Harold Booth wrote:
> Would re-opening of the identifier discussion delay implementation until 2015?
Thanks, Harold – that’s a great question and one that should have been explicitly addressed in yesterday’s email. Here’s what should have been said ;-)
We cannot delay implementation of an ID Syntax that will handle more than 9,999 until 2015.
As of the NVD update of Friday, May 31 15:33:42 EDT 2013, the numerically highest 2013 CVE identifier in NVD is CVE-2013-3721. While this doesn’t mean that 3,721 CVEs have been published this year to date, it does mean that at least 3,721 CVE identifiers have been assigned or otherwise made available. Theoretically (and very, very roughly) this could put CVE on track for issuing something in the neighborhood of 9,000 identifiers in calendar year 2013. Note that 9,000 CVE IDs may be more or less than the actual number of identifiers assigned or given out this year, but it’s useful for at least a ballpark estimate of the current, nominal rate of assignment.
Given the above, and given expected changes in CVE analyst staffing, we are convinced we will hit 9,999 CVEs in calendar 2014, probably well before the end of the year and possibly as early as July or August. Given that, we cannot delay implementation of an ID Syntax that can handle > 9,999 identifiers until 2015.
Thanks again, Harold, for highlighting this.
Would re-opening of the identifier discussion delay implementation until 2015? If not, I have some concerns about all implementers being able to implement a choice that upon first use would immediately require some sort of code change for anyone currently implementing a strict interpretation of the current format.
If there are entities that feel additional discussion is imperative, I don’t wish to stand in the way, but I would also urge that we not let “the perfect be the enemy of the good”.
As everyone reading this list knows, we recently closed the second voting period for a new CVE ID Syntax. As always, MITRE is committed to the open and transparent conduct of Board activities and we will address at any time questions, concerns, or comments raised by any member of the CVE Editorial Board.
However, as we noted in our email of 23 May, there were concerns noted by Board members about the conduct of the discussion and the specification of the length for the fixed-length option. In addition, there was a specific suggestion for a revote with a modified Option A. (See email from Ken Williams to the Editorial Board list of 5/17/2013, 8:24 AM EDT.) Because of the concerns raised and, most importantly, because of the gravity of the CVE ID Syntax change, it is critical to ensure that any questions or concerns raised by, or that otherwise exist in the minds of, Board members be given full voice.
At this time, we consider the call for a revote to be a motion to rescind the second round vote.
The purpose of rescinding the vote would be so that we can more fully explore the voting options and the concerns of Board members, recognizing that such an action would necessarily reduce the time available for implementers to develop and test software to support a different CVE ID syntax. If the motion to rescind the vote is seconded or otherwise affirmed by any eligible voting member of the CVE Editorial Board (other than Ken Williams, obviously), here is how we propose to proceed.
Conduct of a vote to rescind and follow on actions
- The period in which a second for the motion to rescind will be allowed is from today through Wednesday, June 5th 2013 at 11:59 PM EDT. If no second or other call for a revote is received during that period, the second round vote will be declared valid and we will proceed with the work to implement Option B as the new CVE ID Syntax for 2014.
- On receipt of a second to the motion to rescind, the question will be put to a vote by the Editorial Board.
- The period for a vote to rescind the second round selection vote will be from Monday, June 10th 2013 at 12:01 AM EDT through Monday, June 17th 2013 at 11:59 PM EDT.
- If any Board member so chooses, the period between now and the opening of the possible vote on the motion to rescind can be used for discussion on the Board list.
- A vote on the option to rescind the second round vote will explicitly *not* be to choose between options for the new ID Syntax. It will only be a vote on the question of whether or not to rescind the second round vote to allow for more discussion and another vote to select the ID Syntax.
- The rules for a vote to rescind would be:
  - Votes from a simple majority of the 23 eligible voting members must be received to consider the vote valid
  - A simple majority of the valid votes cast is required to carry the motion to rescind the second round vote
  - Votes must be received to the Editorial Board mailing list within a specified voting period to be considered valid.
  - The first vote cast by any individual or organization is to be considered the valid vote.
- If the vote on the motion to rescind is invalid (e.g., an insufficient number of votes is received during the voting period, formal abstentions, etc.), the motion to rescind will be considered to have failed and we will proceed with the work to implement Option B from the second round vote.
- If the vote on the motion to rescind is valid and the motion *does not* carry, then the second round vote will be deemed valid and we will proceed according to the results of that vote.
If the vote on the motion to rescind is valid and the motion *does* carry, then we will open a new discussion period, followed by a new voting period, according to the following goals and timetable:
- We propose a two-week discussion period to allow all views to be fully discussed and, if necessary, changes to the most-recently proposed ID Syntax choices to be formulated.
- We will then call for a "validation" vote in which the Board will confirm or deny the two options to be presented for the selection vote. We feel this is necessary because in both previous rounds of voting on the options, concerns were raised during the voting periods that might have otherwise been expected to surface during the discussion periods. The additional "validation" vote on the specific options will be to guarantee that MITRE has correctly interpreted the consensus wishes of the Board prior to opening the voting period for the selection of the new CVE ID Syntax.
- The new discussion period would open Wednesday, June 19th 2013 at 12:01 AM EDT, and close on Wednesday, July 3rd 2013 at 11:59 PM EDT.
- The Validation vote would open on Wednesday, July 10th 2013 at 12:01 AM EDT and close on Wednesday, July 24th 2013 at 11:59 PM EDT.
- If the validation vote passes, i.e., if the Board affirms the two options to be offered for the selection vote, the selection voting period will open on Monday, July 29th 2013 at 12:01 AM EDT and will close on Monday, August 12th 2013 at 11:59 PM EDT.
- 05/30/13 - Immediately (Thursday) - Period for a possible second to a motion to rescind the second round selection vote opens
- 06/05/13 - 11:59 PM EDT (Wednesday) - Period for a possible second to the motion to rescind the second round vote closes
If a second is made to the motion to rescind:
- 06/10/13 - 12:01 AM EDT (Monday) - Voting on motion to rescind second round vote opens
- 06/17/13 - 11:59 PM EDT (Monday) - Voting on motion to rescind second round vote closes
If the motion to rescind the second round vote carries:
- 06/19/13 - 12:01 AM EDT (Wednesday) - Discussion period on CVE ID Syntax options opens
- 07/03/13 - 11:59 PM EDT (Wednesday) - Discussion period on CVE ID Syntax options closes
- 07/10/13 - 12:01 AM EDT (Wednesday) - Validation vote on proposed ID Syntax choices opens
- 07/24/13 - 11:59 PM EDT (Wednesday) - Validation vote on proposed ID Syntax choices closes
If the validation vote passes, i.e., if the Board affirms the two options to be offered for the selection vote:
- 07/29/13 - 12:01 AM EDT (Monday) - ID Syntax selection voting period opens
- 08/12/13 - 11:59 PM EDT (Monday) - ID Syntax selection voting period closes
As of now, the period during which a second or other affirmation of the motion to rescind the second round vote may be made is open.