RE: Policy Update Proposal: Require full CP/CPS in English

2016-03-25 Thread Varga Viktor
Dear Ryan,

You are right. For audit or inclusion maybe it's needed.

I am 100% sure that only users with an auditor attitude are reading our CP or 
CPSes, none of the customers.

regards. 
Viktor Varga
Netlock

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+varga.viktor=netlock...@lists.mozilla.org] 
On Behalf Of Ryan Sleevi
Sent: Tuesday, March 1, 2016 11:10 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Policy Update Proposal: Require full CP/CPS in English

On Tuesday, March 1, 2016 at 1:34:49 PM UTC-8, Varga Viktor wrote:
> I just want to ask you, isn't the PDS enough for this?
> 
> 119411-1 (319411-1) says you need to publish a PKI Disclosure Statement 
> (PDS)
> 119411-2 (319411-2) references for certificate profiles the 119412-5
> 
> The 119412-5 (319412-5) says in section 5 Requirements on QCStatements in EU 
> qualified certificates in the last row of the table, that you need to have 
> minimum one reference to an English PDS.
> 
> So for qualified certificates it is mandatory; why don't we extend it for all root 
> certs and usages?
> 
> I think nearly nobody reads through a CP or CPS, but the PDS gives a reasonable 
> view for a customer, and most of the CAs already have it in English.

For matters of inclusion, renewals, or violations, we absolutely read through 
the CP and CPS quite thoroughly, as these practices are all of direct relevance 
to the broader Internet community.

To that end, a PDS is frequently insufficient, and only relevant to qualified 
certificates, which are themselves not something worth emulating :) 
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Policy Update Proposal: Require full CP/CPS in English

2016-03-01 Thread Ryan Sleevi
On Tuesday, March 1, 2016 at 1:34:49 PM UTC-8, Varga Viktor wrote:
> I just want to ask you, isn't the PDS enough for this?
> 
> 119411-1 (319411-1) says you need to publish a PKI Disclosure Statement (PDS)
> 119411-2 (319411-2) references for certificate profiles the 119412-5
> 
> The 119412-5 (319412-5) says in section 5 Requirements on QCStatements in EU 
> qualified certificates in the last row of the table, that you need to have 
> minimum one reference to an English PDS.
> 
> So for qualified certificates it is mandatory; why don't we extend it for all root 
> certs and usages?
> 
> I think nearly nobody reads through a CP or CPS, but the PDS gives a reasonable 
> view for a customer, and most of the CAs already have it in English.

For matters of inclusion, renewals, or violations, we absolutely read through 
the CP and CPS quite thoroughly, as these practices are all of direct relevance 
to the broader Internet community.

To that end, a PDS is frequently insufficient, and only relevant to qualified 
certificates, which are themselves not something worth emulating :)


Re: Policy Update Proposal: Require full CP/CPS in English

2016-03-01 Thread Varga Viktor
I just want to ask you, isn't the PDS enough for this?

119411-1 (319411-1) says you need to publish a PKI Disclosure Statement (PDS)
119411-2 (319411-2) references for certificate profiles the 119412-5

The 119412-5 (319412-5) says in section 5 Requirements on QCStatements in EU 
qualified certificates in the last row of the table, that you need to have 
minimum one reference to an English PDS.

So for qualified certificates it is mandatory; why don't we extend it for all root 
certs and usages?

I think nearly nobody reads through a CP or CPS, but the PDS gives a reasonable 
view for a customer, and most of the CAs already have it in English.

regards. Viktor Varga


Re: Policy Update Proposal: Require full CP/CPS in English

2015-11-20 Thread Chris Hofmann
On Fri, Nov 20, 2015 at 8:12 AM, Richard Barnes  wrote:

