Hi Kathleen,

On 15/11/16 00:51, Kathleen Wilson wrote:
> There were some recommendations to deny this request due to the
> versioning problems between the English documents and the original
> documents.
>
> Do you all still feel that is the proper answer to this root
> inclusion request?

As I understand it, what happened was as follows:

* As part of their application, GDCA provided both Chinese and English versions of their CP/CPS, posted to m.d.s.policy on 3rd August:

  Chinese CP: http://www.gdca.com.cn/cp/cp
  Chinese CPS: http://www.gdca.com.cn/cps/cps
  English CP: https://bugzilla.mozilla.org/attachment.cgi?id=8650346
  English CPS: https://bugzilla.mozilla.org/attachment.cgi?id=8688749

  (I don't immediately have URLs for their EV CP and CPS in Chinese or English from the original submission.)

* On 26th September, it was pointed out by Andrew Whalley that the English versions had lower version numbers than the Chinese versions (CP: 1.2 vs. 1.4; CPS: 4.1 vs 4.3)

* On 27th September, one day later, GDCA provided new English versions with the same version numbers as the Chinese versions:

  CP V1.4: https://bugzilla.mozilla.org/attachment.cgi?id=8795090
  CPS V4.3: https://bugzilla.mozilla.org/attachment.cgi?id=8795091
  EV CP V1.2: https://bugzilla.mozilla.org/attachment.cgi?id=8795093
  EV CPS V1.3: https://bugzilla.mozilla.org/attachment.cgi?id=8795094

* It was pointed out by more than one person that there were significant content differences between the English and Chinese versions which were both labelled with the same version number

* GDCA said this was due to a "poor CP/CPS English translation" and on 28th October, provided new English versions (again) with the same version numbers

  CP: https://bugzilla.mozilla.org/attachment.cgi?id=8805543
  CPS: https://bugzilla.mozilla.org/attachment.cgi?id=8805545
  EV CP: https://bugzilla.mozilla.org/attachment.cgi?id=8805546
  EV CPS: https://bugzilla.mozilla.org/attachment.cgi?id=8805547

What Mozilla has to decide is whether this was incompetence or malice. Were GDCA trying to hide something? If so, their inclusion must be in doubt. If they were not trying to hide something and just need a lesson in version control, that is not necessarily something which disqualifies, although it does give one concern.

Looking at the CPS (using pdf2txt and diff), the differences between the originally-submitted v4.1 and the first 4.3 are very minor. One intermediate certificate changes name throughout, as does the name of GDCA. Three certs in an appendix are replaced with others. Other than that, the only changes are these:

https://gist.github.com/gerv/fc311785c49c7fdfdfba78d6d5ad4aa9

This seems like an odd change, removing specificity about how domain validation is done. This change was _added_ to the Chinese version of 3.2.5 between 4.1 and 4.2, and moved to section 3.2.7 in version 4.3. So how does going from 4.1 to 4.3 in the English version lead to it being removed?

The differences between the first 4.3 and the second one are much more extensive.

So I'd say the questions for GDCA are these:

* When you were asked to produce a version of your CPS matching Chinese version 4.3, within a day you came up with:

  https://bugzilla.mozilla.org/attachment.cgi?id=8795091

  That clearly doesn't match Chinese version 4.3, and yet it has "version 4.3" written in it. And the effective date marked within it is one month _earlier_ than the effective date of the Chinese 4.3. How did this happen? How did such a document come to exist with such a version number and date attached, when it is so massively different from the real 4.3, and so similar to the previous 4.1?

* You say you only translated the relevant bits rather than all of it, which is why there is a discrepancy, but the diff between 4.1 and the first version of 4.3 reveals no additions, only one deletion. How does that fit?

Gerv