On Thursday, 17 November 2016 at 19:20:05 UTC+8, Gervase Markham wrote:
> Hi Kathleen,
> 
> On 15/11/16 00:51, Kathleen Wilson wrote:
> > There were some recommendations to deny this request due to the
> > versioning problems between the English documents and the original
> > documents.
> > 
> > Do you all still feel that is the proper answer to this root
> > inclusion request?
> 
> As I understand it, what happened was as follows:
> 
> * As part of their application, GDCA provided both Chinese and English
> versions of their CP/CPS, posted to m.d.s.policy on 3rd August:
> 
> Chinese CP: http://www.gdca.com.cn/cp/cp
> Chinese CPS: http://www.gdca.com.cn/cps/cps
> English CP: https://bugzilla.mozilla.org/attachment.cgi?id=8650346
> English CPS: https://bugzilla.mozilla.org/attachment.cgi?id=8688749
> 
> (I don't immediately have URLs for their EV CP and CPS in Chinese or
> English from the original submission.)
> 
> * On 26th September, it was pointed out by Andrew Whalley that the
> English versions had lower version numbers than the Chinese versions
> (CP: 1.2 vs. 1.4; CPS: 4.1 vs 4.3)
> 
> * On 27th September, one day later, GDCA provided new English versions
> with the same version numbers as the Chinese versions:
> 
> CP V1.4: https://bugzilla.mozilla.org/attachment.cgi?id=8795090
> CPS V4.3: https://bugzilla.mozilla.org/attachment.cgi?id=8795091
> EV CP V1.2: https://bugzilla.mozilla.org/attachment.cgi?id=8795093
> EV CPS V1.3: https://bugzilla.mozilla.org/attachment.cgi?id=8795094
> 
> * It was pointed out by more than one person that there were significant
> content differences between the English and Chinese versions which were
> both labelled with the same version number
> 
> * GDCA said this was due to a "poor CP/CPS English translation" and on
> 28th October, provided new English versions (again) with the same
> version numbers
> 
> CP: https://bugzilla.mozilla.org/attachment.cgi?id=8805543
> CPS: https://bugzilla.mozilla.org/attachment.cgi?id=8805545
> EV CP: https://bugzilla.mozilla.org/attachment.cgi?id=8805546
> EV CPS: https://bugzilla.mozilla.org/attachment.cgi?id=8805547
> 
> What Mozilla has to decide is whether this was incompetence or malice.
> Were GDCA trying to hide something? If so, their inclusion must be in
> doubt. If they were not trying to hide something and just need a lesson
> in version control, that is not necessarily something which
> disqualifies, although it does give one concern.
> 
> Looking at the CPS (using pdf2txt and diff), the differences between the
> originally-submitted v4.1 and the first 4.3 are very minor. One
> intermediate certificate changes name throughout, as does the name of
> GDCA. Three certs in an appendix are replaced with others. Other than
> that, the only changes are these:
> 
> https://gist.github.com/gerv/fc311785c49c7fdfdfba78d6d5ad4aa9
> 
> This seems like an odd change, removing specificity about how domain
> validation is done. This change was _added_ to the Chinese version of
> 3.2.5 between 4.1 and 4.2, and moved to section 3.2.7 in version 4.3. So
> how does going from 4.1 to 4.3 in the English version lead to it being
> removed?

On 2015.8.20, we uploaded the English Version 4.1 to bugzilla for the first 
time, and section 3.2.5 was translated from the Chinese version CPS 4.1. 
On 2015.10.22, Kathleen pointed out that section 3.2.5 "Domain name 
recognition and identification" could not meet the requirements of Mozilla. 
Therefore, on 2015.11.17, we submitted a new English Version 4.1 with a modified 
section 3.2.5. 
However, due to the negligence of our employee, the English Version 4.3 
submitted on 2016.9.26 was revised based on the English version 4.1 of 2015.8.20. 
In the English Version 4.3 submitted on 2016.10.28, this mistake was found and 
fixed.
Regarding the question that "the Chinese version of 3.2.5 between 4.1 and 4.2 moved 
to section 3.2.7 in version 4.3", this is because we added section 3.2.5 
"Authentication of SSL Server Identity" and section 3.2.6 "Authentication of 
CodeSigning Identity". Accordingly, the former 3.2.5 became 3.2.7.

> 
> The differences between the first 4.3 and the second one are much more
> extensive.
> 
> So I'd say the questions for GDCA are these:
> 
> * When you were asked to produce a version of your CPS matching Chinese
> version 4.3, within a day you came up with:
> https://bugzilla.mozilla.org/attachment.cgi?id=8795091
> That clearly doesn't match Chinese version 4.3, and yet it has "version
> 4.3" written in it. And the effective date marked within it is one month
> _earlier_ than the effective date of the Chinese 4.3. How did this
> happen? How did such a document come to exist with such a version number
> and date attached, when it is so massively different from the real 4.3,
> and so similar to the previous 4.1?
> 
> * You say you only translated the relevant bits rather than all of it,
> which is why there is a discrepancy, but the diff between 4.1 and the
> first version of 4.3 reveals no additions, only one deletion. How does
> that fit?
GDCA takes security and governance seriously, and we have strict control over the 
Chinese version of the CP/CPS; all of its contents are disclosed. The Chinese 
versions of CPS 4.1, 4.2 and 4.3 are published on the official website, so we 
cannot cover up anything. There are three reasons for the confusion in the 
English versions: 1) The English versions did not have a version control or audit 
process, and we misunderstood that we only needed to provide the related chapters 
of the CP/CPS in English; 2) For fear of affecting the progress of the inclusion, we 
were eager to upload new English versions quickly, which resulted in some 
omissions, inconsistencies, etc. 3) During the translation period, our company 
name changed, some new root certificates and intermediate certificates were 
issued, point-in-time and period audits were made, and so on, so the Chinese versions 
were updated several times, but the employee responsible for the 
translation did not translate them into the English version in a timely manner. Now we 
strictly implement version control of the English version of the CP/CPS, and have sent the 
English versions to the auditor for review; the new versions will be published 
before next Tuesday 23:59.
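The checks Gerv describes above (diffing pdf2txt output of two CPS versions, comparing the claimed version number and effective date against the original, and tracking where a section moved) can be scripted so that a reviewer gets the same findings reproducibly. The following is an added example written for this page; it is not code from Gervase Markham, GDCA or Mozilla. The three sample documents, the `Version:` / `Effective Date:` header format, the section numbering and the date of the Chinese 4.3 are all constructed assumptions, and the text is assumed to have already been extracted from the PDFs (for example with pdf2txt) into plain strings.

```python
"""Added example (not from the thread, GDCA or Mozilla): sanity checks a
reviewer can run over text extracted from two CP/CPS PDFs before reading
the diff. All sample documents and dates below are constructed."""
import difflib
import re
from datetime import date

# Constructed sample: an earlier English version with specific validation text.
ENGLISH_V41 = """\
Certification Practice Statement
Version: 4.1
Effective Date: 2015-11-17

3.2.5 Domain name recognition and identification
The CA verifies that the applicant controls the domain name.
Verification is done by sending a random value to an administrative
email address of the domain and checking the value returned.
"""

# Constructed sample: a later document labelled 4.3 that only drops detail.
ENGLISH_V43_FIRST = """\
Certification Practice Statement
Version: 4.3
Effective Date: 2016-06-30

3.2.5 Domain name recognition and identification
The CA verifies that the applicant controls the domain name.
"""

# Constructed sample: a revision in which the domain section was renumbered.
ENGLISH_V43_SECOND = """\
Certification Practice Statement
Version: 4.3
Effective Date: 2016-07-31

3.2.5 Authentication of SSL Server Identity
The CA checks the identity of the SSL server certificate subscriber.
3.2.7 Domain name recognition and identification
The CA verifies that the applicant controls the domain name.
Verification is done by sending a random value to an administrative
email address of the domain and checking the value returned.
"""

# Constructed: the version and effective date the original (Chinese) 4.3 declares.
MASTER_VERSION = "4.3"
MASTER_DATE = date(2016, 7, 31)

VERSION_RE = re.compile(r"^Version:\s*(\d+(?:\.\d+)*)\s*$", re.M)
DATE_RE = re.compile(r"^Effective Date:\s*(\d{4})-(\d{2})-(\d{2})\s*$", re.M)
SECTION_RE = re.compile(r"^(\d+(?:\.\d+)+)\s+(\S.*)$")


def metadata(text):
    """Parse (version, effective_date) from the front matter; None when absent."""
    v = VERSION_RE.search(text)
    d = DATE_RE.search(text)
    return (v.group(1) if v else None,
            date(*map(int, d.groups())) if d else None)


def normalize(text):
    """Collapse whitespace and drop blank lines so PDF layout noise stays out of the diff."""
    return [" ".join(line.split()) for line in text.splitlines() if line.strip()]


def body(text):
    """Normalized lines from the first numbered heading onward (front matter excluded)."""
    lines = normalize(text)
    for i, line in enumerate(lines):
        if SECTION_RE.match(line):
            return lines[i:]
    return lines


def headings(text):
    """Map section title -> section number, used to spot renumbered sections."""
    return {m.group(2): m.group(1) for m in map(SECTION_RE.match, body(text)) if m}


def compare(old_text, new_text, expected_version, expected_date):
    """Check the new document's claimed version/date against what the master
    declares, and summarise what the body diff adds, removes and renumbers."""
    new_version, new_date = metadata(new_text)
    diff = list(difflib.unified_diff(body(old_text), body(new_text),
                                     "old", "new", n=0, lineterm=""))
    old_h, new_h = headings(old_text), headings(new_text)
    return {
        "claimed_version": new_version,
        "version_matches_expected": new_version == expected_version,
        # A translation dated before the master it claims to match is a red flag.
        "predates_expected": new_date is not None and new_date < expected_date,
        "added": sum(1 for ln in diff if ln.startswith("+") and not ln.startswith("+++")),
        "removed": sum(1 for ln in diff if ln.startswith("-") and not ln.startswith("---")),
        "renumbered": {t: (old_h[t], new_h[t]) for t in old_h
                       if t in new_h and old_h[t] != new_h[t]},
        "diff": diff,
    }


if __name__ == "__main__":
    for name, new in (("first 4.3", ENGLISH_V43_FIRST), ("second 4.3", ENGLISH_V43_SECOND)):
        result = compare(ENGLISH_V41, new, MASTER_VERSION, MASTER_DATE)
        print(name, {k: v for k, v in result.items() if k != "diff"})
        print("\n".join(result["diff"]))
```

Diffing only the body keeps the changed version and date lines out of the added/removed counts, so a document that merely drops text shows up as "removed N, added 0", and the title-to-number map answers the "where did 3.2.5 go" question directly. Real pdf2txt output usually needs more normalization (hyphenation, page headers) before the diff is readable.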


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy