On Thursday, October 27, 2016 at 3:22:03 AM UTC-7, wangs...@gmail.com wrote:
> On Thursday, October 27, 2016 at 8:09:06 AM UTC+8, Peter Kurrasch wrote:
> > I think these are both good points and my recommendation is that Mozilla
> > deny GDCA's request for inclusion.
> >
> > We should not have to explain something as basic as document versioning and
> > version control. If GDCA can not demonstrate sufficient controls over their
> > documentation, there is no reason for the Internet community to place
> > confidence in any of the other versioning systems that are needed to
> > operate a CA.
> >
> > Question: Are auditors expected to review translations of CP or CPS docs
> > and verify consistency between them?
> >
> > From: Jakob Bohm
> > Sent: Saturday, October 22, 2016 9:07 AM
> > To: mozilla-dev-s...@lists.mozilla.org
> > Subject: Re: Guang Dong Certificate Authority (GDCA) root inclusion request
> >
> > On 21/10/2016 10:38, Han Yuwei wrote:
> > >
> > > I think this is a major mistake and an investigation should be conducted
> > > for CPS is a critical document about CA. This is not just a translation
> > > problem but a version control problem. Sometimes it can be lying.
> > >
> >
> > Let me try to be more specific:
> >
> > When publishing a document called CPS version 4.3 the document with
> > that number must have the same contents in all languages that have a
> > document with that name and version number.
> >
> > When making any change, even just correcting a mistyped URL, the
> > document becomes a new document version which should have a new and
> > larger number than the number of the document before the change.
> > Thus when a published document refers to a broken URL on your own
> > server, it is often cheaper to repair the server than to publish a new
> > document version. Some of the oldest CAs have been proudly
> > publishing their various important files at multiple URLs corresponding
> > to whatever was mentioned in old CP and CPS documents etc., only
> > shutting down those URLs years after the corresponding CA roots were
> > shut down.
> >
> > There can also be a "draft" document which has no number and which
> > contains the changes that will go into the next numbered edition. Such
> > a "draft" would have no official significance, as it has not been
> > officially "published". For a well-planned change, the final "draft"
> > would be translated and checked into the relevant languages (e.g.
> > Chinese with mainland writing system, Chinese with Hong Kong and Macao
> > Special Administrative Regions old writing system, English), before
> > simultaneously publishing the matching documents with the same number
> > on the same day.
> >
> > There are infinitely many version numbers in the universe to choose
> > from. There are also computer programs that can generate new version
> > numbers every time a draft is changed, but computers cannot decide when
> > a version is good enough in all languages to make an official
> > publication, and the computer generated version numbers are often
> > impractical for publication because they count all the small steps that
> > were not published.
> >
> >
> > Enjoy
> >
> > Jakob
> > --
> > Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> > Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> > This public discussion message is non-binding and may contain errors.
> > WiseMo - Remote Service Management for PCs, Phones and Embedded
> > _______________________________________________
> > dev-security-policy mailing list
> > dev-secur...@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy
>
> We’d like to explain a few points.
>
> 1. We have already implemented version control on Chinese version CP/CPS, the
> revision and release of CP/CPS are reviewed and approved by the security
> policy committee (see section 1.5 in CP/CPS). The Chinese version CP/CPS is
> also reviewed by our auditor.
>
> 2. The Chinese version CP/CPS is the formal documents we published in our
> Website. In the initial phase of "Bug 1128392", we have submitted the Chinese
> version CP/CPS to Mozilla, and Mozilla released a basic review list in file
> "1128392-CAInformation.pdf" which contains instructions for us to submit some
> chapters of the CP/CPS in English version. We are not able to provide an
> accurate English version CP/CPS, but we will do our best to finish this
> translation and upload for reviewing process. We will upload the new English
> version CP/CPS for reference ASAP. However the English version CP/CPS should
> not be considered as formal documents. In case of any discrepancy between two
> versions, the Chinese version shall prevail.
>
> 3. Our auditor only reviews the Chinese version CP/CPS. It is not their
> responsibility to confirm the translated English versions.

According to Peter,

"I reviewed the annual audit reports linked in your email, including the auditor's opinion and the management assertions.

Good:
- The reports and management assertion include an English language version
- The English versions are authoritative (no qualification the Chinese language version holds in case of conflict)"

This contradicts your assertion that "We are not able to provide an accurate English version CP/CPS, but we will do our best to finish this translation and upload for reviewing process. We will upload the new English version CP/CPS for reference ASAP. However the English version CP/CPS should not be considered as formal documents. In case of any discrepancy between two versions, the Chinese version shall prevail."