Re: Policy 2.6 Proposal: Require English Language Audit Reports
To close out this discussion, I've gone ahead with the proposed change, including the addition of the requirement that the English language version of the audit statement be an authoritative version: https://github.com/mozilla/pkipolicy/commit/e4cc785367350a46fc839639a28a92bd17d542e3

- Wayne

On Thu, Apr 5, 2018 at 11:12 AM, Wayne Thayer wrote:

> It has been pointed out to me that we should seek to create a policy that meets our needs without imposing a requirement for auditors to adopt the English language. For the CP/CPS, we address this concern by requiring a translation that "...must match the current version..."
>
> I am of the opinion that the proposed language has the same effect. By requiring AN authoritative English language version, we are not precluding other authoritative versions of the audit statement. We are only requiring that the English language version meet the definition of authoritative: "possessing recognized or evident authority: clearly accurate or knowledgeable"
>
> On Thu, Apr 5, 2018 at 3:22 AM, Adrian R. via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
>> Then we go back to: what's the point of becoming a globally-recognized CA if you are not allowed by law to recognize as legal the English language version?
>>
>> Some user from the other part of the world might not know YOUR local language, but they are more likely to know English.
>>
>> A local country can simply issue legislation that XYZ Certification Authority with certificate public key ##[...] is mandatory to be recognized by everyone in the country and that's that. You don't really need Mozilla / Microsoft / Apple to accept you as CA to operate.
>> You have to earn their (and their users') trust. One critical step to earning this trust is having legally-binding, easy to understand documents.
>>
>> Adrian R.
>>
>> On Thursday, 5 April 2018 12:38:12 UTC+3, Buschart, Rufus wrote:
>> > I would like to suggest to add the clause "if legally allowed" at the end. I had some crazy discussions with colleagues in Russia and Québec about documents in English.
>
> Rufus - do my comments above solve this problem?
>
>> > Also it should be added that the audit information must be publicly available in the Internet.
>
> Currently, Mozilla publishes audit reports if they aren't already publicly available on the internet - typically by asking the CA to attach them to a bug. Does that suffice? If not, we should discuss this as a separate new requirement.
>
>> > The whole sentence would be:
>> >
>> > "The audit information MUST be publicly available in the Internet. An English version MUST be provided. The English version MUST be authoritative if legally possible under the jurisdiction of the CAs home country."

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Policy 2.6 Proposal: Require English Language Audit Reports
It has been pointed out to me that we should seek to create a policy that meets our needs without imposing a requirement for auditors to adopt the English language. For the CP/CPS, we address this concern by requiring a translation that "...must match the current version..."

I am of the opinion that the proposed language has the same effect. By requiring AN authoritative English language version, we are not precluding other authoritative versions of the audit statement. We are only requiring that the English language version meet the definition of authoritative: "possessing recognized or evident authority: clearly accurate or knowledgeable"

On Thu, Apr 5, 2018 at 3:22 AM, Adrian R. via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Then we go back to: what's the point of becoming a globally-recognized CA if you are not allowed by law to recognize as legal the English language version?
>
> Some user from the other part of the world might not know YOUR local language, but they are more likely to know English.
>
> A local country can simply issue legislation that XYZ Certification Authority with certificate public key ##[...] is mandatory to be recognized by everyone in the country and that's that. You don't really need Mozilla / Microsoft / Apple to accept you as CA to operate.
> You have to earn their (and their users') trust. One critical step to earning this trust is having legally-binding, easy to understand documents.
>
> Adrian R.
>
> On Thursday, 5 April 2018 12:38:12 UTC+3, Buschart, Rufus wrote:
> > I would like to suggest to add the clause "if legally allowed" at the end. I had some crazy discussions with colleagues in Russia and Québec about documents in English.

Rufus - do my comments above solve this problem?

> > Also it should be added that the audit information must be publicly available in the Internet.

Currently, Mozilla publishes audit reports if they aren't already publicly available on the internet - typically by asking the CA to attach them to a bug. Does that suffice? If not, we should discuss this as a separate new requirement.

> > The whole sentence would be:
> >
> > "The audit information MUST be publicly available in the Internet. An English version MUST be provided. The English version MUST be authoritative if legally possible under the jurisdiction of the CAs home country."
Re: Policy 2.6 Proposal: Require English Language Audit Reports
Then we go back to: what's the point of becoming a globally-recognized CA if you are not allowed by law to recognize as legal the English language version?

Some user from the other part of the world might not know YOUR local language, but they are more likely to know English.

A local country can simply issue legislation that XYZ Certification Authority with certificate public key ##[...] is mandatory to be recognized by everyone in the country and that's that. You don't really need Mozilla / Microsoft / Apple to accept you as CA to operate.
You have to earn their (and their users') trust. One critical step to earning this trust is having legally-binding, easy to understand documents.

Adrian R.

