Vista, etc. We see this in Microsoft Office and other applications that follow the version naming convention. The CPE Specification does not give any insight as to when to use the version number verses this marketing term. I would love to hear more opions from the community on this. Should we always use the number? Should we try to come up with a set of rules about when to use the number and when to use the marketing term? Or should we just leave it arbitrary and allow those creating CPE Names to use their best judgment and know that this is an area of the spec that needs to be solidified in the future? >Also, since we still have the problem of matching advertised names with >registered names and/or executable names, I would like to open the >discussion on the value of having a community alias list. If we only need to associate each CPE Name with one given advertised name, then we can use the <title> element in the CPE Dictionary. If there is a need to associate each CPE Name with more than one advertised name, then what about adding another element to the <cpe_item>? Maybe an <advertised_name> element? This could be an unbounded element that could occur many times. Thanks Drew |
||||||||||||||||
Gary Newman-2
|
In reply to this post
by Wolfkiel, Joseph
Hi Joe,
The technet article you've cited is very loosely saying that Windows XP reports "Microsoft Windows NT Workstation 5.1" to the SMS client. I'm not aware of any registry value similar to a string like that. The SMS client is most likely creating that string by pulling together other data that's not all in the registry (e.g. API calls). I'd suggest that we not consider names created by the SMS client as a vendor Registered Name. Windows XP doesn't refer to itself as Windows NT anywhere that I know of (ignoring the registry keys below, as they also can appear on Windows 95 computers). However, the Windows XP registry does have the string "Microsoft Windows XP" in the registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName That said, it's fair to note that Microsoft has the OS identify itself as compatible with the Windows NT "family" with the GetVersion API call http://msdn2.microsoft.com/en-us/library/ms724439.aspx that returns 0 in the high order bit for NT family and 1 for 9x family. It's not clear to me whether compatibility with the NT family implies a taxonomy appropriate for CPE use. -Gary- > [snip] > Supporting info. > > http://www.microsoft.com/technet/sms/2003/library/deployingwinxpsp2_6.mspx > The value for OperatingSystemNameandVersion is listed as Microsoft Windows > NT Workstation 5.1. This is what Windows XP reports to SMS when queried for > the operating system. Windows XP without a service pack, Windows XP SP1, and > Windows XP SP2 all report the same value. |
||||||||||||||||
|
Wolfkiel, Joseph
|
In reply to this post
by Wolfkiel, Joseph
We've been having discussions on this thread for a week now, and I have yet
to see a case that supports naming Microsoft products 'win-nt:xp', 'win-nt:2000', or 'win-nt:nt'. Based on the cases I've seen, I am requesting the MS OS naming convention be 'windows_xp', 'windows_nt', 'windows_2000', etc. This seems to most closely follow the CPE spec and can be arrived at both by reading the advertising and, in many cases, by checking one or more registry settings. Since we don't have a defined governance process, I suggest the forum moderator put together a list of alternatives and submit it for a community vote. Lt Col Joseph L. Wolfkiel Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office NSA/I71 9800 Savage Rd Ste 6767 Ft Meade, MD 20755-6767 Commercial 410-854-5401 DSN 244-5401 Fax 410-854-6700 -----Original Message----- From: Wolfkiel, Joseph Sent: Monday, September 24, 2007 10:32 AM To: 'CPE Community Forum' Cc: Lowenthal (E-mail) Subject: Thoughts on Microsoft names and drinking our own kool-aid Having successfully lived through the SCAP workshop, I want to delve into the specific world of Microsoft. I would like to have the naming convention for Microsoft OSs adjudicated. The specific problem is that I don't believe you can arrive at the current name "windows-nt:XP" by following the guidance for naming in the specification. I think you will also run into the same problem for Windows 2000, Windows XP 64 bit, and possibly other OS names. According to technet, it looks like there are two possible names you could use to start a Microsoft CPE name -- the advertised name or the registered name. The advertised name would give you a CPE name of cpe:/o:microsoft:win:xp The registered (how the OS identifies itself in the registry) name "Microsoft Windows NT Workstation 5.1" may result in multiple CPE names, depending on how you parse it: "cpe:/o:microsoft:win:nt:workstation:5.1" or "cpe:/o:microsoft:windows_nt_workstation:5.1". I note that none of these 3 cases give you "cpe:/o:microsoft:win-nt:xp", nor could I figure out how someone who wasn't closely monitoring the CPE discussion list would arrive at this name. I find it interesting to note that you can't arrive at a name that associates nt with xp without mixing the advertised name with the registered name -- not something I would expect to promote. Based on these observations, and the stated goal of the spec to allow users to independently arrive at the same cpe names, I would like to officially request to have this set of names re-evaluated (and new names assigned) or to have the spec changed to reflect the names given as examples and give readers some hint about how they would arrive at those names. If possible, I would like to have this be the first round of a repeatable adjudication process. Also, since we still have the problem of matching advertised names with registered names and/or executable names, I would like to open the discussion on the value of having a community alias list. - Joe Wolfkiel ____________________________________________________________________________ ____ Supporting info. http://www.microsoft.com/technet/sms/2003/library/deployingwinxpsp2_6.mspx The value for OperatingSystemNameandVersion is listed as Microsoft Windows NT Workstation 5.1. This is what Windows XP reports to SMS