Re: Candidate numbering scheme

[Gene Spafford <spaf@cs.purdue.edu>]

At 1:22 PM -0400 5/17/99, Steven M. Christey wrote:
>Spaf said:
>
> >Why not make every candidate number something like "Temp-99-01" where
> >we simply count from the beginning of the year?
>
>This approach would require a central "number assignment" mechanism to
>different entities from using duplicate numbers, and could be somewhat
>problematic or expensive to implement if the assignment is open to
>everybody, not just the input forum.

This could easily be automated.   Set up a program that assigns the 
next number in line in response to email from one of the "authorized" 
reporters.    This could also be done from a WWW page that requires 
password access, or SSL-enabled access.  We don't care about numbers 
assigned and dropped, or the same vulnerability given two different 
numbers by two different people.   This is, after all, simply an 
attempt to assign unique temporary numbers for evaluation.

And, this method helps encourage people not to refer to the temporary 
numbers for long.

>
>Gene, are you advocating using the candidate numbering scheme in
>public?  And if so, do you believe that temp-99-01 really doesn't have
>a chance to become a de facto standard?  I think that the first number
>to be referenced could become the one that is most commonly used, even
>if it has a "temp" name in it.  However, as long as "highly visible"
>players use the CVE name (i.e. database owners, advisory writers,
>etc.), then I suppose it becomes less of a problem.

See my comments above.   I think that it is worth trying using 
something like this.   If we spend too much time debating the exact 
syntax and mechanics, we will never get a system out there to try!

--spaf