> On Thu, Nov 19, 2015 at 6:22 PM, Matt Palmer  wrote:
>
> > On Thu, Nov 19, 2015 at 05:00:03PM -0800, Kathleen Wilson wrote:
> > > Insert 3rd bullet point:
> > > "- translate into English the Certificate Policy and Certification
> > Practice
> > > Statement documents pertaining to the certificates to be included and
> the
> > > trust bits to be enabled;"
> > >
> > > I will appreciate recommendations about how to improve this proposed
> > update.
> >
> > Some wording to require CAs to acknowledge that this translation is not
> > merely informative, but in fact a binding agreement with the Internet
> > community, would be useful.  I can easily imagine a CA claiming, in the
> > event of a breach of the CPS, that the "authoritative" version, in an
> > alternate language, doesn't describe things in quite the same way, and so
> > isn't a breach.
> >
> > > Is this a reasonable requirement to add?
> >
> > I think it is.  The working language of the technical Internet (and this
> > list)
>
>
> The latter is the important thing here: This is the community that is
> evaluating and making decisions based on these documents, so the
> commitments in them need to be intelligible to us.
>
> --Richard
>
>
This is a hard problem, but it cuts both ways.  The community that is
executing the commitments also needs to have intelligible documents
that can be shared and understood among all that could participate
in the process of delivering and protecting certificates.

For this to really work well we should attempt to have good translations
in both directions, understanding that this is hard.

The Airline example is a good one, but these communications have
a critical time constraint.  e.g. I must land my plane now!

With the content we are talking about it's probably more important
to get the content right, and understandable by all parties involved
than it is to do it fast and on a time critical timeline.

It might be worth identifying some sections of the operational
requirements that need to have good translations in order to reduce
the chances of injecting human error due to participants in the process
not understanding and communicating responsibilities correctly.

It's probably these human errors that we've seen show up
that need to have the most attention, and we don't want
the human errors to be compounded by the fact that the
instructions were not in a language that was well understood.

Our Mozilla translation community might also be a helpful part
of this as a sanity check and review to see if the language
in both translations directions is effective and matching
in intent.

-chofmann


>
> > is, for better or worse, English, and ensuring that the core
> > documentation of a CA's agreement with the Internet community is
> consumable
> > by the largest possible number of interested parties is an important
> goal.
> >
> > - Matt
> >


Policy Update Proposal: Require full CP/CPS in English

2015-11-19 Thread Kathleen Wilson

I would like to discuss this proposal[1] next:

- (D26) Add a requirement for CAs to provide English-translated versions 
of their complete CP / CPS


I think we would have to narrow it down a bit, because some CAs have 
several CP/CPS documents for their various product offerings, not 
related to SSL or S/MIME certs.


So, how about if we add a bullet point to section 6 of the Inclusion 
policy, which currently starts as follows.

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
~~
6. We require that all CAs whose certificates are distributed with our 
software products:

- provide some service relevant to typical users of our software products;
- publicly disclose information about their policies and business 
practices (e.g., in a Certificate Policy and Certification Practice 
Statement);

~~

Insert 3rd bullet point:
"- translate into English the Certificate Policy and Certification 
Practice Statement documents pertaining to the certificates to be 
included and the trust bits to be enabled;"


I will appreciate recommendations about how to improve this proposed update.

Is this a reasonable requirement to add?

Are there any arguments against adding this requirement that we should 
consider?



Thanks,
Kathleen

[1] https://wiki.mozilla.org/CA:CertificatePolicyV2.3



Re: Policy Update Proposal: Require full CP/CPS in English

2015-11-19 Thread Matt Palmer
On Thu, Nov 19, 2015 at 05:00:03PM -0800, Kathleen Wilson wrote:
> Insert 3rd bullet point:
> "- translate into English the Certificate Policy and Certification Practice
> Statement documents pertaining to the certificates to be included and the
> trust bits to be enabled;"
> 
> I will appreciate recommendations about how to improve this proposed update.

Some wording to require CAs to acknowledge that this translation is not
merely informative, but in fact a binding agreement with the Internet
community, would be useful.  I can easily imagine a CA claiming, in the
event of a breach of the CPS, that the "authoritative" version, in an
alternate language, doesn't describe things in quite the same way, and so
isn't a breach.

> Is this a reasonable requirement to add?

I think it is.  The working language of the technical Internet (and this
list) is, for better or worse, English, and ensuring that the core
documentation of a CA's agreement with the Internet community is consumable
by the largest possible number of interested parties is an important goal.

- Matt