when queried for the operating system. Windows XP without a service pack, Windows XP SP1, and Windows XP SP2 all report the same value. CPE Specification Product Component: The third component of a CPE Name is the product name of the platform part. Multi-word product names and designations should be spelled out in full, replacing spaces with underscores. The example below shows how this would look for the Zone Labs ZoneAlarm Internet Security Suite version 7.0. cpe:/a:zonelabs:zonealarm_internet_security_suite:7.0 Multi-word product names may be shortened when doing so would not make the CPE Name ambiguous and when the vendor has designated a particular "official" abbreviation in product descriptions. This helps keep the name more reasonable in length. For example, "Internet Explorer" should be abbreviated as "ie", and "Java Runtime Environment" should be abbreviated as "jre". A list of community product name abbreviations will be maintained at the CPE web site. Product Name CPE Abbreviation Internet Explorer ie Java Runtime Environment jre As with the vendor component, if a product has a name change, existing CPE Names should not be modified. Rather, new names that are created with a new version of the product should use the new product name. Version Component: The forth component of a CPE Name is the version of the platform part. The version should be represented in the same format as seen within the product. For example, use periods, dashes, etc. as the delimiter in the same way as the product. The following example denotes Microsoft Windows 2000 cpe:/o:microsoft:windows-nt:2000 The following example denotes Adobe Reader version 8.1 cpe:/a:adobe:reader:8.1 Lt Col Joseph L. Wolfkiel Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office NSA/I71 9800 Savage Rd Ste 6767 Ft Meade, MD 20755-6767 Commercial 410-854-5401 DSN 244-5401 Fax 410-854-6700 -----Original Message----- From: Buttner, Drew [mailto:[hidden email]] Sent: Friday, September 14, 2007 4:05 PM To: [hidden email] Subject: [CPE-DISCUSSION-LIST] Official Release of CPE 2.0 I am pleased to announce the official release of CPE 2.0. The specification is available on the CPE Wed Site at: http://cpe.mitre.org/files/cpe-specification_2.0.pdf The Official CPE Dictionary has also been released. Currently it only contains names for Microsoft and Red Hat. Over the coming weeks we plan on expanding this to cover more names. We will keep everyone update with regards to our process. Please see the CPE Web Site at: http://cpe.mitre.org/dictionary.html Thanks Drew --------- Andrew Buttner The MITRE Corporation [hidden email] 781-271-3515 |
||||||||||||||||
|
Andrew Buttner
|
I propose that we have a telephone conference to discuss the issue
below further. I will send out details for this call shortly. Please read the rest of this post. I encourage all community members to weigh in on this issue, even if you disagree with the current spec. The only way we are going to move forward is if everyone voices their opinions. Please do keep the response focused on this topic of naming Microsoft operating systems. Of course vendor (Microsoft) input would help put this issue to bed as they are the only ones that know the real answer to this question :) >We've been having discussions on this thread for a week now, >and I have yet to see a case that supports naming Microsoft >products 'win-nt:xp', 'win-nt:2000', or 'win-nt:nt'. Based >on the cases I've seen, I am requesting the MS OS naming >convention be 'windows_xp', 'windows_nt', 'windows_2000', >etc. This seems to most closely follow the CPE spec and can >be arrived at both by reading the advertising and, in many >cases, by checking one or more registry settings. The question of windows naming has been going on since March when it was first brought up on the CPE mailing list. It is a tough debate with arguments for and against any of the different methods chosen. The community itself is conflicted on what is the best approach. The original thread that also provides some great background information can be found at: http://www.nabble.com/Windows-naming-in-CPE-tf4230138.html The problem we face is the relation between the roll-up capability built into the CPE Naming structure, and the way Microsoft markets their Windows operating System. CPE has tried to create a naming structure that allows matching to be performed on names related to different levels of platform abstraction. This is use case is defined in section 2.2 of the current spec. The goal of this use case is that a name can be specified for a particular version of a product and this name can be matched to the a more general name related to all versions of the product. For example, a configuration guide can be written for "Acme BestProgram" and this guide can be known to apply to a platform that is identified to have "Acme BestProgram 2.3". This is why we build our names using the vendor:product:version:.... convention. Unfortunately with Microsoft Windows, there becomes a grey area. What is the 'product'? Is it "Windows"? Or is it "Windows XP". Looking at the internals of the operating system, and reading books and other information available about the os, it is pretty convincing that the true product is a kernel that has been updated over the years, from version 4.0 to version 5.0 to 5.1 to 5.2 and now version 6.0. The grey area is that Microsoft does not give a name to this product (at least not to the general public that I am aware of). Instead, Microsoft has named each version (NT, 2000, XP, Vista, etc). In the 1.1 spec, we used the term 'windows' as the product but it was pointed out that matching didn't work correctly since the older 9x kernel and the CE kernels were included in this term and they were not the same product. If we are to follow the defined vendor:product:version convention, then we need to create a name for the kernel of the windows operating system. Again, see the original thread from back in March. If we use the marketing name of "Window XP" as the product name, we will lose the ability to satisfy the matching use case. Thanks Drew |
||||||||||||||||
| Free Embeddable Forum Powered by Nabble | Help |
