The CPE name structure proposed by Lt. Col Wolfkiel is largely
consistent with the naming convention used by VMS and tools currently
capable of importing scan results into VMS. In VMS we have "elements"
(Think: CPE Name) and "conditions" (Think: CPE Language) which are used
to describe assets, determine the applicability of security guidance and
vulnerability alerts, and to control the check and fix operations
performed by the Gold Disk. In practice, we use a name structure very
similar to the one proposed to effectively to accomplish our mission.
My vote is to recommend the CPE names proposed by Lt Col Wolfkiel
(restated below).
----------------------------------
Christopher Johnson , CISSP
DISA Field Security Operations
VMS/Gold Disk Development
717-267-9542 Office
717-267-9583 Fax
DSN 570
[hidden email]
----------------------------------
a) Microsoft Windows XP cpe:/o:microsoft:windows_xp
b) Microsoft Windows XP Professional cpe:/o:microsoft:windows_xp:::pro
c) Microsoft Windows XP Professional Service Pack 2
cpe:/o:microsoft:windows_xp::sp2:pro
d) Microsoft Windows (NT, 2K, XP, Vista, 2003)
Use the CPE language to "or" all of them together if the intent is to be
inclusive.
<or>
cpe:/o:microsoft:windows_nt
cpe:/o:microsoft:windows_xp
cpe:/o:microsoft:windows_vista
cpe:/o:microsoft:windows_2000
cpe:/o:microsoft:windows_server_2003
</or>
e) Microsoft Windows (3.1, 95, 98, ME, NT, 2K, XP, Vista, CE, etc.)
Use the CPE language to "or" all of them together if the intent is to be
inclusive.
<or>
cpe:/o:microsoft:windows_3.1
cpe:/o:microsoft:windows_95
cpe:/o:microsoft:windows_98
cpe:/o:microsoft:windows_me
cpe:/o:microsoft:windows_nt
cpe:/o:microsoft:windows_xp
cpe:/o:microsoft:windows_vista
cpe:/o:microsoft:windows_2000
cpe:/o:microsoft:windows_ce
</or>
Alternatively, if you mean "all microsoft operating systems", then:
cpe:/o:microsoft
f) Microsoft Windows 3.1 cpe:/o:microsoft:windows_3.1
g) Microsoft Windows CE 5.0 cpe:/o:microsoft:windows_ce_5.0
h) Microsoft Windows Mobile 2003 cpe:/o:microsoft:windows_mobile_2003
i) Microsoft Windows 98 cpe:/o:microsoft:windows_98
j) Microsoft Windows 98 Second Edition
cpe:/o:microsoft:windows_98:::second_edition
k) Microsoft Windows Server 2003 x64 Edition
cpe:/o:microsoft:windows_server_2003:::64_bit
l) Sun Microsystems Solaris cpe:/o:sun_microsystems:solaris
m) Sun Microsystems Solaris 10 cpe:/o:sun_microsystems:solaris:10
n) Red Hat Enterprise Linux 4 cpe:/o:red_hat:enterprise_linux:4
-----Original Message-----
From: Buttner, Drew [mailto:
[hidden email]]
Sent: Wednesday, October 03, 2007 3:47 PM
To:
[hidden email]
Subject: [CPE-DISCUSSION-LIST] VOTE - Microsoft Windows OS CPE Name
There are some conflicting opinions as to how the product component
should be filled in for Microsoft Windows operating systems. Currently
the most important step for the CPE Community is that a name be settled
on so we can move forward. At our telephone conference this morning
with many community members, we agreed to hold a vote to determine how
what names should be. I hope everyone will take time with their answers
and do any necessary research. Also, please vote for what you think
will be best for the CPE Community, not necessarily what will be best
for your organization.
Voting Procedure
------------------
* before voting please read the related discussion threads on the
CPE Discussion List
http://www.nabble.com/Windows-naming-in-CPE-tf4230138.html
http://www.nabble.com/Updated-CPE-Specification-2.0-Draft-tf4273599.html
http://www.nabble.com/Thoughts-on-Microsoft-names-and-drinking-our-own-kool-aid-tf4509572.html
http://www.nabble.com/Re%3A-Thoughts-on-Microsoft-names-and-drinkin-g-our-own-kool-aid-tf4518162.html
* reply to this email via the CPE Discussion List (so the entire
community sees the reply)
* only one vote per organization
* please answer all the questions for the vote to be valid
* voting closes at 7AM (EST) on Thursday October 11th
Background
------------------
* the current spec will not be changed at this time
* the naming convention is:
cpe:/o:vendor:product:version:update:edition:language
Questions
------------------
1) What should the product component be for Microsoft operating systems?
To answer this question, please give the corresponding CPE Name that you
think should be used for the following examples. Stating that a CPE
Name should not be assigned for the given platform type is a valid
response.
a) Microsoft Windows XP
b) Microsoft Windows XP Professional
c) Microsoft Windows XP Professional Service Pack 2
d) Microsoft Windows (NT, 2K, XP, Vista, 2003)
e) Microsoft Windows (3.1, 95, 98, ME, NT, 2K, XP, Vista, CE, etc.)
f) Microsoft Windows 3.1
g) Microsoft Windows CE 5.0
h) Microsoft Windows Mobile 2003
i) Microsoft Windows 98
j) Microsoft Windows 98 Second Edition
k) Microsoft Windows Server 2003 x64 Edition
l) Sun Microsystems Solaris
m) Sun Microsystems Solaris 10
n) Red Hat Enterprise Linux 4
2) Please provide as much information as you care to share about the
reason for your choices above. This will help us understand why you
chose what you chose.
---------
Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515
smime.p7s (4K) 
