RE: Whose X do I need to X to get on CERT?

["Jonathan G. Lampe" <jonathan () stdnet com>]

FOLLOW-UP to "Whose X do I need to X to get on CERT?"

After my posting regarding my difficulties communicating a vendor statement 
to CERT I received a lot of good information from a variety of sources.  To 
make a long story short, CERT posted my vendor statement after the 
following steps:

1) I chatted with a CERT rep, identifying myself and my company.

2) I emailed a public PGP certificate to the attention of the same CERT rep 
at cert () cert org.  (CERT stored my public key away and set it up as a 
trusted vendor certificate.)

3) I acquired CERT's public PGP 
key.  (https://www.cert.org/pgp/cert_pgp_key.asc)

4) I signed my vendor statement with my private key and CERT's public key 
and emailed it to cert () cert org, with a subject containing the VU# of my 
issue.

5) CERT posted the vendor statement rather quickly.

I still think www.CERT.org could use a "Vendor 101" section (maybe in the 
FAQ) which walks new and/or infrequent vendors through steps 1 and 
2.  (Here's the email address to which you should send your public key 
[cert () cert org with a special subject?] ,  X will call you back in Y hours 
to confirm your identity, etc.)    For the moment I think the thing to do 
is just to call them and ask if you can submit your PGP key and become a 
known vendor.

Just my $.02.

- Jonathan Lampe

P.S. CERT told me they ONLY accept PGP-signed vendor statements via 
email.  (Makes a lot of sense to me.)  However I doubt that as an 
unregistered vendor, simply sending CERT a signed statement and a copy of 
your key would be good enough by itself; CERT still would need to confirm 
your identity somehow, even if its just a phone call.

P.P.S. (Thanks to Matt, Ian, Keith, Marty, Ed, Marko, Ken and anyone else I 
forgot!)