Re: Candidate numbering scheme

[Adam Shostack <adam@netect.com>]

On Thu, May 13, 1999 at 03:40:58PM -0400, Steven M. Christey wrote:
| 
| All:
| 
| We seemed pretty much agreed that there should be a separate numbering
| scheme for "candidate" vulnerabilities that are proposed to the input
| forum.  We might be able to have a mailing list which utilizes some
| sort of ticketing system, but that would make it difficult to identify
| multiple vulnerabilities in the same email.  I propose a numbering
| scheme such as:
| 
| 	CAN-<id>-YYYYMMDDn
| where <id> is an "official" ID that identifies the proposer, YYYYMMDD
| is the year/month/date, and "n" separates multiple vulnerabilities
| that the proposer um, proposes on the same date.  The benefit of the
| date in the ID is that we can immediately see which candidates are
| getting "old."  In the short term, the proposer could take the
| responsibility for ensuring that their number is unique, and the
| encoded date helps that.

If N will become the CVE-N, I think this will work fine.  Otherwise,
we need to add references to CAN-NETECT-19990514A to CVE-00666 to
reference the discussion that lead to its acceptance.  

Adam

| In the longer term, it may be better to have an external mechanism
| that proposers can access to get more arbitrary numbers that are
| guaranteed to be unique.  I believe that Russ and Adam may have some
| ideas on such a mechanism.
| 
| - Steve