
Re: Candidate numbering scheme





Russ wrote:
> This works well if CAN-01-1999051401 becomes CVE-01-1999051401 when and
> if it's accepted as a CVE. I do not think it should get some other
> number, or else we'll have to include a reference to the CAN number in
> the CVE.

I like it.  Assuming that MITRE is assigned the id of 00
and assuming that the release date of the CVE is 23 June
(an issue that is not yet decided) we could easily convert
our current numbering scheme to the new scheme as follows
OLD       NEW
CVE-1     CVE-00-199906231
CVE-2     CVE-00-199906232
CVE-3     CVE-00-199906233
etc...

One worry: Is 2 digits enough for the editor ID? I would
suggest simply relying on the dash to separate the field.

Yet another worry: One somewhat non-technical but very
important use of the CVE names *may* be to facilitate
human to human discussions.  To this end, talking about
CVE-2317 is much more natural than discussing good ol'
CVE-14-200309153. Ugg.

Final thought. I personally think the number scheme
issue is a sticky wicket. And I would suggest that
we need to be particularly careful to keep our eye on
the ball. To be clear, I think the ball is to get a
reasonable CVE out in the public.  Do we need to
solve this problem before public release? Is this 
a "nice to have" and not a "must have"? If it is
a "must have" then let's settle it.


Dave
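
An added example, not part of the original message: a small Python parser for the name layout discussed above, assuming the fields are prefix, editor ID, an eight-digit date and a trailing sequence number, with the editor ID delimited only by the dashes so its width is not fixed. The function names and defaults are hypothetical.

```python
import re
from datetime import date, datetime

# Assumed layout: PREFIX-EDITOR-YYYYMMDD<seq>. The editor ID is whatever
# digits sit between the two dashes, so it is not limited to two digits.
NAME_RE = re.compile(r"^(CAN|CVE)-(\d+)-(\d{8})(\d+)$")
OLD_RE = re.compile(r"^CVE-(\d+)$")


def parse_name(name):
    """Split a proposed-scheme name into (prefix, editor, date, sequence)."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a proposed-scheme name: {name!r}")
    prefix, editor, ymd, seq = m.groups()
    # strptime raises ValueError on impossible dates such as 19991301.
    day = datetime.strptime(ymd, "%Y%m%d").date()
    # The editor ID stays a string so leading zeros ("00") survive.
    return prefix, editor, day, int(seq)


def promote(can_name):
    """Turn an accepted CAN into a CVE while keeping the same number."""
    prefix, editor, day, seq = parse_name(can_name)
    if prefix != "CAN":
        raise ValueError("only candidates can be promoted")
    return "CVE-" + can_name.split("-", 1)[1]


def convert_old(old_name, editor="00", release=date(1999, 6, 23)):
    """Map an old-style name (CVE-1) to the new scheme.

    The defaults are the assumptions stated in the message: editor ID 00
    for MITRE and a release date of 23 June 1999.
    """
    m = OLD_RE.match(old_name)
    if m is None:
        raise ValueError(f"not an old-style name: {old_name!r}")
    return f"CVE-{editor}-{release:%Y%m%d}{m.group(1)}"


if __name__ == "__main__":
    for old in ("CVE-1", "CVE-2", "CVE-3"):
        print(old, "->", convert_old(old))
    print(parse_name("CAN-01-1999051401"))
    print(promote("CAN-01-1999051401"))
```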

Page Last Updated or Reviewed: May 22, 2007