[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CVE ID Syntax vote
- To: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
- Subject: CVE ID Syntax vote
- From: Pascal Meunier <pmeunier@cerias.purdue.edu>
- Date: Thu, 11 Apr 2013 09:49:25 -0400
- Delivery-Date: Thu Apr 11 09:51:52 2013
- List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- Sender: <owner-cve-editorial-board-list@LISTS.MITRE.ORG>
===================================================== VOTING BALLOT ===================================================== Enter your votes as specified in the preceding "Instructions" and "Filling out the ballot" sections. FIRST CHOICE: Option B REASONS (first choice): When balancing practicality with the optimal choice, this one is preferred because it's the least disruptive, and won't obsolete or require changes to previous work and publications. It is also guaranteed to never need changing again. I'd like it even better with an *optional* integrity check (e.g., optional digit). ***************************************************** SECOND CHOICE: Option A REASONS (second choice): The change in format would require revising previously published documents, and obsolete those that can't be changed (e.g., academic publications). The transformation is trivial (more so than option C), but still makes references to old CVE IDs incorrect. Otherwise it would have been an OK choice if it had been selected from the very start of the CVE. ***************************************************** LAST CHOICE: Option C REASONS (last choice): Presumably all the old CVEs will need to have a check digit added, which will invalidate documents and be disruptive to software and databases. If not, then software will have to accommodate both the old and new formats, which is unnecessary complexity. There aren't enough digits in CVE numbers to make the check digit useful enough when balanced against the increased overhead. This balance point may vary between organizations, so flexibility in using the CVE may please more people (see below). For those who desire it, the check digit can be handled separately as a separate field from the identifier. There is no need to make it a part of the identifier itself. Any number of other integrity checks can also be handled separately, so NOT using option C keeps the CVE more flexible. This would work with both options A and B, while pleasing somewhat proponents of option C. Just to be clear, I like the idea of an integrity check being available, but I don't like it as a mandatory part of the CVE ID.
- Prev by Date: voting response
- Next by Date: CVE voting ballot
- Prev by thread: voting response
- Next by thread: CVE voting ballot
- Index(es):
