To close out this discussion, I've gone ahead with the proposed change, including the addition of the requirement that the English language version of the audit statement be an authoritative version:
https://github.com/mozilla/pkipolicy/commit/e4cc785367350a46fc839639a28a92bd17d542e3

- Wayne

On Thu, Apr 5, 2018 at 11:12 AM, Wayne Thayer <[email protected]> wrote:

> It has been pointed out to me that we should seek to create a policy that
> meets our needs without imposing a requirement for auditors to adopt the
> English language. For the CP/CPS, we address this concern by requiring a
> translation that "...must match the current version..."
>
> I am of the opinion that the proposed language has the same effect. By
> requiring AN authoritative English language version, we are not precluding
> other authoritative versions of the audit statement. We are only requiring
> that the English language version meet the definition of authoritative:
> "possessing recognized or evident authority: clearly accurate or
> knowledgeable"
>
> On Thu, Apr 5, 2018 at 3:22 AM, Adrian R. via dev-security-policy
> <[email protected]> wrote:
>
>> Then we go back to: what's the point of becoming a globally-recognized CA
>> if you are not allowed by law to recognize as legal the English language
>> version?
>>
>> Some user from the other part of the world might not know YOUR local
>> language, but they are more likely to know English.
>>
>> A local country can simply issue legislation that XYZ Certification
>> Authority with certificate public key ##########[...]#### is mandatory to
>> be recognized by everyone in the country and that's that. You don't really
>> need Mozilla / Microsoft / Apple to accept you as CA to operate.
>> You have to earn their (and their users') trust. One critical step to
>> earning this trust is having legally-binding, easy to understand documents.
>>
>> ~~~~
>> Adrian R.
>>
>> On Thursday, 5 April 2018 12:38:12 UTC+3, Buschart, Rufus wrote:
>> > I would like to suggest to add the clause "if legally allowed" at the
>> > end. I had some crazy discussions with colleagues in Russia and Québec
>> > about documents in English.
>
> Rufus - do my comments above solve this problem?
>
>> > Also it should be added that the audit information must be publicly
>> > available in the Internet.
>
> Currently, Mozilla publishes audit reports if they aren't already publicly
> available on the internet - typically by asking the CA to attach them to a
> bug. Does that suffice? If not, we should discuss this as a separate new
> requirement.
>
>> > The whole sentence would be:
>> >
>> > "The audit information MUST be publicly available in the Internet. An
>> > English version MUST be provided. The English version MUST be
>> > authoritative if legally possible under the jurisdiction of the CA's
>> > home country."

