That assumes that already issued CVEs would not be revised to conform to the
new format. My understanding of the proposals so far is that as soon as a new
option is adopted, all previously issued CVEs would be changed to the new
My understanding was actually the opposite. Some of the initial, new CVE identifier format suggestions were radically different than the existing format, so I did not expect that we would be revising older CVEs to conform to the new format. IIRC we briefly touched on this at the board meeting at RSAC, and the plan was to roll out the new format in 2014 and going forward only. Can anyone else who attended please chime in?
That aspect is certainly important to align on as well: Do we update old identifiers or leave them as is? Since this new format is intended to fix a potential 10K problem, which is not relevant for past years, I don't find it necessary or valuable to require older CVEs to be updated.
One question that I raised at the board meeting was: "What if we breach the 10K barrier already in 2013?" In that case we could potentially have to update 2013 identifiers, unless we find a different way of addressing that issue. Steve Christey noted it and promised to look into backup plans in case the trend suddenly indicates that that may happen.