On Thu, Mar 19, 2020 at 12:33:29PM -0400, Ryan Sleevi wrote:
> I'm not sure an incident report is necessary. The CCADB policy allows both
> to be provided, and the mechanisms that CCADB uses (both for CAs and for
> Root Stores) permit a host of expressiveness (and further changes are being
> made).

I guess we're working on different meanings for "provide", in this sentence of the CCADB policy:

> CAs must provide English versions of any Certificate Policy, Certification
> Practice Statement and Audit documents which are not originally in English

The way I was looking at it was that a CPS is "provided" to the CCADB by linking to it. If a translated CPS exists, but it isn't linked to from the CCADB (or, as far as I can tell, anywhere sensible on the CA's site), can it really be said to have been "provided"? Especially when (as is the case for DFN-Verein) the cert itself doesn't include cPSuri, indicating where the CPS repository even is?

Perhaps the CCADB needs to be augmented, to specifically include an "English language version" of CP/CPS/Audit statements?

> This is something that the proposed Browser Alignment ballots in the CA/B
> Forum,
> https://github.com/cabforum/documents/compare/master...sleevi:2019-10-Browser_Alignment
> , would address. It incorporates the Mozilla Policy, Microsoft Policy, and
> CCADB policy within the BRs itself.
>
> In that branch, see the revised Section 8.6

As far as I can see, s8.6 only discusses audit reports, not CP/CPS. Which is fine and necessary, but when I'm trying to figure out where to send "y'all have a pile of certs that need revoking because your customers leave their keys on pastebin" e-mails, a CPS that I can read is what I need.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy