
RE: Candidate numbering scheme





> -----Original Message-----
> From: Gene Spafford [mailto:spaf@cs.purdue.edu]
> Sent: Monday, May 17, 1999 11:58 AM
> To: Steven M. Christey
> Cc: cve-review@linus.mitre.org
> Subject: Re: Candidate numbering scheme
> 
> 
> At 1:22 PM -0400 5/17/99, Steven M. Christey wrote:
> >Spaf said:
> >
> > >Why not make every candidate number something like "Temp-99-01" where

I like having the "Temp-" in front. It implies that it is a temporary number.
Do we need to have something in it that shows that it is a CVE temporary
number?

> > >we simply count from the beginning of the year?
> >
> >This approach would require a central "number assignment" mechanism to
> >different entities from using duplicate numbers, and could be somewhat
> >problematic or expensive to implement if the assignment is open to
> >everybody, not just the input forum.
> 
> This could easily be automated.   Set up a program that assigns the 
> next number in line in response to email from one of the "authorized" 

Must it be from an Authorized reporter? What about vulnerabilities
discovered by non-participants?

> reporters.    This could also be done from a WWW page that requires 
> password access, or SSL-enabled access.  We don't care about numbers 
> assigned and dropped, or the same vulnerability given two different 
> numbers by two different people.   This is, after all, simply an 
> attempt to assign unique temporary numbers for evaluation.
> 
> And, this method helps encourage people not to refer to the temporary 
> numbers for long.
> 
> >
> >Gene, are you advocating using the candidate numbering scheme in
> >public?  And if so, do you believe that temp-99-01 really doesn't have
> >a chance to become a de facto standard?  I think that the first number
> >to be referenced could become the one that is most commonly used, even
> >if it has a "temp" name in it.  However, as long as "highly visible"
> >players use the CVE name (i.e. database owners, advisory writers,
> >etc.), then I suppose it becomes less of a problem.
> 
> See my comments above.   I think that it is worth trying using 
> something like this.   If we spend too much time debating the exact 
> syntax and mechanics, we will never get a system out there to try!
> 
> --spaf
> 

Page Last Updated or Reviewed: May 22, 2007