On Thursday, October 27, 2016 at 8:09:06 AM UTC+8, Peter Kurrasch wrote:
> I think these are both good points and my recommendation is that Mozilla deny 
> GDCA's request for inclusion.
> 
> 
> We should not have to explain something as basic as document versioning and 
> version control. If GDCA can not demonstrate sufficient controls over their 
> documentation, there is no reason for the Internet community to place 
> confidence in any of the other versioning systems that are needed to operate 
> a CA.
> 
> 
> Question: Are auditors expected to review translations of CP or CPS docs and 
> verify consistency between them?
> 
> From: Jakob Bohm
> Sent: Saturday, October 22, 2016 9:07 AM
> To: [email protected]
> Subject: Re: Guang Dong Certificate Authority (GDCA) root inclusion request
> 
> 
> On 21/10/2016 10:38, Han Yuwei wrote:
> >
> > I think this is a major mistake and an investigation should be conducted for 
> > CPS is a critical document about CA. This is not just a translation problem 
> > but a version control problem. Sometimes it can be lying.
> >
> 
> Let me try to be more specific:
> 
> When publishing a document called CPS version 4.3 the document with
> that number must have the same contents in all languages that have a
> document with that name and version number.
> 
> When making any change, even just correcting a mistyped URL, the
> document becomes a new document version which should have a new and
> larger number than the number of the document before the change.
> Thus when a published document refers to a broken URL on your own
> server, it is often cheaper to repair the server than to publish a new
> document version.  Some of the oldest CAs have been proudly
> publishing their various important files at multiple URLs corresponding
> to whatever was mentioned in old CP and CPS documents etc., only
> shutting down those URLs years after the corresponding CA roots were
> shut down.
> 
> There can also be a "draft" document which has no number and which
> contains the changes that will go into the next numbered edition.  Such
> a "draft" would have no official significance, as it has not been
> officially "published".  For a well-planned change, the final "draft"
> would be translated and checked into the relevant languages (e.g.
> Chinese with mainland writing system, Chinese with Hong Kong and Macao
> Special Administrative Regions old writing system, English), before
> simultaneously publishing the matching documents with the same number
> on the same day.
> 
> There are infinitely many version numbers in the universe to choose
> from.  There are also computer programs that can generate new version
> numbers every time a draft is changed, but computers cannot decide when
> a version is good enough in all languages to make an official
> publication, and the computer generated version numbers are often
> impractical for publication because they count all the small steps that
> were not published.
> 
> 
> Enjoy
> 
> Jakob
> -- 
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

We’d like to explain a few points.

1. We have already implemented version control on the Chinese version CP/CPS; the 
revision and release of CP/CPS are reviewed and approved by the security policy 
committee (see section 1.5 in CP/CPS). The Chinese version CP/CPS is also 
reviewed by our auditor.

2. The Chinese version CP/CPS is the formal document we published on our 
Website. In the initial phase of "Bug 1128392", we have submitted the Chinese 
version CP/CPS to Mozilla, and Mozilla released a basic review list in file 
"1128392-CAInformation.pdf" which contains instructions for us to submit some 
chapters of the CP/CPS in English version. We are not able to provide an 
accurate English version CP/CPS, but we will do our best to finish this 
translation and upload it for the reviewing process. We will upload the new English 
version CP/CPS for reference ASAP. However, the English version CP/CPS should 
not be considered a formal document. In case of any discrepancy between the two 
versions, the Chinese version shall prevail.

3. Our auditor only reviews the Chinese version CP/CPS. It is not their 
responsibility to confirm the translated English versions.