CVEProject / Board-Discussions

10 stars 15 forks source link

Provide CNA membership oracle #17

Open zmanion opened 1 year ago

zmanion commented 1 year ago

Discussed at the Summit on 2023-03-22:

Given an email address, return either 1.) just a boolean that the account is an active user at a known CNA or 2.) the shortname of the CNA.

Should such a query be restricted to certain RSUS roles? Available to the anyone?

Any risk in anyone being able to guess an email address then find out the CNA shortname?

CC @todb

zmanion commented 1 year ago

Restrict query to someone with a working API key?

todb commented 1 year ago

Note, this is the "strict" version of an Oracle, in that it doesn't return an email address -- you must provide one and get the appropriate answer.

I think that if you know an email address, you probably already have a guess at the CNA shortname. Though, I suppose, you could learn (or guess) an email address in the context of "Oh so and so said they were a CNA, but didn't say where." This is almost always going to be because of a communication failure, and not intentional secrecy. I don't see a problem with providing shortname as a yes, blank if no.

BTW some people (I can think of two, there are probably more) are involved in multiple CNAs. So if the answer is shortname, it'll need to be an array.

todb commented 1 year ago

The other use case for an oracle would be "Who is the CNA at example.com?" Answer: alice@example.com

This is far more invasive. It would almost have to be opt-out by default, and opt-out-able at any time, for GDPR reasons (I'm, unfortunately, not a lawyer). It also goes beyond what is provided on the public https://www.cve.org/PartnerInformation/ListofPartners registry, which is filled with non-human email addresses.

todb commented 1 year ago

Anyway, you could securify the thing by rate limiting, requiring an active CNA API key, all that.