Re: CVE ID Syntax Change - Second Round Voting Ballot - CERT [INFO#679180]

[Art Manion <amanion@cert.org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


CERT/CC's vote and additional comments.

> ===================================================== VOTING
> BALLOT =====================================================
...
> *****************************************************
> 
> FIRST CHOICE:

Option B.

> REASONS (first choice):

Same rationale as last vote:

>> Flexible, option B could actually support the other two options 
>> (with the minor exception of the leading zeros in option A. With
>> no expectation of significant near-term change in CVE operation
>> (other than the CVE10K problem, which is solved by all three
>> options), our initial first choice was option A, just increasing
>> the space using the current syntax. Trying to look ahead, it
>> seems possible that significant growth in the number of CNAs or
>> the number of reservations (whether or not the IDs are ever
>> actually assigned, the reservation alone will consume IDs) could
>> approach the limits of option A. Additional benefit that there is
>> no effective change in format until IDs > 10K are reserved or
>> assigned.

> *****************************************************
> 
> SECOND CHOICE:

Option A.

> REASONS (second choice):

There are only two options.

Also, Option A with 8 fixed digits is worse than the original option A
(6 fixed digits), if only for readability.  I admit the irony of
CERT's original vote, expressing concern that 6 fixed digits may not
be sufficient, however handling expansion is better solved by Option B
and 8 fixed digits is likely to result in printing and reading lots of
0s with no clear benefit (other than maybe truncation detection).


Additional comments:

I agree with the sentiment expressed by some other board members that
the voting process has resulted in a "lesser of two evils" choice.

I'm not sure how the new Option A' was determined, but I recall
discussion of 7 fixed digits (to appease those like me who were
concerned with 6 digits), not 8.  There was also discussion of an
Option B with no *trailing* zeros (the author might have meant
"leading"?), and suggestions to start counting at 1000 each year to
help transition the existing 4 fixed digit format.

I am however comfortable enough with Option B, do not like the current
Option A', am not aware of a significantly better alternative (given
the unclear future of CVE expansion), and am willing to accept that
the discussion and voting are a reasonably good group decision making
process (some form of representative democracy).


 - Art

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlGRI9QACgkQk/8FEDbCaKMEvQCgnnD9id/0hR30iqJRwxDbs/80
Dl0AmwVKVeDjiqAP3x7IWqMpxn1eSbu4
=haYd
-----END PGP SIGNATURE-----