Re: Candidate numbering scheme
On Thu, May 13, 1999 at 03:40:58PM -0400, Steven M. Christey wrote:
| We seemed pretty much agreed that there should be a separate numbering
| scheme for "candidate" vulnerabilities that are proposed to the input
| forum. We might be able to have a mailing list which utilizes some
| sort of ticketing system, but that would make it difficult to identify
| multiple vulnerabilities in the same email. I propose a numbering
| scheme such as:
| where <id> is an "official" ID that identifies the proposer, YYYYMMDD
| is the year/month/date, and "n" separates multiple vulnerabilities
| that the proposer um, proposes on the same date. The benefit of the
| date in the ID is that we can immediately see which candidates are
| getting "old." In the short term, the proposer could take the
| responsibility for ensuring that their number is unique, and the
| encoded date helps that.
If N will become the CVE-N, I think this will work fine. Otherwise,
we need to add references to CAN-NETECT-19990514A to CVE-00666 to
reference the discussion that led to its acceptance.
| In the longer term, it may be better to have an external mechanism
| that proposers can access to get more arbitrary numbers that are
| guaranteed to be unique. I believe that Russ and Adam may have some
| ideas on such a mechanism.
| - Steve