On Thursday, 5 April 2018 12:38:12 UTC+3, Buschart, Rufus wrote:
> I would like to suggest to add the clause "if legally allowed" at the end. I had some crazy discussions with colleagues in Russia and Québec about documents in English. Also it should be added that the audit information must be publicly available in the Internet. The whole sentence would be:
>
> "The audit information MUST be publicly available in the Internet. An English version MUST be provided. The English version MUST be authoritative if legally possible under the jurisdiction of the CAs home country."
RE: Policy 2.6 Proposal: Require English Language Audit Reports
I would like to suggest to add the clause "if legally allowed" at the end. I had some crazy discussions with colleagues in Russia and Québec about documents in English. Also it should be added that the audit information must be publicly available in the Internet. The whole sentence would be:

"The audit information MUST be publicly available in the Internet. An English version MUST be provided. The English version MUST be authoritative if legally possible under the jurisdiction of the CAs home country."

With best regards,
Rufus Buschart

Siemens AG
GS IT HR 7 4
Hugo-Junkers-Str. 9
90411 Nuernberg, Germany
Tel.: +49 1522 2894134
mailto:rufus.busch...@siemens.com
www.siemens.com/ingenuityforlife

-Original Message-
From: dev-security-policy [mailto:dev-security-policy-bounces+rufus.buschart=siemens@lists.mozilla.org] On Behalf Of Tim Hollebeek via dev-security-policy
Sent: Donnerstag, 5. April 2018 02:49
To: Ryan Hurst; mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Policy 2.6 Proposal: Require English Language Audit Reports

Call me crazy, but for this particular requirement, I think simple sentences might be better.

"The audit information MUST be publicly available. An English version MUST be provided. The English version MUST be authoritative."

-Tim

> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-bounces+tim.hollebeek=digicert@lists.mozilla.org] On Behalf Of Ryan Hurst via dev-security-policy
> Sent: Wednesday, April 4, 2018 7:19 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Policy 2.6 Proposal: Require English Language Audit Reports
>
> > An authoritative English language version of the publicly-available audit information MUST be supplied by the Auditor.
> >
> > It would be helpful for auditors that issue reports in languages other than English to confirm that this won't create any issues.
>
> That would address my concern.
RE: Policy 2.6 Proposal: Require English Language Audit Reports
Call me crazy, but for this particular requirement, I think simple sentences might be better.

"The audit information MUST be publicly available. An English version MUST be provided. The English version MUST be authoritative."

-Tim

> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-bounces+tim.hollebeek=digicert@lists.mozilla.org] On Behalf Of Ryan Hurst via dev-security-policy
> Sent: Wednesday, April 4, 2018 7:19 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Policy 2.6 Proposal: Require English Language Audit Reports
>
> > An authoritative English language version of the publicly-available audit information MUST be supplied by the Auditor.
> >
> > It would be helpful for auditors that issue reports in languages other than English to confirm that this won't create any issues.
>
> That would address my concern.
Re: Policy 2.6 Proposal: Require English Language Audit Reports
> An authoritative English language version of the publicly-available audit information MUST be supplied by the Auditor.
>
> It would be helpful for auditors that issue reports in languages other than English to confirm that this won't create any issues.

That would address my concern.
Re: Policy 2.6 Proposal: Require English Language Audit Reports
On Wed, Apr 4, 2018 at 2:46 PM, Ryan Hurst via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Wednesday, April 4, 2018 at 1:58:35 PM UTC-7, Wayne Thayer wrote:
> > Mozilla needs to be able to read audit reports in the English language without relying on machine translations that may be inaccurate or misleading.
> >
> > I suggest adding the following sentence to the end of policy section 3.1.4 “Public Audit Information”:
> >
> > An English language version of the publicly-available audit information MUST be supplied by the Auditor.
> >
> > This is: https://github.com/mozilla/pkipolicy/issues/106
> >
> > ---
> >
> > This is a proposed update to Mozilla's root store policy for version 2.6. Please keep discussion in this group rather than on GitHub. Silence is consent.
> >
> > Policy 2.5 (current version):
> > https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md
>
> Should the text require the English version to be the authoritative version?

This makes sense, and is easy to add to the proposed statement:

An authoritative English language version of the publicly-available audit information MUST be supplied by the Auditor.

It would be helpful for auditors that issue reports in languages other than English to confirm that this won't create any issues.
Re: Policy 2.6 Proposal: Require English Language Audit Reports
On Wednesday, April 4, 2018 at 1:58:35 PM UTC-7, Wayne Thayer wrote:
> Mozilla needs to be able to read audit reports in the English language without relying on machine translations that may be inaccurate or misleading.
>
> I suggest adding the following sentence to the end of policy section 3.1.4 “Public Audit Information”:
>
> An English language version of the publicly-available audit information MUST be supplied by the Auditor.
>
> This is: https://github.com/mozilla/pkipolicy/issues/106
>
> ---
>
> This is a proposed update to Mozilla's root store policy for version 2.6. Please keep discussion in this group rather than on GitHub. Silence is consent.
>
> Policy 2.5 (current version):
> https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md

Should the text require the English version to be the authoritative version?