Re: CVE ID Syntax Vote - results and next steps



On Thu, Apr 25, 2013 at 03:24:20PM +0000, Kent_Landfield@McAfee.com wrote:

|   * Any comment on Adam's suggestion of trailing zeros? It would be confusing
|     as indicated in Harold's answer and I see more problems than value.

Let me withdraw the suggestion.

(After discussion with Andy offlist, I realize that my suggestion is
properly an issuance suggestion, not a format suggestion.  If we issue
1000 before 0001, then scanning may be easier.  Also, it was intended
to be in a fixed-length context.  As long as lengths are fixed, we
never need to distinguish between 1000 being a 1 with trailing zeros.)


Adam


|    
|     While I believe I understand what is being asked based on prior context in
|     the conversation I would like to verify my assumptions.
| 
|     By static length I am assuming that a maximum length will be specified as
|     opposed to unlimited length as the previous options B and C indicated. I
|     would like to see the question of padding with zeros separated from the
|     length question.
| 
|      
| 
|     I would also like to suggest we may want to use different wording for these
|     choices in the future since it is possible to interpret static length to
|     indicate an identifier with the same number of digits at all times, likely
|     padded with zeros, while variable length could be interpreted to indicate
|     an identifier that is not padded and just contains the significant digits.
| 
|       * Do you desire a static length of the CVE Ids? 
| 
|     Yes, a specified maximum length is much easier to write parsing and
|     validation logic for and at the end of the day everyone will have to decide
|     on some sort of cut-off.
| 
|      
| 
|     I have no strong opinions on whether or not the identifier should be padded
|     other than to note that an identifier without padding leaves open the
|     possibility of an extended transition time while an identifier with padding
|     will require an abrupt switch. Unless there is a strong reason for a padded
|     identifier (and I would be interested in hearing about any that exist) I
|     would think the benefits of a longer transition period would tilt in favor
|     of no padding.
| 
|       * If so, what length do you feel would be acceptable to you?
|       * -- 6 ? 7 ? 12 ? More? -- Something else?
| 
|     I believe 9 digits would be sufficient. It's not so many digits that it
|     would be overwhelming but leaves flexibility for accommodating some of the
|     scenarios Steve hints at below.
| 
|      
| 
|     - Any comment on Adam's suggestion of trailing zeros?
| 
|      
| 
|     It is ambiguous for numbers divisible by ten, for example imagine if CVE
|     today had trailing instead of leading zeros and we had the following
|     number:
| 
|     1000
| 
|      
| 
|     Is this a 1 with three trailing zeros? A 10 with two trailing zeros? A 100
|     with one trailing zero? or 1000 with no trailing zeros?
|
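
The four readings of "1000" listed in the quoted reply, worked through as an added example (not code from any participant in this thread). The function names and the four-digit field width are assumptions chosen to match the "1000" / "0001" values in the messages above.

```python
"""Added illustration: leading-zero vs trailing-zero padding of a sequence field."""

WIDTH = 4  # assumed field width, matching the "1000" / "0001" values in the thread


def pad_leading(n, width=WIDTH):
    """Leading-zero padding: 1 -> '0001'."""
    s = str(n)
    if n < 0 or len(s) > width:
        raise ValueError(f"{n} does not fit in {width} digits")
    return s.rjust(width, "0")


def pad_trailing(n, width=WIDTH):
    """Hypothetical trailing-zero padding: 1 -> '1000'."""
    s = str(n)
    if n < 0 or len(s) > width:
        raise ValueError(f"{n} does not fit in {width} digits")
    return s.ljust(width, "0")


def trailing_candidates(field):
    """Every sequence number whose trailing-padded form equals `field`."""
    if not field.isdigit():
        raise ValueError(f"not a digit string: {field!r}")
    found = {int(field)}
    s = field
    # Each zero stripped from the right is another number that pads to `field`.
    while len(s) > 1 and s.endswith("0"):
        s = s[:-1]
        found.add(int(s))
    return sorted(found)


def distinct_encodings(pad, width=WIDTH):
    """How many different strings `pad` produces for 1 .. 10**width - 1."""
    return len({pad(n, width) for n in range(1, 10 ** width)})


if __name__ == "__main__":
    print(trailing_candidates("1000"))
    print(distinct_encodings(pad_leading), distinct_encodings(pad_trailing))
```

With leading zeros every number from 1 to 9999 gets its own string; with trailing zeros only 9000 strings cover the same 9999 numbers, so a parser cannot recover the number from the field alone.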


Page Last Updated or Reviewed: October 03, 2014