Home page logo

bugtraq logo Bugtraq mailing list archives

RE: Whose X do I need to X to get on CERT?
From: "Jonathan G. Lampe" <jonathan () stdnet com>
Date: Thu, 21 Feb 2002 15:38:16 -0600

FOLLOW-UP to "Whose X do I need to X to get on CERT?"

After my posting regarding my difficulties communicating a vendor statement to CERT I received a lot of good information from a variety of sources. To make a long story short, CERT posted my vendor statement after the following steps:

1) I chatted with a CERT rep, identifying myself and my company.

2) I emailed a public PGP certificate to the attention of the same CERT rep at cert () cert org (CERT stored my public key away and set it up as a trusted vendor certificate.)

3) I acquired CERT's public PGP key. (https://www.cert.org/pgp/cert_pgp_key.asc)

4) I signed my vendor statement with my private key and CERT's public key and emailed it to cert () cert org, with a subject containing the VU# of my issue.

5) CERT posted the vendor statement rather quickly.

I still think www.CERT.org could use a "Vendor 101" section (maybe in the FAQ) which walks new and/or infrequent vendors through steps 1 and 2. (Here's the email address to which you should send your public key [cert () cert org with a special subject?] , X will call you back in Y hours to confirm your identity, etc.) For the moment I think the thing to do is just to call them and ask if you can submit your PGP key and become a known vendor.

Just my $.02.

- Jonathan Lampe

P.S. CERT told me they ONLY accept PGP-signed vendor statements via email. (Makes a lot of sense to me.) However I doubt that as an unregistered vendor, simply sending CERT a signed statement and a copy of your key would be good enough by itself; CERT still would need to confirm your identity somehow, even if its just a phone call.

P.P.S. (Thanks to Matt, Ian, Keith, Marty, Ed, Marko, Ken and anyone else I forgot!)

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]