oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Becoming a CVE Naming Authority for your project

From: Art Manion <zmanion () protonmail com>
Date: Wed, 05 Nov 2025 16:13:32 +0000
On 2025-11-05 05:30, Peter Gutmann wrote:

The problem is that individuals can't be CNAs, which means you'd need to do
something like going through the cost and overhead of setting up a shell
corporation or similar to meet the checkbox requirement that an individual
can't be a CNA but the same individual fronted by a paper entity can.

Does anyone know what the thinking behind this is?  It excludes any OSS
project that doesn't have some entity fronting it from being a CNA.  If by
"major" you mean "lots of people involved in the project" then there are
probably entities fronting them but if you mean "lots of users and critical to
Internet operation" then see the famous xkcd cartoon, and that person can't be
a CNA.


I believe that there are no strict requirements to be a non-individual legal
entity and that in practice, a somewhat informal "project" can be a CNA.

Individuals as CNAs are rare, but here is one:

  https://www.cve.org/partnerinformation/ListofPartners

 - Art
Previous By Date Next
Previous By Thread Next

Current thread: