RE: Candidate numbering scheme
> -----Original Message-----
> From: Gene Spafford [mailto:email@example.com]
> Sent: Monday, May 17, 1999 11:58 AM
> To: Steven M. Christey
> Cc: firstname.lastname@example.org
> Subject: Re: Candidate numbering scheme
> At 1:22 PM -0400 5/17/99, Steven M. Christey wrote:
> >Spaf said:
> > >Why not make every candidate number something like
> "Temp-99-01" where
I like having the "Temp-" in front. It implies that is a temporary number.
Do we need to have something in it that shows that it is a CVE temporary
> > >we simply count from the beginning of the year?
> >This approach would require a central "number assignment"
> mechanism to
> >different entities from using duplicate numbers, and could
> be somewhat
> >problematic or expensive to implement if the assignment is open to
> >everybody, not just the input forum.
> This could easily be automated. Set up a program that assigns the
> next number in line in response to email from one of the "authorized"
Must it be from an Authorized reporter? What about vulnerabilities
discovered by non-participants.
> reporters. This could also be done from a WWW page that requires
> password access, or SSL-enabled access. We don't care about numbers
> assigned and dropped, or the same vulnerability given two different
> numbers by two different people. This is, after all, simply an
> attempt to assign unique temporary numbers for evaluation.
> And, this method helps encourage people not to refer to the temporary
> numbers for long.
> >Gene, are you advocating using the candidate numbering scheme in
> >public? And if so, do you believe that temp-99-01 really
> doesn't have
> >a chance to become a de facto standard? I think that the
> first number
> >to be referenced could become the one that is most commonly
> used, even
> >if it has a "temp" name in it. However, as long as "highly visible"
> >players use the CVE name (i.e. database owners, advisory writers,
> >etc.), then I suppose it becomes less of a problem.
> See my comments above. I think that it is worth trying using
> something like this. If we spend too much time debating the exact
> syntax and mechanics, we will never get a system out there to try!