
Policy 2.6 Proposal: Require English Language Audit Reports


Wayne Thayer

Apr 4, 2018, 4:58:35 PM
to mozilla-dev-security-policy
Mozilla needs to be able to read audit reports in the English language
without relying on machine translations that may be inaccurate or
misleading.

I suggest adding the following sentence to the end of policy section 3.1.4
“Public Audit Information”:

An English language version of the publicly-available audit information
MUST be supplied by the Auditor.

This is: https://github.com/mozilla/pkipolicy/issues/106

-------

This is a proposed update to Mozilla's root store policy for version
2.6. Please keep discussion in this group rather than on GitHub. Silence
is consent.

Policy 2.5 (current version):
https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md

Ryan Hurst

Apr 4, 2018, 5:46:51 PM
to mozilla-dev-s...@lists.mozilla.org
Should the text require the English version to be the authoritative version?

Wayne Thayer

Apr 4, 2018, 7:18:06 PM
to Ryan Hurst, mozilla-dev-security-policy
On Wed, Apr 4, 2018 at 2:46 PM, Ryan Hurst via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> On Wednesday, April 4, 2018 at 1:58:35 PM UTC-7, Wayne Thayer wrote:
> Should the text require the English version to be the authoritative
> version?

This makes sense, and is easy to add to the proposed statement:

An authoritative English language version of the publicly-available audit
information MUST be supplied by the Auditor.

It would be helpful for auditors that issue reports in languages other than
English to confirm that this won't create any issues.

Ryan Hurst

Apr 4, 2018, 7:19:25 PM
to mozilla-dev-s...@lists.mozilla.org

> An authoritative English language version of the publicly-available audit
> information MUST be supplied by the Auditor.
>
> it would be helpful for auditors that issue report in languages other than
> English to confirm that this won't create any issues.

That would address my concern.

Tim Hollebeek

Apr 4, 2018, 8:49:39 PM
to Ryan Hurst, mozilla-dev-s...@lists.mozilla.org
Call me crazy, but for this particular requirement, I think simple sentences
might be better.

"The audit information MUST be publicly available. An English version MUST
be provided. The English version MUST be authoritative."

-Tim


Buschart, Rufus

Apr 5, 2018, 5:38:12 AM
to Tim Hollebeek, Ryan Hurst, mozilla-dev-s...@lists.mozilla.org
I would like to suggest adding the clause "if legally allowed" at the end. I had some crazy discussions with colleagues in Russia and Québec about documents in English. It should also be added that the audit information must be publicly available on the Internet. The whole sentence would be:

"The audit information MUST be publicly available in the Internet. An English version MUST be provided. The English version MUST be authoritative if legally possible under the jurisdiction of the CA's home country."

With best regards,
Rufus Buschart

Siemens AG
GS IT HR 7 4
Hugo-Junkers-Str. 9
90411 Nuernberg, Germany
Tel.: +49 1522 2894134
mailto:rufus.b...@siemens.com

www.siemens.com/ingenuityforlife


Adrian R.

Apr 5, 2018, 6:23:00 AM
to mozilla-dev-s...@lists.mozilla.org
Then we go back to: what's the point of becoming a globally-recognized CA if you are not allowed by law to recognize as legal the English language version?

Some user from the other part of the world might not know YOUR local language, but they are more likely to know English.

A local country can simply issue legislation that XYZ Certification Authority with certificate public key ##########[...]#### is mandatory to be recognized by everyone in the country and that's that. You don't really need Mozilla / Microsoft / Apple to accept you as a CA to operate.
You have to earn their (and their users') trust. One critical step to earning this trust is having legally-binding, easy-to-understand documents.

~~~~
Adrian R.

Wayne Thayer

Apr 5, 2018, 2:13:15 PM
to Adrian R., mozilla-dev-security-policy
It has been pointed out to me that we should seek to create a policy that
meets our needs without imposing a requirement for auditors to adopt the
English language. For the CP/CPS, we address this concern by requiring a
translation that "...must match the current version..."

I am of the opinion that the proposed language has the same effect. By
requiring AN authoritative English language version, we are not precluding
other authoritative versions of the audit statement. We are only requiring
that the English language version meet the definition of authoritative:
"possessing recognized or evident authority: clearly accurate or knowledgeable"

On Thu, Apr 5, 2018 at 3:22 AM, Adrian R. via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> On Thursday, 5 April 2018 12:38:12 UTC+3, Buschart, Rufus wrote:
> > I would like to suggest to add the clause "if legally allowed" at the
> > end. I had some crazy discussions with colleagues in Russia and Québec
> > about documents in English.

Rufus - do my comments above solve this problem?

> > Also it should be added that the audit information must be publicly
> > available in the Internet.


Currently, Mozilla publishes audit reports if they aren't already publicly
available on the internet - typically by asking the CA to attach them to a
bug. Does that suffice? If not, we should discuss this as a separate new
requirement.

Wayne Thayer

Apr 16, 2018, 6:27:01 PM
to mozilla-dev-security-policy
To close out this discussion, I've gone ahead with the proposed change,
including the addition of the requirement that the English language version
of the audit statement be an authoritative version:

https://github.com/mozilla/pkipolicy/commit/e4cc785367350a46fc839639a28a92bd17d542e3

- Wayne