[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CVE ID Syntax Change - Voting Ballot (Deadline April 14, 11:59 PM EDT)

I'm voting for CA Technologies (aka CA).  Ballot below.



OPTION A: Year + 6 digits, with leading 0's

  Examples: CVE-2014-000001, CVE-2014-000999, CVE-2014-001234,
  CVE-2014-009999, CVE-2014-010000, CVE-2014-054321, CVE-2014-099999,
  CVE-2014-100000, CVE-2014-123456, CVE-2014-999999

REASONS (first choice):
Simple, logical, straightforward, and easy for everybody to 
understand and transition to.  This option is most similar to the 
existing/old format too.  If we require more than a million 
identifiers in one year, we can easily expand this format by adding 
more leading zero(s).  Another of the advantages of this option is 
that it provides a known fixed length for identifiers.


OPTION B: Year + arbitrary digits, no leading 0's except IDs 1 to 999

  Examples: CVE-2014-0001, CVE-2014-0999, CVE-2014-1234,
  CVE-2014-9999, CVE-2014-10000, CVE-2014-54321, CVE-2014-99999,
  CVE-2014-100000, CVE-2014-123456, CVE-2014-999999, CVE-2014-1234567

REASONS (second choice):
This is the next most simple and straightforward option.  This option
is not preferred though because of the potential for truncation 


OPTION C: Year + arbitrary digits + check digit

  Examples: CVE-2014-1-8, CVE-2014-999-3, CVE-2014-1234-3,
  CVE-2014-9999-3, CVE-2014-10000-8, CVE-2014-54321-5,
  CVE-2014-123456-5, CVE-2014-999999-5, CVE-2014-1234567-4

REASONS (last choice):
This option is not recommended because it is overly complex by
introducing an unnecessary algorithm.  The check digit effectively 
addresses a problem that never existed, and instead would likely 
create problems ... such as CVE implementers/users mistaking it for 
a popular versioning scheme (as Brian Martin noted).


Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations

Page Last Updated or Reviewed: October 03, 2014