Description
Motivated by emergency contingency planning last week, this issue is to discuss the possibility of and options for changing how CVE IDs are assigned (or more correctly, reserved) by CNAs.
One option is to partition assignment by CNA, in a way that guarantees unique assignments between CNAs and removes the need for a central assignment service.
This design would require that CNAs (GNAs in the GCVE model) are registered sufficiently (to receive a partition of IDs) and rules to manage CNA changes (names, mergers, acquisitions, deprecation, etc.). There may be additional requirements. CNAs would be responsible for unique assignments within their space (and the year portion).
My individual idea is similar to GCVE but keeping the current CVE ID syntax. For example:
```
CVE-YYYY-1234567890123456789
A        ^^^
B           ^^^^
C               ^^^^^^^^^^^^

A: (3) reserved for Program use
B: (4) CNA ID, or "1000 CNAs should be enough for anyone"
C: (12) assignments within CNA partition
```
Note the GCVE approach:

> A GCVE ID uses a four-part format: `GCVE-<GNA ID>-<YEAR>-<UNIQUE ID>`.
Also similar to VIN.
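To make the partition layout and the GCVE comparison concrete, here is an added example (not code from this issue or the cve-services project) that encodes and decodes the proposed 3/4/12-digit split, checks each field fits its width, renders the same assignment in the GCVE four-part form, and models two CNAs reserving IDs independently without a central service. It assumes zero-padded fixed-width fields (so the ID stays `CVE-YYYY-N...` syntax) and reuses the CNA ID as the GNA ID; both are assumptions, not part of the proposal.

```python
import re
from dataclasses import dataclass

# Field widths assumed from the proposal: A=3 (Program use), B=4 (CNA ID), C=12 (per-CNA sequence).
PROGRAM_W, CNA_W, SEQ_W = 3, 4, 12
TOTAL_W = PROGRAM_W + CNA_W + SEQ_W  # 19 digits after the year
# Today's CVE ID syntax is unchanged: CVE-YYYY-NNNN with four or more digits.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

@dataclass(frozen=True)
class PartitionedId:
    year: int
    program: int  # A: reserved for Program use
    cna: int      # B: CNA (GNA) identifier, the partition owner
    seq: int      # C: assignment made by that CNA inside its own partition

    def __post_init__(self):
        for name, value, width in (("program", self.program, PROGRAM_W),
                                   ("cna", self.cna, CNA_W), ("seq", self.seq, SEQ_W)):
            if not 0 <= value < 10 ** width:
                raise ValueError(f"{name}={value} does not fit in {width} digits")

    def cve(self) -> str:
        """Render in the current CVE syntax; zero-padding keeps every field at a fixed offset."""
        return (f"CVE-{self.year:04d}-{self.program:0{PROGRAM_W}d}"
                f"{self.cna:0{CNA_W}d}{self.seq:0{SEQ_W}d}")

    def gcve(self) -> str:
        """The same assignment in the GCVE four-part form (CNA ID reused as GNA ID: an assumption)."""
        return f"GCVE-{self.cna}-{self.year}-{self.seq}"

def parse(cve_id: str) -> PartitionedId:
    """Split a partitioned ID into its fields; any other digit count is a legacy, unpartitioned ID."""
    m = CVE_RE.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    year, digits = int(m.group(1)), m.group(2)
    if len(digits) != TOTAL_W:
        raise ValueError(f"{cve_id}: expected {TOTAL_W} digits, got {len(digits)}")
    a, b = digits[:PROGRAM_W], digits[PROGRAM_W:PROGRAM_W + CNA_W]
    return PartitionedId(year, int(a), int(b), int(digits[PROGRAM_W + CNA_W:]))

class CnaPartition:
    """A CNA reserving IDs on its own: cross-CNA uniqueness comes from the CNA field, not a server."""
    def __init__(self, cna: int, program: int = 0):
        self.cna, self.program, self._next = cna, program, {}
    def reserve(self, year: int) -> PartitionedId:
        seq = self._next.get(year, 1)  # per-year counter; keeping it unique is the CNA's job
        self._next[year] = seq + 1
        return PartitionedId(year, self.program, self.cna, seq)
```

Two CNAs calling `reserve()` for the same year can never produce the same string, because the B field differs; the only uniqueness a CNA must guarantee itself is within its own 12-digit C field per year.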