Re: Candidate numbering scheme

I think there are a few risks with the numbering scheme that Russ
advocates (namely, CVE numbers being based on the candidate numbers),
though I recognize that it does solve some limitations of the current
approach.

First of all, I'm concerned that the inclusion of an ID within the CVE
name itself could be abused in some cases, or at least misunderstood.
The *proposer* of a candidate vulnerability is not necessarily the
discoverer of that vulnerability.  An "outsider" may confuse the
difference and make invalid assumptions.  There is also the risk of
indirectly encouraging "competition" to see who can propose the most
accepted candidates.  A simple CVE-nnnn would remove that concern.

I also agree with Dave's concern about numbers becoming "memorable."
While certainly everybody knows "Smurf," it may become nearly as well
known by a name such as CVE-00513.  In my experience with earlier
development of the CVE, certain numbers became well-known to me.

There is a third problem which I believe is the most significant.
Multiple candidates will be proposed that wind up being part of the
same CVE vulnerability (let's say they are duplicates, or they're both
subsumed by them), or split into multiple CVE vulnerabilities.  There
won't be a one-to-one relationship between the candidate number and
the CVE number, so the CAN- portion will be different than the CVE-
portion.  This would require a "lookup" capability to go from the
candidate number to the real associated number.  I.e., we would
*still* have to maintain a mapping from candidate numbers to the CVE
numbers.

None of these problems is significant if the candidate number is never
really public, and only for use within the Input Forum.  They might be
relatively minor compared with some of the benefits, e.g. "early
tracking" of new vulnerability information, and allowing Input Forum
members (e.g. vendors) to use candidate numbers in advisories that
they post for new vulnerabilities.

The question is: how important is it to the members of this group that
we should have such "external candidate numbers"?  Russ' perspective
is clear since he is concerned with numbering vulnerabilities as early
as possible, and I believe Andre would agree since he expressed
concerns with getting numbers for advisories for new vulnerabilities.
A second question is: assuming we have external candidate numbers, do
they *have* to be the same as the CVE number?  To reduce confusion,
sure, but there won't always be a one-to-one relationship as I
indicated earlier.

I think that such a radical change to the CVE name requires a decision
before release.  Any commitments we make to a numbering scheme will
have to be adhered to once the CVE is public.

- Steve

Page Last Updated or Reviewed: May 22, 2007