[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE ID Syntax Change - Voting Ballot INFO#679180

Hash: SHA1

On 2013-04-01 16:58, cve-id-change@mitre.org wrote:

Voting for CERT/CC:


OPTION B: Year + arbitrary digits, no leading 0's except IDs 1 to 999

| REASONS (first choice):

Flexible, option B could actually support the other two options (with
the minor exception of the leading zeros in option A. With no
expectation of significant near-term change in CVE operation (other
than the CVE10K problem, which is solved by all three options), our
initial first choice was option A, just increasing the space using the
current syntax. Trying to look ahead, it seems possible that significant
growth in the number of CNAs or the number of reservations (whether or
not the IDs are ever actually assigned, the reservation alone will
consume IDs) could approach the limits of option A. Additional benefit
that there is no effective change in format until IDs > 10K are reserved
or assigned.


OPTION C: Year + arbitrary digits + check digit

Check digit is unnecessary, CVE ID operations are most often string
matching (searching), there's no strong reason to differentiate between
a failed match and an invalid (failed check) ID.  If desired in the
future, could be implemented within option B's format.

| REASONS (second choice):


OPTION A: Year + 6 digits, with leading 0's

| REASONS (last choice):

Was initially our first choice, seeing no near-term change in CVE
coverage scope or abstraction.  However due to the (even small)
possibility of expanded reservations (see above), we're concerned about
the space limit (the CVE1M problem).

Additional comments:

We strongly suggest that code designed to handle CVE IDs treat
everything after "CVE" as a string, or at least everything after
"CVE-YYYY" as a string.


~  - Art

~             Art Manion  --  CERT Coordination Center
~    <http://www.cert.org/>   <cert@cert.org>   +1 412-268-7090
~        2F15 E075 20A3 7B3D 88FE  7C1B 93FF 0510 36C2 68A3

Version: GnuPG v1.4.13 (Darwin)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/


Page Last Updated or Reviewed: October 03, 2014