-----BEGIN PGP SIGNED MESSAGE-----
What caused me to reconsider was the idea of more and more active
CNAs. Now, MITRE is careful to hand out modest allocations of IDs,
generally sequentially, to dozens(?) of CNAs. I don't think there's
What I wanted to future-proof is the world with more CNAs (100s?) with
more assignment authority (like a modulo slice or big sequential block
of the year's CVE ID space). In this world, there still may still not
be more than 1M CVE IDs published per year, but there may be more than
1M CVE IDs allocated to CNAs. Allocation != publication.
Now, I don't see any strong indicators of this particular new world.
But it seemed reasonable enough to want to plan in advance for.