It has been pointed out to me that we should seek to create a policy that
meets our needs without imposing a requirement for auditors to adopt the
English language. For the CP/CPS, we address this concern by requiring a
translation that "...must match the current version..."
I am of the opinion that the proposed language has the same effect. By
requiring AN authoritative English language version, we are not precluding
other authoritative versions of the audit statement. We are only requiring
that the English language version meet the definition of
authoritative: "possessing recognized or evident authority: clearly
accurate or knowledgeable"
On Thu, Apr 5, 2018 at 3:22 AM, Adrian R. via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:
> Then we go back to: what's the point of becoming a globally-recognized CA
> if you are not allowed by law to recognize as legal the English language
> version?
>
> Some user from the other part of the world might not know YOUR local
> language, but they are more likely to know English.
>
> A local country can simply issue legislation that XYZ Certification
> Authority with certificate public key ##########[...]#### is mandatory to
> be recognized by everyone in the country and that's that. You don't really
> need Mozilla / Microsoft / Apple to accept you as CA to operate.
> You have to earn their (and their users') trust. One critical step to
> earning this trust is having legally-binding, easy to understand documents.
>
> ~~~~
> Adrian R.
>
> On Thursday, 5 April 2018 12:38:12 UTC+3, Buschart, Rufus wrote:
> > I would like to suggest to add the clause "if legally allowed" at the
> > end. I had some crazy discussions with colleagues in Russia and Québec
> > about documents in English.
Rufus - do my comments above solve this problem?
> > Also it should be added that the audit information must be publicly
> > available in the Internet.
Currently, Mozilla publishes audit reports if they aren't already publicly
available on the internet - typically by asking the CA to attach them to a
bug. Does that suffice? If not, we should discuss this as a separate new
requirement.