
Policy Update Proposal: Require full CP/CPS in English


Kathleen Wilson

Nov 19, 2015, 8:01:05 PM
to mozilla-dev-s...@lists.mozilla.org
I would like to discuss this proposal[1] next:

- (D26) Add a requirement for CAs to provide English-translated versions
of their complete CP / CPS

I think we would have to narrow it down a bit, because some CAs have
several CP/CPS documents for their various product offerings, not
related to SSL or S/MIME certs.

So, how about if we add a bullet point to section 6 of the Inclusion
policy, which currently starts as follows.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
~~
6. We require that all CAs whose certificates are distributed with our
software products:
- provide some service relevant to typical users of our software products;
- publicly disclose information about their policies and business
practices (e.g., in a Certificate Policy and Certification Practice
Statement);
~~

Insert 3rd bullet point:
"- translate into English the Certificate Policy and Certification
Practice Statement documents pertaining to the certificates to be
included and the trust bits to be enabled;"

I will appreciate recommendations about how to improve this proposed update.

Is this a reasonable requirement to add?

Are there any arguments against adding this requirement that we should
consider?


Thanks,
Kathleen

[1] https://wiki.mozilla.org/CA:CertificatePolicyV2.3

Matt Palmer

Nov 19, 2015, 9:23:08 PM
to dev-secur...@lists.mozilla.org
On Thu, Nov 19, 2015 at 05:00:03PM -0800, Kathleen Wilson wrote:
> Insert 3rd bullet point:
> "- translate into English the Certificate Policy and Certification Practice
> Statement documents pertaining to the certificates to be included and the
> trust bits to be enabled;"
>
> I will appreciate recommendations about how to improve this proposed update.

Some wording to require CAs to acknowledge that this translation is not
merely informative, but in fact a binding agreement with the Internet
community, would be useful. I can easily imagine a CA claiming, in the
event of a breach of the CPS, that the "authoritative" version, in an
alternate language, doesn't describe things in quite the same way, and so
isn't a breach.

> Is this a reasonable requirement to add?

I think it is. The working language of the technical Internet (and this
list) is, for better or worse, English, and ensuring that the core
documentation of a CA's agreement with the Internet community is consumable
by the largest possible number of interested parties is an important goal.

- Matt

David E. Ross

Nov 20, 2015, 11:06:58 AM
to mozilla-dev-s...@lists.mozilla.org
Note: Airline pilots and air-traffic controllers involved with
international flights are required to be sufficiently proficient in
English so that all air-traffic control communications are in English.
Thus, while this requirement for CP/CPS might seem ethnocentric, it has
a precedent.

How about:
> - provide authoritative, binding English translations of the
> Certificate Policy and Certification Practice Statement documents
> pertaining to the certificates to be included and the trust bits to
> be enabled;

--
David E. Ross

The Crimea is Putin's Sudetenland.
The Ukraine will be Putin's Czechoslovakia.
See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>.

Richard Barnes

Nov 20, 2015, 11:12:11 AM
to Matt Palmer, dev-secur...@lists.mozilla.org
On Thu, Nov 19, 2015 at 6:22 PM, Matt Palmer <mpa...@hezmatt.org> wrote:

> On Thu, Nov 19, 2015 at 05:00:03PM -0800, Kathleen Wilson wrote:
> > Insert 3rd bullet point:
> > "- translate into English the Certificate Policy and Certification
> Practice
> > Statement documents pertaining to the certificates to be included and the
> > trust bits to be enabled;"
> >
> > I will appreciate recommendations about how to improve this proposed
> update.
>
> Some wording to require CAs to acknowledge that this translation is not
> merely informative, but in fact a binding agreement with the Internet
> community, would be useful. I can easily imagine a CA claiming, in the
> event of a breach of the CPS, that the "authoritative" version, in an
> alternate language, doesn't describe things in quite the same way, and so
> isn't a breach.
>
> > Is this a reasonable requirement to add?
>
> I think it is. The working language of the technical Internet (and this
> list)


The latter is the important thing here: This is the community that is
evaluating and making decisions based on these documents, so the
commitments in them need to be intelligible to us.

