On Friday, October 28, 2016 at 2:12:32 AM UTC+8, Percy wrote:
> On Thursday, October 27, 2016 at 3:22:03 AM UTC-7, wangs...@gmail.com wrote:
> > On Thursday, October 27, 2016 at 8:09:06 AM UTC+8, Peter Kurrasch wrote:
> > > I think these are both good points and my recommendation is that Mozilla
> > > deny GDCA's request for inclusion.
> > >
> > > We should not have to explain something as basic as document versioning
> > > and version control. If GDCA can not demonstrate sufficient controls over
> > > their documentation, there is no reason for the Internet community to
> > > place confidence in any of the other versioning systems that are needed
> > > to operate a CA.
> > >
> > > Question: Are auditors expected to review translations of CP or CPS docs
> > > and verify consistency between them?
> > >
> > > From: Jakob Bohm
> > > Sent: Saturday, October 22, 2016 9:07 AM
> > > To: mozilla-dev-s...@lists.mozilla.org
> > > Subject: Re: Guang Dong Certificate Authority (GDCA) root inclusion
> > > request
> > >
> > > On 21/10/2016 10:38, Han Yuwei wrote:
> > > >
> > > > I think this is a major mistake and an investigation should be conducted
> > > > for CPS is a critical document about CA. This is not just a translation
> > > > problem but a version control problem. Sometimes it can be lying.
> > > >
> > >
> > > Let me try to be more specific:
> > >
> > > When publishing a document called CPS version 4.3 the document with
> > > that number must have the same contents in all languages that have a
> > > document with that name and version number.
> > >
> > > When making any change, even just correcting a mistyped URL, the
> > > document becomes a new document version which should have a new and
> > > larger number than the number of the document before the change.
> > > Thus when a published document refers to a broken URL on your own
> > > server, it is often cheaper to repair the server than to publish a new
> > > document version. Some of the oldest CAs have been proudly
> > > publishing their various important files at multiple URLs corresponding
> > > to whatever was mentioned in old CP and CPS documents etc., only
> > > shutting down those URLs years after the corresponding CA roots were
> > > shut down.
> > >
> > > There can also be a "draft" document which has no number and which
> > > contains the changes that will go into the next numbered edition. Such
> > > a "draft" would have no official significance, as it has not been
> > > officially "published". For a well-planned change, the final "draft"
> > > would be translated and checked into the relevant languages (e.g.
> > > Chinese with mainland writing system, Chinese with Hong Kong and Macao
> > > Special Administrative Regions old writing system, English), before
> > > simultaneously publishing the matching documents with the same number
> > > on the same day.
> > >
> > > There are infinitely many version numbers in the universe to choose
> > > from. There are also computer programs that can generate new version
> > > numbers every time a draft is changed, but computers cannot decide when
> > > a version is good enough in all languages to make an official
> > > publication, and the computer generated version numbers are often
> > > impractical for publication because they count all the small steps that
> > > were not published.
> > >
> > >
> > > Enjoy
> > >
> > > Jakob
> > > --
> > > Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> > > Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> > > This public discussion message is non-binding and may contain errors.
> > > WiseMo - Remote Service Management for PCs, Phones and Embedded
> > > _______________________________________________
> > > dev-security-policy mailing list
> > > dev-secur...@lists.mozilla.org
> > > https://lists.mozilla.org/listinfo/dev-security-policy
> >
> > We’d like to explain a few points.
> >
> > 1. We have already implemented version control on Chinese version CP/CPS,
> > the revision and release of CP/CPS are reviewed and approved by the
> > security policy committee (see section 1.5 in CP/CPS). The Chinese version
> > CP/CPS is also reviewed by our auditor.
> >
> > 2. The Chinese version CP/CPS is the formal documents we published in our
> > Website. In the initial phase of "Bug 1128392", we have submitted the
> > Chinese version CP/CPS to Mozilla, and Mozilla released a basic review list
> > in file "1128392-CAInformation.pdf" which contains instructions for us to
> > submit some chapters of the CP/CPS in English version. We are not able to
> > provide an accurate English version CP/CPS, but we will do our best to
> > finish this translation and upload for reviewing process. We will upload
> > the new English version CP/CPS for reference ASAP. However the English
> > version CP/CPS should not be considered as formal documents. In case of any
> > discrepancy between two versions, the Chinese version shall prevail.
> >
> > 3. Our auditor only reviews the Chinese version CP/CPS. It is not their
> > responsibility to confirm the translated English versions.
>
> According to Peter,
> "
> I reviewed the annual audit reports linked in your email, including
> the auditor's opinion and the management assertions.
>
> Good:
> - The reports and management assertion include an English language version
> - The English versions are authoritative (no qualification the Chinese
> language version holds in case of conflict)
> "
>
> This contradicts your assertion that
> "We are not able to provide an accurate English version CP/CPS, but we will
> do our best to finish this translation and upload for reviewing process. We
> will upload the new English version CP/CPS for reference ASAP. However the
> English version CP/CPS should not be considered as formal documents. In case
> of any discrepancy between two versions, the Chinese version shall prevail."

Peter's meaning is about the audit report itself. I didn't see any language matter about CPS. The audit report said that its English version is authoritative, not the CPS. Maybe PricewaterhouseCoopers can explain which language they audited.