Re: CVE ID Syntax Vote - results and next steps

[<Kent_Landfield@McAfee.com>]

Can we have a quick poll on the combined set of existing options and the ones Art has listed below?  I'd think a re-whittling of the choices may get us to a better place to conduct a vote. 

• Do you desire a static length of the CVE Ids?  --Yes — No
• If so, what length do you feel would be acceptable to you? -- 6 — 7 — 12 — More? -- Something else?

Here are options that combines what Art listed as well as the original two options. The original Option C has been dropped from this poll as a result of the initial vote.

 OPTION A: Year + 6 digits, with leading 0's

OPTION B: Year + arbitrary digits, no leading 0's except IDs 1 to 999

OPTION D: Year+ 7 digits with leading 0's

OPTION E: Year + 12 digits with no leading zeros.

OPTION F: Year + 12 digits with no leading zeros, starting at 1000 for each year.

OPTION G: Year + Infinite digits with no leading zeros, starting at 1000 for each year.

Just want to take a pulse as to where we are…

Kent Landfield

McAfee | An Intel Company
Direct: +1.972.963.7096 
Mobile: +1.817.637.8026
Web: www.mcafee.com

From: Art Manion <amanion@cert.org>
Date: Thursday, April 18, 2013 11:19 PM
To: "Booth, Harold" <harold.booth@nist.gov>
Cc: "cve-editorial-board-list@lists.mitre.org" <cve-editorial-board-list@LISTS.MITRE.ORG>
Subject: Re: CVE ID Syntax Vote - results and next steps

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

On 2013-04-18 22:34, Booth, Harold wrote:

| I would also add that with an Option B with no leading zeros,

| including less than four digits, a transition of sorts is available

| for the first year (or more) if CVE identifiers started at 1000.

| Until the 9000'th CVE tools would successfully chug along giving

| everyone a bit more transition time. This could allow even more

| time depending on the eventual number of CVEs created. Whereas with

| an Option A with padding there is no such transition, and whatever

| number of digits are agreed to are included in every CVE from the

| beginning (in 2014?).

For the sake of further discussion, by no means an official set of

choices...

Option D:  Seven numeric characters with leading zeros.

Option E:  Twelve numeric characters, no leading zeros.

Option F:  Twelve numeric characters, no leading zeros, starting at

1000 for each year.

Option G:  Infinite numeric characters, no leading zeros, starting at

1000 for each year.

I picked 12 because someone suggested 10+.  I'm also saying "numeric

characters" to raise the issue of treating everything after "CVE" or

"CVE-YYYY" as a string.  Not sure that capping it makes much difference.

Not sure this covers all the recently discussed options.

Also not sure how to handle this situation procedurally?  Declare a

mistrial and prepare another ballot, after further discussion?

~ - Art

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.13 (Darwin)

Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlFwxdoACgkQk/8FEDbCaKOPEgCgnbaNJBjQESDRgZIBfEkbwhGy

ZvkAoKAsHLKb4sYDNP+kd3buSlenErhb

=wcLt

-----END PGP SIGNATURE-----