
Re: Candidate numbering scheme



I agree with Steve's points. I have been advocating a minimalist core as far as the CVE is concerned, but I can see a lot of value in being able to map information between the candidates/etc./threads and the CVE.

It seems to me (for all the reasons Steve mentions) that the proposed candidate numbering system would still require the CVE to maintain references to candidate numbers in some cases. I would suggest adding this information as an explicit reference(s). Not sure whether that would mean in the CMEX, or the CVE proper.

I would strongly recommend keeping this or any type of data out of the CVE number itself. In many of our design discussions we have wanted to put "stuff" in, and we have always found that it introduced unnecessary complications, inconsistencies, etc. We have always (at least so far :-) found better ways to handle the issue, and I think our focus on keeping the CVE number and data simple and "pure" has helped us make the great progress we already have, and will help us really move forward.

Of course, this is all IMHO :-)

Bill

"Steven M. Christey" wrote:

<snip>
>
> The third problem, I think, is the most significant.
> Multiple candidates that are proposed will end up being part of the same
> CVE vulnerability (say they are duplicates, or they are all
> subsumed), or split into multiple CVE vulnerabilities. There
> won't be a one-to-one relationship between the candidate number and
> the CVE number, so the CAN- portion will be different than the CVE-
> portion. This would require a "lookup" capability to go from the
> candidate number to the real associated number. I.e., we would
> *still* have to maintain a mapping from candidate numbers to the CVE
> numbers.
>
> None of these problems is significant if the candidate number is never
> really public, and only for use within the Input Forum. They might be
> relatively minor compared with some of the benefits, e.g. "early
> tracking" of new vulnerability information, and allowing Input Forum
> members (e.g. vendors) to use candidate numbers in advisories that
> they post for new vulnerabilities.
>
> The question is: how important is it to the members of this group that
> we should have such "external candidate numbers"? Russ' perspective
> is clear since he is concerned with numbering vulnerabilities as early
> as possible, and I believe Andre would agree since he expressed
> concerns with getting numbers for advisories for new vulnerabilities.
> A second question is: assuming we have external candidate numbers, do
> they *have* to be the same as the CVE number? To reduce confusion,
> sure, but there won't always be a one-to-one relationship as I
> indicated earlier.
>
> I think that such a radical change to the CVE name requires a decision
> before release. Any commitments we make to a numbering scheme will
> have to be adhered to once the CVE is public.
>
> - Steve

--
----------------------------------------------------------------------
William Hill                          V:703-883-6416
INFOSEC Engineer                      F:703-883-1397
The MITRE Corporation                 bill@mitre.org
1820 Dolley Madison Blvd. M/S W422    whhill@acm.org
McLean, VA 22102-3481

Page last updated or reviewed: May 22, 2007