On Thu, Mar 19, 2020 at 7:06 PM Matt Palmer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On Thu, Mar 19, 2020 at 12:33:29PM -0400, Ryan Sleevi wrote:
> > I'm not sure an incident report is necessary. The CCADB policy allows both
> > to be provided, and the mechanisms that CCADB uses (both for CAs and for
> > Root Stores) permit a host of expressiveness (and further changes are being
> > made).
>
> I guess we're working on different meanings for "provide", in this
> sentence of the CCADB policy:
>
> > CAs must provide English versions of any Certificate Policy, Certification
> > Practice Statement and Audit documents which are not originally in English
>
> The way I was looking at it was that a CPS is "provided" to the CCADB by
> linking to it. If a translated CPS exists, but it isn't linked to from the
> CCADB (or, as far as I can tell, anywhere sensible on the CA's site), can it
> really be said to have been "provided"? Especially when (as is the case for
> DFN-Verein) the cert itself doesn't include cPSuri, indicating where the CPS
> repository even is?

No, we’re using the same meaning. There’s just many more fields and ways for a CA to provide a CP/CPS, and even these methods are undergoing some changes (e.g. to account for CAs that may have dozens of CP/CPSes associated with a root).

> Perhaps the CCADB needs to be augmented, to specifically include an "English
> language version" of CP/CPS/Audit statements?

That’s a perfectly reasonable suggestion, but also note that, as with above, there’s active development going on in terms of how CP/CPSes are represented and linked to CAs.

> > This is something that the proposed Browser Alignment ballots in the CA/B
> > Forum,
> > https://github.com/cabforum/documents/compare/master...sleevi:2019-10-Browser_Alignment
> > ,
> > would address. It incorporates the Mozilla Policy, Microsoft Policy, and
> > CCADB policy within the BRs itself.
> >
> > In that branch, see the revised Section 8.6
>
> As far as I can see, s8.6 only discussed audit reports, not CP/CPS. Which
> is fine and necessary, but when I'm trying to figure out where to send
> "y'all have a pile of certs that need revoking because your customers leave
> their keys on pastebin" e-mails, a CPS that I can read is what I need.

D’oh! You’re entirely right! That should have been added to Section 2.2, and is an oversight on my part. I’ll make sure to fix that. Thanks for bringing up this issue :)

> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy