Re: Policy 2.6 Proposal: Require English Language Audit Reports

2018-04-16 Thread Wayne Thayer via dev-security-policy
To close out this discussion, I've gone ahead with the proposed change,
including the addition of the requirement that the English language version
of the audit statement be an authoritative version:

https://github.com/mozilla/pkipolicy/commit/e4cc785367350a46fc839639a28a92bd17d542e3

- Wayne

On Thu, Apr 5, 2018 at 11:12 AM, Wayne Thayer  wrote:

> It has been pointed out to me that we should seek to create a policy that
> meets our needs without imposing a requirement for auditors to adopt the
> English language. For the CP/CPS, we address this concern by requiring a
> translation that "...must match the current version..."
>
> I am of the opinion that the proposed language has the same effect. By
> requiring AN authoritative English language version, we are not precluding
> other authoritative versions of the audit statement. We are only requiring
> that the English language version meet the definition of authoritative:
> "possessing recognized or evident authority: clearly accurate or knowledgeable"
>
> On Thu, Apr 5, 2018 at 3:22 AM, Adrian R. via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> Then we go back to: what's the point of becoming a globally-recognized CA
>> if you are not allowed by law to recognize as legal the English language
>> version?
>>
>> Some user from the other part of the world might not know YOUR local
>> language, but they are more likely to know English.
>>
>> A local country can simply issue legislation that XYZ Certification
>> Authority with certificate public key ##[...] is mandatory to
>> be recognized by everyone in the country and that's that. You don't really
>> need Mozilla / Microsoft / Apple to accept you as CA to operate.
>> You have to earn their (and their users') trust. One critical step to
>> earning this trust is having legally-binding, easy to understand documents.
>>
>> 
>> Adrian R.
>>
>> On Thursday, 5 April 2018 12:38:12 UTC+3, Buschart, Rufus  wrote:
>> > I would like to suggest to add the clause "if legally allowed" at the
>> end. I had some crazy discussions with colleagues in Russia and Québec
>> about documents in English.
>
>
> Rufus - do my comments above solve this problem?
>
>> > Also it should be added that the audit information must be publicly
>> > available in the Internet.
>
>
> Currently, Mozilla publishes audit reports if they aren't already publicly
> available on the internet - typically by asking the CA to attach them to a
> bug. Does that suffice? If not, we should discuss this as a separate new
> requirement.
>
>
>> The whole sentence would be:
>> >
>> > "The audit information MUST be publicly available in the Internet. An
>> English version MUST be provided. The English version MUST be authoritative
>> if legally possible under the jurisdiction of the CAs home country."
>> >
>>
>>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Policy 2.6 Proposal: Require English Language Audit Reports

2018-04-05 Thread Wayne Thayer via dev-security-policy
It has been pointed out to me that we should seek to create a policy that
meets our needs without imposing a requirement for auditors to adopt the
English language. For the CP/CPS, we address this concern by requiring a
translation that "...must match the current version..."

I am of the opinion that the proposed language has the same effect. By
requiring AN authoritative English language version, we are not precluding
other authoritative versions of the audit statement. We are only requiring
that the English language version meet the definition of authoritative:
"possessing recognized or evident authority: clearly accurate or knowledgeable"

On Thu, Apr 5, 2018 at 3:22 AM, Adrian R. via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Then we go back to: what's the point of becoming a globally-recognized CA
> if you are not allowed by law to recognize as legal the English language
> version?
>
> Some user from the other part of the world might not know YOUR local
> language, but they are more likely to know English.
>
> A local country can simply issue legislation that XYZ Certification
> Authority with certificate public key ##[...] is mandatory to
> be recognized by everyone in the country and that's that. You don't really
> need Mozilla / Microsoft / Apple to accept you as CA to operate.
> You have to earn their (and their users') trust. One critical step to
> earning this trust is having legally-binding, easy to understand documents.
>
> 
> Adrian R.
>
> On Thursday, 5 April 2018 12:38:12 UTC+3, Buschart, Rufus  wrote:
> > I would like to suggest to add the clause "if legally allowed" at the
> end. I had some crazy discussions with colleagues in Russia and Québec
> about documents in English.


Rufus - do my comments above solve this problem?

> > Also it should be added that the audit information must be publicly
> > available in the Internet.


Currently, Mozilla publishes audit reports if they aren't already publicly
available on the internet - typically by asking the CA to attach them to a
bug. Does that suffice? If not, we should discuss this as a separate new
requirement.


> The whole sentence would be:
> >
> > "The audit information MUST be publicly available in the Internet. An
> English version MUST be provided. The English version MUST be authoritative
> if legally possible under the jurisdiction of the CAs home country."
> >
>
>


Re: Policy 2.6 Proposal: Require English Language Audit Reports

2018-04-05 Thread Adrian R. via dev-security-policy
Then we go back to: what's the point of becoming a globally-recognized CA if 
you are not allowed by law to recognize as legal the English language version?

Some user from the other part of the world might not know YOUR local language, 
but they are more likely to know English.

A local country can simply issue legislation that XYZ Certification Authority 
with certificate public key ##[...] is mandatory to be recognized 
by everyone in the country and that's that. You don't really need Mozilla / 
Microsoft / Apple to accept you as CA to operate.
You have to earn their (and their users') trust. One critical step to earning 
this trust is having legally-binding, easy to understand documents.


Adrian R.

