On 12/12/08 20:39, Frank Hecker wrote:
Note that I have in fact reviewed various sections of the CPS and CP,
using Google Translate. I didn't see anything in them that was
inconsistent with what I've written above.
I find this fascinating. According to the policy, this works.
(Let me be clear: according to the what I see, SECOM passes muster, and
I am not commenting on them. This is comments on the wider scope of
things, and Mozilla's regime.)
But it seems to raise some questions (or emphasise ones made earlier).
I think there is a solution, but first to ramble some.
We can only see the document through the eyes of Google Translate. I'm
well aware of that tool, I use it all the time for documents, and it
isn't what I would call "reliable". "IMHO."
Which leaves us with a google-eye-view and a boilerplate audit report.
Well, ok: It leaves the *non-japanese-reader* with that. And it leaves
Mozilla's due diligence with that.
Switching to userland, my decision to rely on such a cert is based on
what? Nothing, because it is all in japanese or legalese? Or, it is
based on Mozo's DD, which was ... based on not much more.
Which leads to the first easy fix: insist that all non-english CAs
translate all their docs. Then I can read the CPS! I personally am
unsatisfied at that, I see flaws.
1. Frank has made the case for regional and local CAs. The web is
wide, and CPSs are very long documents. So I think translating *all*
important documents to english is not only impractical but also
discriminatory, as non-english cultures (most of them) will then face a
barrier that the english do not do not.
2. OTOH, we do have a Mozilla policy (unwritten perhaps) that all CAs
are the same. So I as end-user do not need to read the CPS in order to
pursue my dodgy trade, mozo did this for me... Whether we agree with
the substance of it or not, Mozo has to act as if it were true, because
it takes on such a heavy load in due diligence, and the UI does its best
to hide any DD info from the user. Which leaves only Mozo needing to
review the translated documents .... and only it? I can't see this
scaling either because of the next point.
3. CPSs are dynamic, or should be dynamic. OK, that's not quite true,
but it is true that threats are dynamic, and therefore security models
should be dynamic, and CPSs should respond alike. If one is really
interested in security, one would be unimpressed by controlled
translations, because the result would be static security (c.f., Boyd).
As I see it, mass translation doesn't scale.
A possible solution is an open end-user offer. I have before mentioned
that each CA should have a relying party agreement or similar; something
on offer to the mozo end-user. It should be the minimum, or default, or
entry-level document for the end-user. It should apply even if the user
never saw it, like an open source licence. It should set liabilities
between CA and end-user.
Now, if such a document were written by each CA, that would be a
*reasonable* target for translation. Indeed, it may work for mozo to say:
* you must have an end-user offer or RPA or similar
* it should be short and sweet and plain language
* it must have a reliable translation in english or be in english
* it must set a liability limit
* it must be prominent, easily available, unmistakable
CAs generally have these already, they are about 3 pages, they are not
impossible to read, and they don't change much. No real drama for
translation.
If such a thing existed in Mozo's policy, it would probably sweep away a
lot of the woes circling around the above situation.
iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
