Re: CVE ID Syntax voting - vote requested
Adam Shostack, voting for Microsoft

First choice: Option C
The combination of future-proofing and addressing the risk of dropped digits (or copy-errors) makes option C most attractive.

Second Choice: Option A
While the immediate impact of the fixed length is a disadvantage, truncation risks from an uncertain length are also important. The risk of future change is important, but when we reach that many vulnerabilities, we will likely require other changes to allow us to process vulns at that scale.

Last choice: Option B
An arbitrary length field is likely to have dropped digits, and such integrity failures carry a propagation risk. For example, if a partial CVE is pasted to a web site, then CVEs could accidentally acquire multiple meanings, and not act as a unique name for concordance purposes. I recall clearly the days where names that were intended as unique overlapped, and as such, am opposed to B.