RE: Policy Update Proposal: Require full CP/CPS in English
Dear Ryan,

You are right. For audit or inclusion maybe it's needed. I am 100% sure that only users with an auditor attitude are reading our CP or CPSes, none of the customers.

regards,
Viktor Varga
Netlock

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+varga.viktor=netlock...@lists.mozilla.org] On Behalf Of Ryan Sleevi
Sent: Tuesday, March 1, 2016 11:10 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Policy Update Proposal: Require full CP/CPS in English

On Tuesday, March 1, 2016 at 1:34:49 PM UTC-8, Varga Viktor wrote:
> I just want to ask you, is not the PDS enough for this?
>
> 119411-1 (319411-1) says you need to publish a PKI Disclosure Statement (PDS)
> 119411-2 (319411-2) references for certificate profiles the 119412-5
>
> The 119412-5 (319412-5) says in section 5, Requirements on QCStatements in EU
> qualified certificates, in the last row of the table, that you need to have
> minimum one reference to an English PDS.
>
> So for qualified certificates it is mandatory; why don't we extend it to all root
> certs and usages?
>
> I think nearly nobody reads through a CP or CPS, but the PDS gives a reasonable
> view for a customer, and most of the CAs already have it in English.

For matters of inclusion, renewals, or violations, we absolutely read through the CP and CPS quite thoroughly, as these practices are all of direct relevance to the broader Internet community. To that end, a PDS is frequently insufficient, and only relevant to qualified certificates, which are themselves not something worth emulating :)

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Policy Update Proposal: Require full CP/CPS in English
On Tuesday, March 1, 2016 at 1:34:49 PM UTC-8, Varga Viktor wrote:
> I just want to ask you, is not the PDS enough for this?
>
> 119411-1 (319411-1) says you need to publish a PKI Disclosure Statement (PDS)
> 119411-2 (319411-2) references for certificate profiles the 119412-5
>
> The 119412-5 (319412-5) says in section 5, Requirements on QCStatements in EU
> qualified certificates, in the last row of the table, that you need to have
> minimum one reference to an English PDS.
>
> So for qualified certificates it is mandatory; why don't we extend it to all root
> certs and usages?
>
> I think nearly nobody reads through a CP or CPS, but the PDS gives a reasonable
> view for a customer, and most of the CAs already have it in English.

For matters of inclusion, renewals, or violations, we absolutely read through the CP and CPS quite thoroughly, as these practices are all of direct relevance to the broader Internet community. To that end, a PDS is frequently insufficient, and only relevant to qualified certificates, which are themselves not something worth emulating :)
Re: Policy Update Proposal: Require full CP/CPS in English
I just want to ask you, is not the PDS enough for this?

119411-1 (319411-1) says you need to publish a PKI Disclosure Statement (PDS)
119411-2 (319411-2) references for certificate profiles the 119412-5

The 119412-5 (319412-5) says in section 5, Requirements on QCStatements in EU qualified certificates, in the last row of the table, that you need to have minimum one reference to an English PDS.

So for qualified certificates it is mandatory; why don't we extend it to all root certs and usages?

I think nearly nobody reads through a CP or CPS, but the PDS gives a reasonable view for a customer, and most of the CAs already have it in English.

regards,
Viktor Varga
Re: Policy Update Proposal: Require full CP/CPS in English
On Fri, Nov 20, 2015 at 8:12 AM, Richard Barnes wrote:
> On Thu, Nov 19, 2015 at 6:22 PM, Matt Palmer wrote:
>
> > On Thu, Nov 19, 2015 at 05:00:03PM -0800, Kathleen Wilson wrote:
> > > Insert 3rd bullet point:
> > > "- translate into English the Certificate Policy and Certification Practice
> > > Statement documents pertaining to the certificates to be included and the
> > > trust bits to be enabled;"
> > >
> > > I will appreciate recommendations about how to improve this proposed
> > > update.
> >
> > Some wording to require CAs to acknowledge that this translation is not
> > merely informative, but in fact a binding agreement with the Internet
> > community, would be useful. I can easily imagine a CA claiming, in the
> > event of a breach of the CPS, that the "authoritative" version, in an
> > alternate language, doesn't describe things in quite the same way, and so
> > isn't a breach.
> >
> > > Is this a reasonable requirement to add?
> >
> > I think it is. The working language of the technical Internet (and this
> > list)
>
> The latter is the important thing here: This is the community that is
> evaluating and making decisions based on these documents, so the
> commitments in them need to be intelligible to us.
>
> --Richard
>

This is a hard problem, but it cuts both ways. The community that is executing the commitments also needs to have intelligible documents that can be shared and understood among all that could participate in the process of delivering and protecting certificates. For this to really work well we should attempt to have good translations in both directions, understanding that this is hard.

The airline example is a good one, but these communications have a critical time constraint, e.g. I must land my plane now! With the content we are talking about it's probably more important to get the content right, and understandable by all parties involved, than it is to do it fast and on a time-critical timeline.

It might be worth identifying some sections of the operational requirements that need to have good translations in order to reduce the chances of injecting human error due to participants in the process not understanding and communicating responsibilities correctly. It's probably these human errors that we've seen show up that need to have the most attention, and we don't want the human errors to be compounded by the fact that the instructions were not in a language that was well understood.

Our Mozilla translation community might also be a helpful part of this as a sanity check and review to see if the language in both translation directions is effective and matching in intent.

-chofmann

> > is, for better or worse, English, and ensuring that the core
> > documentation of a CA's agreement with the Internet community is consumable
> > by the largest possible number of interested parties is an important goal.
> >
> > - Matt
Policy Update Proposal: Require full CP/CPS in English
I would like to discuss this proposal[1] next:

- (D26) Add a requirement for CAs to provide English-translated versions of their complete CP / CPS

I think we would have to narrow it down a bit, because some CAs have several CP/CPS documents for their various product offerings, not related to SSL or S/MIME certs.

So, how about if we add a bullet point to section 6 of the Inclusion policy, which currently starts as follows.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
~~
6. We require that all CAs whose certificates are distributed with our software products:
- provide some service relevant to typical users of our software products;
- publicly disclose information about their policies and business practices (e.g., in a Certificate Policy and Certification Practice Statement);
~~

Insert 3rd bullet point:
"- translate into English the Certificate Policy and Certification Practice Statement documents pertaining to the certificates to be included and the trust bits to be enabled;"

I will appreciate recommendations about how to improve this proposed update.

Is this a reasonable requirement to add?

Are there any arguments against adding this requirement that we should consider?

Thanks,
Kathleen

[1] https://wiki.mozilla.org/CA:CertificatePolicyV2.3
Re: Policy Update Proposal: Require full CP/CPS in English
On Thu, Nov 19, 2015 at 05:00:03PM -0800, Kathleen Wilson wrote:
> Insert 3rd bullet point:
> "- translate into English the Certificate Policy and Certification Practice
> Statement documents pertaining to the certificates to be included and the
> trust bits to be enabled;"
>
> I will appreciate recommendations about how to improve this proposed update.

Some wording to require CAs to acknowledge that this translation is not merely informative, but in fact a binding agreement with the Internet community, would be useful. I can easily imagine a CA claiming, in the event of a breach of the CPS, that the "authoritative" version, in an alternate language, doesn't describe things in quite the same way, and so isn't a breach.

> Is this a reasonable requirement to add?

I think it is. The working language of the technical Internet (and this list) is, for better or worse, English, and ensuring that the core documentation of a CA's agreement with the Internet community is consumable by the largest possible number of interested parties is an important goal.

- Matt