[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE ID Syntax voting - vote requested

Adam Shostack, voting for Microsoft

First choice: Option C
The combination of future-proofing and addressing the risk of dropped
digits (or copy-errors) makes option C most attractive.


Second Choice: Option A

While the immediate impact of the fixed length is a disadvantage,
truncation risks from an uncertain length are also important.  The
risk of future change is important, but when we reach that many
vulnerabilities, we will likely require other changes to allow us to
process vulns at that scale.

Last choice: Option B

An arbitrary length field is likely to have dropped digits, and such
integrity failures carry a propagation risk.  For example, if a a
partial CVE is pasted to a web site, then CVEs could accidentally
acquire multiple meanings, and not act as a unique name for
concordance purposes.  I recall clearly the days where names that were
intended as unique overlapped, and as such, am opposed to B.
Page Last Updated or Reviewed: October 03, 2014