On Thursday, 5 April 2018 12:38:12 UTC+3, Buschart, Rufus  wrote:
> I would like to suggest to add the clause "if legally allowed" at the end. I 
> had some crazy discussions with colleagues in Russia and Québec about 
> documents in English. Also it should be added that the audit information must 
> be publicly available in the Internet. The whole sentence would be:
> 
> "The audit information MUST be publicly available in the Internet. An English 
> version MUST be provided. The English version MUST be authoritative if 
> legally possible under the jurisdiction of the CAs home country."
> 


RE: Policy 2.6 Proposal: Require English Language Audit Reports

2018-04-05 Thread Buschart, Rufus via dev-security-policy
I would like to suggest to add the clause "if legally allowed" at the end. I 
had some crazy discussions with colleagues in Russia and Québec about documents 
in English. Also it should be added that the audit information must be publicly 
available in the Internet. The whole sentence would be:

"The audit information MUST be publicly available in the Internet. An English 
version MUST be provided. The English version MUST be authoritative if legally 
possible under the jurisdiction of the CAs home country."

With best regards,
Rufus Buschart

Siemens AG
GS IT HR 7 4
Hugo-Junkers-Str. 9
90411 Nuernberg, Germany
Tel.: +49 1522 2894134
mailto:rufus.busch...@siemens.com

www.siemens.com/ingenuityforlife


-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+rufus.buschart=siemens@lists.mozilla.org]
 On Behalf Of Tim Hollebeek via dev-security-policy
Sent: Donnerstag, 5. April 2018 02:49
To: Ryan Hurst; mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Policy 2.6 Proposal: Require English Language Audit Reports

Call me crazy, but for this particular requirement, I think simple sentences 
might be better.

"The audit information MUST be publicly available.  An English version MUST be 
provided.  The English version MUST be authoritative."

-Tim

> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+tim.hollebeek=digicert@lists.mozilla.org] On Behalf Of Ryan
> Hurst via dev-security-policy
> Sent: Wednesday, April 4, 2018 7:19 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Policy 2.6 Proposal: Require English Language Audit 
> Reports
> 
> 
> > An authoritative English language version of the publicly-available 
> > audit information MUST be supplied by the Auditor.
> >
> > it would be helpful for auditors that issue reports in languages 
> > other than English to confirm that this won't create any issues.
> 
> That would address my concern.


RE: Policy 2.6 Proposal: Require English Language Audit Reports

2018-04-04 Thread Tim Hollebeek via dev-security-policy
Call me crazy, but for this particular requirement, I think simple sentences
might be better.

"The audit information MUST be publicly available.  An English version MUST
be provided.  The English version MUST be authoritative."

-Tim

> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+tim.hollebeek=digicert@lists.mozilla.org] On Behalf Of Ryan
> Hurst via dev-security-policy
> Sent: Wednesday, April 4, 2018 7:19 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Policy 2.6 Proposal: Require English Language Audit Reports
> 
> 
> > An authoritative English language version of the publicly-available
> > audit information MUST be supplied by the Auditor.
> >
> > it would be helpful for auditors that issue reports in languages other
> > than English to confirm that this won't create any issues.
> 
> That would address my concern.


Re: Policy 2.6 Proposal: Require English Language Audit Reports

2018-04-04 Thread Ryan Hurst via dev-security-policy

> An authoritative English language version of the publicly-available audit
> information MUST be supplied by the Auditor.
> 
> it would be helpful for auditors that issue reports in languages other than
> English to confirm that this won't create any issues.

That would address my concern.


Re: Policy 2.6 Proposal: Require English Language Audit Reports

2018-04-04 Thread Wayne Thayer via dev-security-policy
On Wed, Apr 4, 2018 at 2:46 PM, Ryan Hurst via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Wednesday, April 4, 2018 at 1:58:35 PM UTC-7, Wayne Thayer wrote:
> > Mozilla needs to be able to read audit reports in the English language
> > without relying on machine translations that may be inaccurate or
> > misleading.
> >
> > I suggest adding the following sentence to the end of policy section
> 3.1.4
> > “Public Audit Information”:
> >
> > An English language version of the publicly-available audit information
> > MUST be supplied by the Auditor.
> >
> > This is: https://github.com/mozilla/pkipolicy/issues/106
> >
> > ---
> >
> > This is a proposed update to Mozilla's root store policy for version
> > 2.6. Please keep discussion in this group rather than on GitHub. Silence
> > is consent.
> >
> > Policy 2.5 (current version):
> > https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md
>
> Should the text require the English version to be the authoritative
> version?
>

This makes sense, and is easy to add to the proposed statement:

An authoritative English language version of the publicly-available audit
information MUST be supplied by the Auditor.

It would be helpful for auditors that issue reports in languages other than
English to confirm that this won't create any issues.


Re: Policy 2.6 Proposal: Require English Language Audit Reports

2018-04-04 Thread Ryan Hurst via dev-security-policy
On Wednesday, April 4, 2018 at 1:58:35 PM UTC-7, Wayne Thayer wrote:
> Mozilla needs to be able to read audit reports in the English language
> without relying on machine translations that may be inaccurate or
> misleading.
> 
> I suggest adding the following sentence to the end of policy section 3.1.4
> “Public Audit Information”:
> 
> An English language version of the publicly-available audit information
> MUST be supplied by the Auditor.
> 
> This is: https://github.com/mozilla/pkipolicy/issues/106
> 
> ---
> 
> This is a proposed update to Mozilla's root store policy for version
> 2.6. Please keep discussion in this group rather than on GitHub. Silence
> is consent.
> 
> Policy 2.5 (current version):
> https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md

Should the text require the English version to be the authoritative version?