ossf / security-baseline


Remove id range note #72

Closed david-a-wheeler closed 2 days ago

SecurityCRob commented 1 week ago

The ranges, as listed, are no longer valid today. Can we create new ranges and adjust the identifiers accordingly? We have 5 high-level categories, could each group be placed in a range of 20 #s, giving us the option of 100 total criteria? Today Badges has ~137 criteria, if we pad for future requirements, we could use sets of 30 ids for each category, giving us room to match BPB and have room to expand further.

eddie-knight commented 1 week ago

Considering that we're still pending an ID redesign, I think this is mostly a moot point. Removing the concept of a reserved range is quite fine.

david-a-wheeler commented 1 week ago

I think using numbers as IDs is a bad idea for requirements. Numbers have no meaning. If you make a mistake in a mapping, you typically won't notice. If all you have is the id, you have no idea what it's about. If you delete one, everyone asks why there's a missing one, which isn't the point.

In contrast, if you see requirement "OSPS-MFA" you can probably guess what it means.

eddie-knight commented 1 week ago

@SecurityCRob This one should be good to merge, as we're all in agreement that the ID pattern is going to be redesigned.

SecurityCRob commented 2 days ago

> I think using numbers as IDs is a bad idea for requirements. Numbers have no meaning. If you make a mistake in a mapping, you typically won't notice. If all you have is the id, you have no idea what it's about. If you delete one, everyone asks why there's a missing one, which isn't the point.
>
> In contrast, if you see requirement "OSPS-MFA" you can probably guess what it means.

STRONGLY disagree about the complete removal of numbering. 800-53, NIST SSDF, CSF, BSI's CRA Guidance, etc. all use alpha-numeric identifiers in their schemes. Shortening the names of 50ish requirements does not yield a meaningful identifier. Someone may have no context or background on what "MFA" is, but is able to grok "2FA" or "Multifactor" better?

eddie-knight commented 2 days ago

Since the conversation has drifted into overlap with #42, I'm going to close this PR. We can figure out how to replace the current numbering format in that issue, or in a future working session.