Re: Candidate numbering scheme
I think there are a few risks with the numbering scheme that Russ advocates (namely, CVE numbers being based on the candidate numbers), though I recognize that it does solve some limitations of the current approach.

First of all, I'm concerned that the inclusion of an ID within the CVE name itself could be abused in some cases, or at least misunderstood. The *proposer* of a candidate vulnerability is not necessarily the discoverer of that vulnerability. An "outsider" may confuse the difference and make invalid assumptions. There is also the risk of indirectly encouraging "competition" to see who can propose the most accepted candidates. A simple CVE-nnnn would remove that concern.

I also agree with Dave's concern about numbers becoming "memorable." While certainly everybody knows "Smurf," it may become nearly as well known by a name such as CVE-00513. In my experience with earlier development of the CVE, certain numbers became well-known to me.

There is a third problem which I believe is the most significant. Multiple candidates will be proposed that wind up being part of the same CVE vulnerability (let's say they are duplicates, or they're both subsumed by them), or split into multiple CVE vulnerabilities. There won't be a one-to-one relationship between the candidate number and the CVE number, so the CAN- portion will be different than the CVE- portion. This would require a "lookup" capability to go from the candidate number to the real associated number. I.e., we would *still* have to maintain a mapping from candidate numbers to the CVE numbers.

None of these problems is significant if the candidate number is never really public, and only for use within the Input Forum. They might be relatively minor compared with some of the benefits, e.g. "early tracking" of new vulnerability information, and allowing Input Forum members (e.g. vendors) to use candidate numbers in advisories that they post for new vulnerabilities.
The question is: how important is it to the members of this group that we should have such "external candidate numbers"? Russ' perspective is clear since he is concerned with numbering vulnerabilities as early as possible, and I believe Andre would agree since he expressed concerns with getting numbers for advisories for new vulnerabilities.

A second question is: assuming we have external candidate numbers, do they *have* to be the same as the CVE number? To reduce confusion, sure, but there won't always be a one-to-one relationship as I indicated earlier.

I think that such a radical change to the CVE name requires a decision before release. Any commitments we make to a numbering scheme will have to be adhered to once the CVE is public.

- Steve