[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE ID Syntax vote


Enter your votes as specified in the preceding "Instructions" and
"Filling out the ballot" sections.

Option B 

REASONS (first choice):
When balancing practicality with the optimal choice, this one is preferred
because it's the least disruptive, and won't obsolete or require changes to
previous work and publications.  It is also guaranteed to never need changing
again.  I'd like it even better with an *optional* integrity check (e.g.,
optional digit).


Option A

REASONS (second choice):
The change in format would require revising previously published documents, and 
obsolete those that can't be changed (e.g., academic publications).
The transformation is trivial (more so than option C), but still makes
references to old CVE IDs incorrect.  Otherwise it would have been an OK choice
if it had been selected from the very start of the CVE.


Option C

REASONS (last choice):
Presumably all the old CVEs will need to have a check digit added, which will
invalidate documents and be disruptive to software and databases. If not,
then software will have to accommodate both the old and new formats, which is
unnecessary complexity.  

There aren't enough digits in CVE numbers to make the check digit useful
enough when balanced against the increased overhead.  This balance point may
vary between organizations, so flexibility in using the CVE may please more
people (see below).

For those who desire it, the check digit can be handled separately as a separate
field from the identifier.  There is no need to make it a part of the
identifier itself.  Any number of other integrity checks can also be handled
separately, so NOT using option C keeps the CVE more flexible.  This would
work with both options A and B, while pleasing somewhat proponents of option

Just to be clear, I like the idea of an integrity check being available, but I
don't like it as a mandatory part of the CVE ID.

Page Last Updated or Reviewed: October 03, 2014