[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Second round of discussion and voting for new CVE ID Syntax

Hi Steve,

I have no problem with the options and dates as described. I do have a problem with MITRE deciding the outcome in the event of yet another tie.  The fact that we would have gone through two separate votes to arrive at a situation where MITRE decides would be lost on many not familiar the history of the votes.  It could easily become viewed as MITRE making the decision in MITRE's best interest. Yes, I know the reality but unless the back story was widely broadcast in depth via the press and rags, people will make up their own reasons why it arrived at what it did.  As planned, when the outcome is decided by the Board, MITRE will be able to say, the CVE Editorial Board decided this for the effort.  If MITRE decides, I can hear a "Yes, MITRE was the one that made the final decision, but" People rarely listen to what follows the "but".

This really should be a Board decision since we are on the Board to help direct the effort and to give feedback on what is important to our customers and our organizations. We need to be able to do what we are here for.

Kent Landfield

McAfee | An Intel Company
Direct: +1.972.963.7096 
Mobile: +1.817.637.8026
Web: www.mcafee.com

From: <Boyle>, "Stephen V." <sboyle@mitre.org>
Date: Tuesday, April 30, 2013 12:41 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Cc: "Boyle, Stephen V." <sboyle@mitre.org>
Subject: Second round of discussion and voting for new CVE ID Syntax

We appreciate the attention and involvement of the Board in the ongoing discussion of the CVE ID Syntax change. Our next tasks are to converge on options and hold a second vote. After digesting the results of the vote and the discussions of the last couple of weeks, we would like to propose the following way forward for the Boards review.


We suggest a second vote, considering only the following two options:


OPTION A': Year + 8 digits, padded with leading 0's

  Examples: CVE-2014-00000001, CVE-2014-00000999, CVE-2014-00001234,

                   CVE-2014-00009999, CVE-2014-00010000, CVE-2014-00123456,

                   CVE-2014-01234567, CVE-2014-12345678


Given the discussion and concerns about the length of the number field of Option A, we have chosen 8 digits as a compromise among the various field lengths suggested. We believe 8 digits is a reasonable compromise and addresses the positive and negative discussion points raised regarding various lengths. We recognize that 8 digits is not exactly what everyone suggested, but we are offering it for consideration as something proponents of the fixed-length option could live with.


OPTION B: Year + arbitrary digits, no leading 0's except IDs 1 to 999

  Examples: CVE-2014-0001, CVE-2014-0999, CVE-2014-1234,

    CVE-2014-9999, CVE-2014-10000, CVE-2014-54321, CVE-2014-99999,

    CVE-2014-100000, CVE-2014-123456, CVE-2014-999999, CVE-2014-1234567


Option B is unchanged from the original proposal and vote.


We realize that people will want to digest and possibly discuss these options. Again, we are looking to converge on two "votable" options so we can make a decision and move forward. One way to approach this could be for each voting member to consider the options as presented (with no further modifications), and decide if either is a choice you can "live with." None of this should in any way be read or understood as precluding or otherwise restricting comment and discussion, simply as a possible path to convergence.


For this round, we suggest a brief comment and discussion period with a slightly more restricted audience. We believe that an abbreviated comment period is appropriate since the topic has been an active, ongoing discussion on the Board list and that many well-thought out points, comments, and suggestions have been made. We do not feel it is necessary to open up comments to the general public as we did with the first round. We believe that anyone who is not on the Board mailing list but is interested in following the ID Syntax change discussion will have already subscribed to the public CVE-ID-Syntax-Discuss mailing list. If you wish to subscribe:


- Send email to listserv@lists.mitre.org

- In the body of the email, type:

        subscribe CVE-ID-SYNTAX-DISCUSS-LIST


If you wish to have your name included in your subscription, or if you have trouble subscribing using the above form, please use the alternate Subscribe line:

        subscribe CVE-ID-SYNTAX-DISCUSS-LIST <your name>

        without the <and >


It should be noted that some Board members have already opted in to the CVE ID Syntax Discuss list; others may choose to do so if they want to see comments and discussion not posted to the Board mailing list. As an aside, we discussed and rejected the idea of auto-forwarding the CVE-ID-Syntax-Discuss list to the Board mailing list, reasoning that:

1)            We do not want to decide on your behalf what hits your inbox

2)            We archive Board discussions as part of the CVE web site and do not believe it is appropriate to extend what we archive


Finally, a suggestion was made earlier that in the event of a tie vote MITRE should break the tie. We would like feedback from the Board on this during the comment period. Regardless of whether the Board chooses to have MITRE break a possible tie, MITRE will vote very early in the voting period so other voting Board members know our preference.


We propose the following schedule:


- Wednesday, 1 May 2013, 12:01 AM - Discussion period opens to the CVE Editorial Board and CVE ID Syntax Discuss mailing lists

- Tuesday, 7 May 2013, 11:59 PM - Discussion period closes


- Wednesday, 8 May 2013, 12:01 AM - Second official voting period begins

- Wednesday, 22 May 2013, 11:59 PM - Second official voting period ends


All other rules and guidelines from the first voting period remain in place for the second round, such as the requirement to receive votes from a majority of the eligible voting members/organizations and the selection being made based on a simple majority of the votes cast. The rules for the vote will be reprised to this list prior to the voting period.


Please let us know your thoughts regarding the above proposal. Again, while we recognize the many legitimate and well-founded reasons for options other than the two now being offered, we need to quickly converge on the candidate options and make a selection while ensuring a fair, open, and thoughtful process.


Steve Boyle


Page Last Updated or Reviewed: October 03, 2014