RE: Candidate numbering scheme
> -----Original Message-----
> From: Gene Spafford [mailto:spaf@cs.purdue.edu]
> Sent: Monday, May 17, 1999 11:58 AM
> To: Steven M. Christey
> Cc: cve-review@linus.mitre.org
> Subject: Re: Candidate numbering scheme
>
> At 1:22 PM -0400 5/17/99, Steven M. Christey wrote:
> >Spaf said:
> >
> > >Why not make every candidate number something like "Temp-99-01" where

I like having the "Temp-" in front. It implies that it is a temporary number. Do we need to have something in it that shows that it is a CVE temporary number?

> > >we simply count from the beginning of the year?
> >
> >This approach would require a central "number assignment" mechanism to
> >different entities from using duplicate numbers, and could be somewhat
> >problematic or expensive to implement if the assignment is open to
> >everybody, not just the input forum.
>
> This could easily be automated. Set up a program that assigns the
> next number in line in response to email from one of the "authorized"

Must it be from an Authorized reporter? What about vulnerabilities discovered by non-participants?

> reporters. This could also be done from a WWW page that requires
> password access, or SSL-enabled access. We don't care about numbers
> assigned and dropped, or the same vulnerability given two different
> numbers by two different people. This is, after all, simply an
> attempt to assign unique temporary numbers for evaluation.
>
> And, this method helps encourage people not to refer to the temporary
> numbers for long.
>
> >Gene, are you advocating using the candidate numbering scheme in
> >public? And if so, do you believe that temp-99-01 really doesn't have
> >a chance to become a de facto standard? I think that the first number
> >to be referenced could become the one that is most commonly used, even
> >if it has a "temp" name in it. However, as long as "highly visible"
> >players use the CVE name (i.e. database owners, advisory writers,
> >etc.), then I suppose it becomes less of a problem.
>
> See my comments above. I think that it is worth trying using
> something like this. If we spend too much time debating the exact
> syntax and mechanics, we will never get a system out there to try!
>
> --spaf