[24383] in bugtraq
RE: Whose X do I need to X to get on CERT?
daemon@ATHENA.MIT.EDU (Jonathan G. Lampe)
Fri Feb 22 18:11:09 2002
Message-Id: <5.1.0.14.0.20020221144940.026fc008@mail.stdnet.com>
Date: Thu, 21 Feb 2002 15:38:16 -0600
To: bugtraq@securityfocus.com
From: "Jonathan G. Lampe" <jonathan@stdnet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
FOLLOW-UP to "Whose X do I need to X to get on CERT?"
After my posting regarding my difficulties communicating a vendor statement
to CERT I received a lot of good information from a variety of sources. To
make a long story short, CERT posted my vendor statement after the
following steps:
1) I chatted with a CERT rep, identifying myself and my company.
2) I emailed a public PGP certificate to the attention of the same CERT rep
at cert@cert.org. (CERT stored my public key away and set it up as a
trusted vendor certificate.)
3) I acquired CERT's public PGP key.
(https://www.cert.org/pgp/cert_pgp_key.asc)
4) I signed my vendor statement with my private key and CERT's public key
and emailed it to cert@cert.org, with a subject containing the VU# of my
issue.
5) CERT posted the vendor statement rather quickly.
I still think www.CERT.org could use a "Vendor 101" section (maybe in the
FAQ) which walks new and/or infrequent vendors through steps 1 and
2. (Here's the email address to which you should send your public key
[cert@cert.org with a special subject?], X will call you back in Y hours
to confirm your identity, etc.) For the moment I think the thing to do
is just to call them and ask if you can submit your PGP key and become a
known vendor.
Just my $.02.
- Jonathan Lampe
P.S. CERT told me they ONLY accept PGP-signed vendor statements via
email. (Makes a lot of sense to me.) However, I doubt that as an
unregistered vendor, simply sending CERT a signed statement and a copy of
your key would be good enough by itself; CERT still would need to confirm
your identity somehow, even if it's just a phone call.
P.P.S. (Thanks to Matt, Ian, Keith, Marty, Ed, Marko, Ken and anyone else I
forgot!)