On 2013-04-18 12:43, security curmudgeon wrote:
> Could McAfee, or anyone who voted for 'B' due to the 'future
> proofing' concern please address the repeated comments about how
> that is absurd?
> In case you missed it in Steve Christey's CVE vote email:
> > It should be noted that the team feels that any circumstance(s)
> > that would require the issuance of (on average) over 2,700 CVE IDs
> > per day (999,999 IDs per year) would reflect a fundamental change
> > in the meaning and usage of CVE IDs. Put another way, the "CVE"
> > that requires the issuance of over 2,700 IDs would not be the CVE
> As Carsten Eiram from RBS noted:
> > 1) A purely theoretical explosion in vulnerability reports and
> > coverage (keeping in mind that MITRE currently has trouble keeping
> > up with the existing trend and doesn't guarantee all vulnerabilities
> > will be assigned CVEs). A change from 8K-10K vulnerabilities
> > reported per year to > 1 million is simply unrealistic. Even if
> > someone starts auditing a ton of projects with automated code
> > scanning tools and without any manual follow-up analysis just dumps
> > the results on some mailing list, we would be hard-pressed to
> > exhaust 6 digits. We would be discussing resource problems long
> > before hitting those numbers, as neither CVE nor any CVE processors
> > will be able to keep up with such a load.
I don't predict significant changes to CVE's scope and level of
abstraction that would directly result in 1M per year IDs. My initial
thought was therefore to vote for A.
What caused me to reconsider was the idea of more and more active
CNAs. Now, MITRE is careful to hand out modest allocations of IDs,
generally sequentially, to dozens(?) of CNAs. I don't think there's
What I wanted to future-proof is the world with more CNAs (100s?) with
more assignment authority (like a modulo slice or big sequential block
of the year's CVE ID space). In this world, there may still not
be more than 1M CVE IDs published per year, but there may be more than
1M CVE IDs allocated to CNAs. Allocation != publication.
Now, I don't see any strong indicators of this particular new world.
But it seemed reasonable enough to want to plan for in advance.
Another future scale issue: Automated ways to find vulnerabilities
could overwhelm the current 10K/year human-scale size of the problem.
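Added illustration, not part of the message above and not any CVE or MITRE tooling: a small Python model of the two CNA assignment schemes the message mentions, a contiguous sequential block per CNA versus a modulo slice of the year's ID space. The usage profile (201 CNAs publishing 10,000 IDs in total, one of them publishing half), the block size and the function names are assumptions made for the illustration. It shows the "Allocation != publication" point numerically: the highest sequence number reserved or used passes 999,999 in both schemes while only 10,000 IDs are actually published.

```python
"""Allocation vs. publication of one year's CVE ID space (constructed model).

Two ways a central authority might hand out sequence numbers to N CNAs:
  block:  each CNA gets one or more contiguous blocks of block_size IDs.
  modulo: CNA k owns every N-th ID starting at k+1 (k+1, k+1+N, k+1+2N, ...).

Under either scheme the largest sequence number that is reserved or used can
be far larger than the number of IDs actually published, so a fixed-width ID
has to cover the allocated range rather than the published count.
"""
import math


def block_allocation(cna_usage, block_size):
    """Sequential blocks of block_size IDs, handed out in CNA order.

    Every CNA receives at least one block even if it publishes nothing, and a
    CNA that needs more than one block is given additional blocks.
    Returns (ids_published, highest_id_allocated).
    """
    blocks = sum(max(1, math.ceil(used / block_size)) for used in cna_usage)
    return sum(cna_usage), blocks * block_size


def modulo_allocation(cna_usage):
    """Modulo slices: with N CNAs, CNA k owns IDs k+1, k+1+N, k+1+2N, ...

    The reserved pool is unbounded, so report the highest ID that is actually
    published: the j-th ID used by CNA k (0-based j) is k+1 + j*N.
    Returns (ids_published, highest_id_published); (0, 0) if nothing is used.
    """
    n = len(cna_usage)
    highest = max(
        (k + 1 + (used - 1) * n for k, used in enumerate(cna_usage) if used > 0),
        default=0,
    )
    return sum(cna_usage), highest


def digits_needed(highest_id):
    """Minimum fixed width that can represent highest_id (0 still needs 1)."""
    return len(str(highest_id))


# Constructed usage profile (assumption, not real CNA data): 201 CNAs publishing
# 10,000 IDs in total, with one large CNA accounting for half of them.
USAGE = [5000] + [25] * 200


def summarize(usage=USAGE, block_size=10_000):
    """Return {scheme: (published, highest_id, digits)} for the usage profile."""
    out = {}
    for name, (published, highest) in (
        ("block", block_allocation(usage, block_size)),
        ("modulo", modulo_allocation(usage)),
    ):
        out[name] = (published, highest, digits_needed(highest))
    return out


if __name__ == "__main__":
    for scheme, (published, highest, width) in summarize().items():
        print(f"{scheme:7s} published={published:>7,} "
              f"highest ID={highest:>10,} -> needs {width} digits")
```

With the constructed profile, block allocation at 10,000 IDs per CNA reaches ID 2,010,000 and the modulo scheme's large CNA reaches ID 1,004,800, both needing 7 digits, although only 10,000 IDs were published; shrinking the block to 1,000 keeps the block scheme at 205,000, which is the "modest allocations" regime the message describes.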