[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE ID Syntax Change - Second Round Voting Ballot - CERT [INFO#679180]

Hash: SHA1

CERT/CC's vote and additional comments.

> ===================================================== VOTING
> BALLOT =====================================================
> *****************************************************

Option B.

> REASONS (first choice):

Same rationale as last vote:

>> Flexible, option B could actually support the other two options 
>> (with the minor exception of the leading zeros in option A. With
>> no expectation of significant near-term change in CVE operation
>> (other than the CVE10K problem, which is solved by all three
>> options), our initial first choice was option A, just increasing
>> the space using the current syntax. Trying to look ahead, it
>> seems possible that significant growth in the number of CNAs or
>> the number of reservations (whether or not the IDs are ever
>> actually assigned, the reservation alone will consume IDs) could
>> approach the limits of option A. Additional benefit that there is
>> no effective change in format until IDs > 10K are reserved or
>> assigned.

> *****************************************************

Option A.

> REASONS (second choice):

There are only two options.

Also, Option A with 8 fixed digits is worse than the original option A
(6 fixed digits), if only for readability.  I admit the irony of
CERT's original vote, expressing concern that 6 fixed digits may not
be sufficient, however handling expansion is better solved by Option B
and 8 fixed digits is likely to result in printing and reading lots of
0s with no clear benefit (other than maybe truncation detection).

Additional comments:

I agree with the sentiment expressed by some other board members that
the voting process has resulted in a "lesser of two evils" choice.

I'm not sure how the new Option A' was determined, but I recall
discussion of 7 fixed digits (to appease those like me who were
concerned with 6 digits), not 8.  There was also discussion of an
Option B with no *trailing* zeros (the author might have meant
"leading"?), and suggestions to start counting at 1000 each year to
help transition the existing 4 fixed digit format.

I am however comfortable enough with Option B, do not like the current
Option A', am not aware of a significantly better alternative (given
the unclear future of CVE expansion), and am willing to accept that
the discussion and voting are a reasonably good group decision making
process (some form of representative democracy).

 - Art

Version: GnuPG v1.4.13 (Darwin)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/


Page Last Updated or Reviewed: October 03, 2014