|
|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: Candidate numbering scheme
I would agree, the shorter number scheme definatly makes readability smother. Craig > -----Original Message----- > From: Adam Shostack [SMTP:adam@netect.com] > Sent: Friday, May 14, 1999 7:29 AM > To: Bill Hill; cve-review@linus.mitre.org > Subject: Re: Candidate numbering scheme > > I agree with Dave that shorter numbers are more usable by people. > I'll also agree with Bill that if we have substantial discussion of a > candidate, we can point to it in the references. I think we should > move ahead to working with some of the CVE sub-lists, either the easy > or the hard ones, to get closer to release. > > Adam > > > On Fri, May 14, 1999 at 08:32:25AM -0400, Bill Hill wrote: > | I agree with Steve's points. > | > | I've been an advocate of minimalism where the core CVE is concerned, but > | I can see a lot of value in being able to map between candidate > | info/threads/etc. and the CVE. It seems to me (for all the reasons that > | Steve mentioned) that the proposed candidate numbering system still > | requires that the CVE maintain references to candidate numbers in some > | cases. > | > | I suggest adding this information as an explicit reference(s). Not sure > | if this would mean something in the CMEX, or the CVE proper. > | > | I strongly suggest keeping this or any kind of data out of the CVE > | number itself. During our many design discussions we've been tempted to > | put "stuff" in there, and we've always found it introduces unwanted > | complications, inconsistencies, etc. We've always (at least so far :-) > | found better ways of handling the problem, and I think our focus on > | keeping the CVE number and data simple and "pure" has helped make as > | much progress as we have already, and will help us really push forward. > | > | Of course, this is all IMHO :-) > | > | Bill > | > | "Steven M. Christey" wrote: > | <SNIP> > | > > | > There is a third problem which I believe is the most significant. > | > Multiple candidates will be proposed that wind up being part of the > | > same CVE vulnerability (let's say they are duplicates, or they're both > | > subsumed by them), or split into multiple CVE vulnerabilities. There > | > won't be a one-to-one relationship between the candidate number and > | > the CVE number, so the CAN- portion will be different than the CVE- > | > portion. This would require a "lookup" capability to go from the > | > candidate number to the real associated number. I.e., we would > | > *still* have to maintain a mapping from candidate numbers to the CVE > | > numbers. > | > > | > None of these problems is significant if the candidate number is never > | > really public, and only for use within the Input Forum. They might be > | > relatively minor compared with some of the benefits, e.g. "early > | > tracking" of new vulnerability information, and allowing Input Forum > | > members (e.g. vendors) to use candidate numbers in advisories that > | > they post for new vulnerabilities. > | > > | > The question is: how important is it to the members of this group that > | > we should have such "external candidate numbers"? Russ' perspective > | > is clear since he is concerned with numbering vulnerabilities as early > | > as possible, and I believe Andre would agree since he expressed > | > concerns with getting numbers for advisories for new vulnerabilities. > | > A second question is: assuming we have external candidate numbers, do > | > they *have* to be the same as the CVE number? To reduce confusion, > | > sure, but there won't always be a one-to-one relationship as I > | > indicated earlier. > | > > | > I think that such a radical change to the CVE name requires a decision > | > before release. Any commitments we make to a numbering scheme will > | > have to be adhered to once the CVE is public. > | > > | > - Steve > | > | -- > | ---------------------------------------------------------------------- > | William Hill V:703-883-6416 > | INFOSEC Engineer F:703-883-1397 > | The MITRE Corporation bill@mitre.org > | 1820 Dolley Madison Blvd. M/S W422 whhill@acm.org > | McLean, VA 22102-3481
|
||||
