FOLLOW-UP to "Whose X do I need to X to get on CERT?" After my posting regarding my difficulties communicating a vendor statement to CERT I received a lot of good information from a variety of sources. To make a long story short, CERT posted my vendor statement after the following steps: 1) I chatted with a CERT rep, identifying myself and my company. 2) I emailed a public PGP certificate to the attention of the same CERT rep at cert@cert.org. (CERT stored my public key away and set it up as a trusted vendor certificate.) 3) I acquired CERT's public PGP key. (https://www.cert.org/pgp/cert_pgp_key.asc) 4) I signed my vendor statement with my private key and CERT's public key and emailed it to cert@cert.org, with a subject containing the VU# of my issue. 5) CERT posted the vendor statement rather quickly. I still think www.CERT.org could use a "Vendor 101" section (maybe in the FAQ) which walks new and/or infrequent vendors through steps 1 and 2. (Here's the email address to which you should send your public key [cert@cert.org with a special subject?] , X will call you back in Y hours to confirm your identity, etc.) For the moment I think the thing to do is just to call them and ask if you can submit your PGP key and become a known vendor. Just my $.02. - Jonathan Lampe P.S. CERT told me they ONLY accept PGP-signed vendor statements via email. (Makes a lot of sense to me.) However I doubt that as an unregistered vendor, simply sending CERT a signed statement and a copy of your key would be good enough by itself; CERT still would need to confirm your identity somehow, even if its just a phone call. P.P.S. (Thanks to Matt, Ian, Keith, Marty, Ed, Marko, Ken and anyone else I forgot!)
