Re: Candidate numbering scheme
At 1:22 PM -0400 5/17/99, Steven M. Christey wrote:
> >Why not make every candidate number something like "Temp-99-01" where
> >we simply count from the beginning of the year?
>This approach would require a central "number assignment" mechanism to
>different entities from using duplicate numbers, and could be somewhat
>problematic or expensive to implement if the assignment is open to
>everybody, not just the input forum.
This could easily be automated. Set up a program that assigns the
next number in line in response to email from one of the "authorized"
reporters. This could also be done from a WWW page that requires
password access, or SSL-enabled access. We don't care about numbers
assigned and dropped, or the same vulnerability given two different
numbers by two different people. This is, after all, simply an
attempt to assign unique temporary numbers for evaluation.
And, this method helps encourage people not to refer to the temporary
numbers for long.
>Gene, are you advocating using the candidate numbering scheme in
>public? And if so, do you believe that temp-99-01 really doesn't have
>a chance to become a de facto standard? I think that the first number
>to be referenced could become the one that is most commonly used, even
>if it has a "temp" name in it. However, as long as "highly visible"
>players use the CVE name (i.e. database owners, advisory writers,
>etc.), then I suppose it becomes less of a problem.
See my comments above. I think that it is worth trying using
something like this. If we spend too much time debating the exact
syntax and mechanics, we will never get a system out there to try!