--Richard


> is, for better or worse, English, and ensuring that the core
> documentation of a CA's agreement with the Internet community is consumable
> by the largest possible number of interested parties is an important goal.
>
> - Matt
>
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>

Chris Hofmann

Nov 20, 2015, 11:59:51 AM
to Richard Barnes, Matt Palmer, dev-secur...@lists.mozilla.org
On Fri, Nov 20, 2015 at 8:12 AM, Richard Barnes <rba...@mozilla.com> wrote:

> On Thu, Nov 19, 2015 at 6:22 PM, Matt Palmer <mpa...@hezmatt.org> wrote:
>
> > On Thu, Nov 19, 2015 at 05:00:03PM -0800, Kathleen Wilson wrote:
> > > Insert 3rd bullet point:
> > > "- translate into English the Certificate Policy and Certification
> > Practice
> > > Statement documents pertaining to the certificates to be included and
> the
> > > trust bits to be enabled;"
> > >
> > > I will appreciate recommendations about how to improve this proposed
> > update.
> >
> > Some wording to require CAs to acknowledge that this translation is not
> > merely informative, but in fact a binding agreement with the Internet
> > community, would be useful. I can easily imagine a CA claiming, in the
> > event of a breach of the CPS, that the "authoritative" version, in an
> > alternate language, doesn't describe things in quite the same way, and so
> > isn't a breach.
> >
> > > Is this a reasonable requirement to add?
> >
> > I think it is. The working language of the technical Internet (and this
> > list)
>
>
> The latter is the important thing here: This is the community that is
> evaluating and making decisions based on these documents, so the
> commitments in them need to be intelligible to us.
>
> --Richard
>
>
This is a hard problem, but it cuts both ways. The community that is
executing the commitments also needs to have intelligible documents
that can be shared and understood among all who could participate
in the process of delivering and protecting certificates.

For this to really work well we should attempt to have good translations
in both directions, understanding that this is hard.

The airline example is a good one, but those communications have
a critical time constraint, e.g. "I must land my plane now!"

With the content we are talking about, it's probably more important
to get the content right, and understandable by all parties involved,
than it is to do it fast and on a time-critical timeline.

It might be worth identifying some sections of the operational
requirements that need to have good translations in order to reduce
the chances of injecting human error due to participants in the process
not understanding and communicating responsibilities correctly.

It's probably these human errors that we've seen show up
that need to have the most attention, and we don't want
the human errors to be compounded by the fact that the
instructions were not in a language that was well understood.

Our Mozilla translation community might also be a helpful part
of this, as a sanity check and review to see if the language
in both translation directions is effective and matching
in intent.

-chofmann

Varga Viktor

Mar 1, 2016, 4:34:49 PM
to mozilla-dev-s...@lists.mozilla.org
I just want to ask: isn't the PDS enough for this?

119411-1 (319411-1) says you need to publish a PKI Disclosure Statement (PDS).
119411-2 (319411-2) references 119412-5 for certificate profiles.

119412-5 (319412-5) says in section 5, Requirements on QCStatements in EU qualified certificates, in the last row of the table, that you need to have at least one reference to an English PDS.

So if it is mandatory for qualified certificates, why not extend it to all root certs and usages?

I think nearly nobody reads through a CP or CPS, but the PDS gives a reasonable view for a customer, and most of the CAs already have it in English.

regards. Viktor Varga

Ryan Sleevi

Mar 1, 2016, 5:09:59 PM
to mozilla-dev-s...@lists.mozilla.org
For matters of inclusion, renewals, or violations, we absolutely read through the CP and CPS quite thoroughly, as these practices are all of direct relevance to the broader Internet community.

To that end, a PDS is frequently insufficient, and only relevant to qualified certificates, which are themselves not something worth emulating :)

Varga Viktor

Mar 25, 2016, 5:53:37 AM
to Ryan Sleevi, mozilla-dev-s...@lists.mozilla.org
Dear Ryan,

You are right. For audit or inclusion, maybe it's needed.

I am 100% sure, that only users with auditor attitude are reading our CP or CPSes, none of the customers.

regards.
Viktor Varga
Netlock
