I think these are both good points and my recommendation is that Mozilla deny GDCA's request for inclusion. We should not have to explain something as basic as document versioning and version control. If GDCA cannot demonstrate sufficient controls over their documentation, there is no reason for the Internet community to place confidence in any of the other versioning systems that are needed to operate a CA.

Question: Are auditors expected to review translations of CP or CPS docs and verify consistency between them?

On 21/10/2016 10:38, Han Yuwei wrote:
> > I think this is a major mistake and an investigation should be conducted for CPS is a critical document about CA. This is not just a translation problem but a version control problem. Sometimes it can be lying.
>
> Let me try to be more specific:
>
> When publishing a document called CPS version 4.3 the document with that number must have the same contents in all languages that have a document with that name and version number.
>
> When making any change, even just correcting a mistyped URL, the document becomes a new document version which should have a new and larger number than the number of the document before the change.
>
> Thus when a published document refers to a broken URL on your own server, it is often cheaper to repair the server than to publish a new document version. Some of the oldest CAs have been proudly publishing their various important files at multiple URLs corresponding to whatever was mentioned in old CP and CPS documents etc., only shutting down those URLs years after the corresponding CA roots were shut down.
>
> There can also be a "draft" document which has no number and which contains the changes that will go into the next numbered edition. Such a "draft" would have no official significance, as it has not been officially "published".
>
> For a well-planned change, the final "draft" would be translated and checked into the relevant languages (e.g. Chinese with mainland writing system, Chinese with Hong Kong and Macao Special Administrative Regions old writing system, English), before simultaneously publishing the matching documents with the same number on the same day.
>
> There are infinitely many version numbers in the universe to choose from. There are also computer programs that can generate new version numbers every time a draft is changed, but computers cannot decide when a version is good enough in all languages to make an official publication, and the computer generated version numbers are often impractical for publication because they count all the small steps that were not published.
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy