OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

was message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: The ID generation issue

Here are my thoughts on this issue:

I don't think the current algorithm is satisfactory because it uses the 
release date as part of the ID. As a reminder here's what the schema 
says about this:

The ID element provides a mechanism to declare uniquely identifiable 
attributes for cataloging and referencing.

The provider, author and vendor IDs allow cross referencing and trust 
models to be developed based on the source of the test case.

Note: Need to define the XML:DigSig for these attributes and provide for 
a mechanism to sign an entire file (ie provide authenticity and 
integrity of the file outside of transport security).
The ID Element should be derived from the following pieces of information:

   1.  Organization Label / Name - ex: Foundstone, in the case of large
       organization it is their responsibility to maintain organization
       level uniqueness.  ... TODO:  Define legal characters.

   2.  Current date - YYYY-MM-DD TODO:
Thus a sample ID is: 2004-03-31-foundstone.com-0001

The id part after the company name should be unique within the company 
(i.e. last part of id namespace needs to be managed by the company.

What happens when there is a revision? Is the ID supposed to change to 
incorporate the date of the revision release or not? In any case, I 
don't see a strong point for having the date as part of the ID.

Furthermore, we need to consider the requirement of every EVDL part to 
have an ID of its own. Personally I would like to see something like 
this (as an ID):



  * http://www.thinkingstone.com/evdl = unique ID of the publisher
  * 123456 - instance ID (unique on the publisher level)
  * protect - EVDL part name

In fact, maybe it's probably better to use the following format:


Using an ID of this form would achieve the following:

  1. Assign a unique ID to a schema instance

  2. Allow different parts to have different IDs but
     related parts to have a common base

  3. Allow a device to retrieve an instance from a publisher's
     web site just by accessing the URL. Therefore an ID is all
     a device needs to retrieve the XML data.

Ivan Ristic (http://www.modsecurity.org)

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]