[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE ID Syntax change - Round two vote results and comments

On Thu, 23 May 2013, Boyle, Stephen V. wrote:

: - 8 digit fixed ID field length of the revised Option A
: 
: This issue has caused us the most concern. During the voting period 
: there were several comments about the length of the revised Option A ID 
: field, including:
: 
:         - 8 digits was not reflective of pre-vote fixed length discussions
:            (Our explanation for how 8 digits came to be proposed is appended.)
: 
:         - Fewer digits may have caused more Board members to vote for Option A
: 
:         - There was not sufficient discussion of the length of the fixed field
:            prior to the vote on the reformulated Option A
: 
:         - There should be a re-vote with a further-revised Option A
: 
: As noted above, we want to make sure that the permanent selection of the 
: revised CVE ID Syntax is in accordance with the Board's consensus 
: opinion. To that end, we want to hear from the Board members, 
: particularly those with concerns about the revised Option A. Most 
: important is the question of whether you would have voted differently if 
: Option A was 7 digits, specifically, or if you would have voted 
: differently given some other number of fixed digits in the ID field you 
: would have deemed desirable.

1. Yes, we would have voted differently had it been 7 digits. While it may 
seem arbitrary between 7 and 8 digits, the primary reason for the OSF vote 
is to reduce errors when passing a CVE identifier around. We feel that 8 
will introduce too many errors, especially earlier in a year with too many 
leading zeros. Further, a 7 digit number is specifically easier to 
remember for humans due to the way we are wired [1]. Between these 
reasons, we felt that it would help reduce errors which is still a problem 
in today's vulnerability world.

(p.s. Even if no one else says this, I know from off-list discussion 
others would have voted for 'A' that did not.)

2. The question that has been put to MITRE at least once, if not more, 
that has gone unanswered is more troubling. The initial discussion called 
for 6 digits. After the vote there was additional discussion, and the 
primary concern was 'future proofing' that option. We discussed 7 digits, 
and I do not recall right off if there was discussion of 8 digits. I can 
check, but I would like to know why MITRE made an executive decision for 8 
digits when that was not clearly the concensus of the discussion. This 
type of choice seems to defeat the stated purpose of the editorial board.

Thank you.


[1] http://abcnews.go.com/Technology/brain-memory-magic-number/story?id=9189664
Page Last Updated or Reviewed: October 03, 2014