
Re: CVE ID Syntax Vote - results and next steps



Can we have a quick poll on the combined set of existing options and the ones Art has listed below? I'd think a re-whittling of the choices may get us to a better place to conduct a vote.
  • Do you desire a static length of the CVE IDs? -- Yes -- No
  • If so, what length do you feel would be acceptable to you? -- 6 -- 7 -- 12 -- More? -- Something else?
Here are options that combine what Art listed as well as the original two options. The original Option C has been dropped from this poll as a result of the initial vote.

OPTION A: Year + 6 digits, with leading 0's

OPTION B: Year + arbitrary digits, no leading 0's except IDs 1 to 999

OPTION D: Year + 7 digits with leading 0's

OPTION E: Year + 12 digits with no leading zeros.

OPTION F: Year + 12 digits with no leading zeros, starting at 1000 for each year.

OPTION G: Year + Infinite digits with no leading zeros, starting at 1000 for each year.

Just want to take a pulse as to where we are…

Kent Landfield

McAfee | An Intel Company
Direct: +1.972.963.7096 
Mobile: +1.817.637.8026
Web: www.mcafee.com

From: Art Manion <amanion@cert.org>
Date: Thursday, April 18, 2013 11:19 PM
To: "Booth, Harold" <harold.booth@nist.gov>
Cc: "cve-editorial-board-list@lists.mitre.org" <cve-editorial-board-list@LISTS.MITRE.ORG>
Subject: Re: CVE ID Syntax Vote - results and next steps

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On 2013-04-18 22:34, Booth, Harold wrote:

| I would also add that with an Option B with no leading zeros,
| including less than four digits, a transition of sorts is available
| for the first year (or more) if CVE identifiers started at 1000.
| Until the 9000'th CVE tools would successfully chug along giving
| everyone a bit more transition time. This could allow even more
| time depending on the eventual number of CVEs created. Whereas with
| an Option A with padding there is no such transition, and whatever
| number of digits are agreed to are included in every CVE from the
| beginning (in 2014?).

For the sake of further discussion, by no means an official set of
choices...

Option D:  Seven numeric characters with leading zeros.

Option E:  Twelve numeric characters, no leading zeros.

Option F:  Twelve numeric characters, no leading zeros, starting at
1000 for each year.

Option G:  Infinite numeric characters, no leading zeros, starting at
1000 for each year.

I picked 12 because someone suggested 10+.  I'm also saying "numeric
characters" to raise the issue of treating everything after "CVE" or
"CVE-YYYY" as a string.  Not sure that capping it makes much difference.

Not sure this covers all the recently discussed options.

Also not sure how to handle this situation procedurally?  Declare a
mistrial and prepare another ballot, after further discussion?


~ - Art
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlFwxdoACgkQk/8FEDbCaKOPEgCgnbaNJBjQESDRgZIBfEkbwhGy
ZvkAoKAsHLKb4sYDNP+kd3buSlenErhb
=wcLt
-----END PGP SIGNATURE-----
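
The options polled above, and the transition argument quoted from Harold Booth, written out as an added example that is not part of the original thread. The regular expressions are one constructed reading of each option: "12 digits" in E and F is assumed to be a maximum, B is assumed to zero-pad IDs 1 to 999 to four digits, and `parse`, `issue` and `legacy_headroom` are hypothetical helper names.

```python
import re

# Sequence-number patterns per option (a constructed reading of this thread).
# Assumptions: "12 digits" in E and F is a maximum; B zero-pads IDs 1-999 to
# four digits; F and G never issue a sequence number below 1000.
SEQ = {
    "A": r"\d{6}",
    "B": r"0\d{3}|[1-9]\d{3,}",
    "D": r"\d{7}",
    "E": r"[1-9]\d{0,11}",
    "F": r"[1-9]\d{3,11}",
    "G": r"[1-9]\d{3,}",
}
WIDTH = {"A": 6, "B": 4, "D": 7, "E": 1, "F": 1, "G": 1}  # zero-pad width
FIRST = {"A": 1, "B": 1, "D": 1, "E": 1, "F": 1000, "G": 1000}
LEGACY = re.compile(r"CVE-\d{4}-\d{4}")  # tool written for the 4-digit syntax


def parse(cve_id, option):
    """Return (year, sequence) if cve_id is valid under option, else None."""
    m = re.fullmatch(r"CVE-(\d{4})-(%s)" % SEQ[option], cve_id)
    if m is None or int(m.group(2)) < FIRST[option]:
        return None
    return int(m.group(1)), int(m.group(2))


def issue(year, seq, option):
    """Format sequence number seq under option; ValueError if not allowed."""
    cve_id = "CVE-%d-%0*d" % (year, WIDTH[option], seq)
    if parse(cve_id, option) is None:
        raise ValueError("%d cannot be issued under option %s" % (seq, option))
    return cve_id


def legacy_headroom(option, year=2014):
    """Count IDs issued in order before a strict 4-digit tool rejects one."""
    seq = FIRST[option]
    while LEGACY.fullmatch(issue(year, seq, option)):
        seq += 1
    return seq - FIRST[option]


if __name__ == "__main__":
    for opt in sorted(SEQ):
        print(opt, issue(2014, FIRST[opt], opt), legacy_headroom(opt))
```

Under these assumptions the fixed-width options A and D, and option E starting at 1, give a 4-digit tool no headroom at all, while F and G give it the 9000 identifiers mentioned in the quoted message.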


Page Last Updated or Reviewed: October 03, 2014