mailing list archives
RE: Whose X do I need to X to get on CERT?
From: "Jonathan G. Lampe" <jonathan () stdnet com>
Date: Thu, 21 Feb 2002 15:38:16 -0600
FOLLOW-UP to "Whose X do I need to X to get on CERT?"
After my posting regarding my difficulties communicating a vendor statement
to CERT I received a lot of good information from a variety of sources. To
make a long story short, CERT posted my vendor statement after the
1) I chatted with a CERT rep, identifying myself and my company.
2) I emailed a public PGP certificate to the attention of the same CERT rep
at cert () cert org (CERT stored my public key away and set it up as a
trusted vendor certificate.)
3) I acquired CERT's public PGP
4) I signed my vendor statement with my private key and CERT's public key
and emailed it to cert () cert org, with a subject containing the VU# of my
5) CERT posted the vendor statement rather quickly.
I still think www.CERT.org could use a "Vendor 101" section (maybe in the
FAQ) which walks new and/or infrequent vendors through steps 1 and
2. (Here's the email address to which you should send your public key
[cert () cert org with a special subject?] , X will call you back in Y hours
to confirm your identity, etc.) For the moment I think the thing to do
is just to call them and ask if you can submit your PGP key and become a
Just my $.02.
- Jonathan Lampe
P.S. CERT told me they ONLY accept PGP-signed vendor statements via
email. (Makes a lot of sense to me.) However I doubt that as an
unregistered vendor, simply sending CERT a signed statement and a copy of
your key would be good enough by itself; CERT still would need to confirm
your identity somehow, even if its just a phone call.
P.P.S. (Thanks to Matt, Ian, Keith, Marty, Ed, Marko, Ken and anyone else I