Re: CVE ID Syntax voting - vote requested
Adam Shostack, voting for Microsoft
First choice: Option C
The combination of future-proofing and addressing the risk of dropped
digits (or copy-errors) makes option C most attractive.
Second Choice: Option A
While the immediate impact of the fixed length is a disadvantage,
truncation risks from an uncertain length are also important. The
risk of future change is important, but when we reach that many
vulnerabilities, we will likely require other changes to allow us to
process vulns at that scale.
Last choice: Option B
An arbitrary length field is likely to have dropped digits, and such
integrity failures carry a propagation risk. For example, if a
partial CVE is pasted to a web site, then CVEs could accidentally
acquire multiple meanings, and not act as a unique name for
concordance purposes. I recall clearly the days where names that were
intended as unique overlapped, and as such, am opposed to B.