[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE ID Issuance Strategies Using the New ID Syntax



1) "Leading zeroes": whether or not this is done, anything less than 4 digits
will still highlight a truncation error;  that's good.  I would prefer to retain
the first 1000 IDs to extend the deadline a little.  Technically, the format
string "%04d" encodes the expected behavior; it's not very complicated, so I
find little against the idea of using the first 1000 IDs.  I think CVE IDs
should follow the practice of previous years and begin with CVE-2014-0001.  

2) Protected IDs are a clever idea and I like them for that, but they will make
the detection only a little bit easier and faster.  I'm sure that any errors
will be reported quickly enough even without them.  It could provide reassurance
to people who might be concerned about the changeover;  it's not clear to me
how much that matters.  However, it shouldn't be needed, and would only be
useful in 2014.  I think the benefit is small, at a small cost, so the
cost/benefit ratio is indeterminate. Another use might be for MITRE to gather
statistics more easily about failures to adopt the new format. I would leave
this one up to the level of interest expressed and MITRE's willingness to
manage the exception and educate people about it.  

Pascal



Page Last Updated or Reviewed: October 03, 2014