> Ian G wrote re CPSs not available in English: > >> Which leads to the first easy fix: insist that all non-english CAs >> translate all their docs. Then I can read the CPS! I personally >> am unsatisfied at that, I see flaws. > >> 1. Frank has made the case for regional and local CAs. The web is >> wide, and CPSs are very long documents. So I think translating >> *all* important documents to english is not only impractical but >> also discriminatory, as non-english cultures (most of them) will >> then face a barrier that the english do not do not. > > I'll differ from you somewhat here. As a practical matter browser > vendors are a major audience for a CA's CPS, along with the CA's > auditor, possibly government agencies concerned with the CA's > operations, and whoever else might care to read it. I can understand > a CA issuing its CPS in the native language of the country in which > it operates; that's probably the best strategy to make sure the > document is properly understood by relevant government agencies and > by its auditors (if they're local). > > However if a CA doesn't offer an English translation of its CPS and > other relevant documents then it disadvantages browser vendors and > other application software vendors who might be interested in > supporting use of the CA's certificates. I don't support making it > mandatory that CAs provide an English version of the CPS, but I have > no problem with telling CAs that not having an English version will > likely cause delays with their application.
Perhaps, making such (discriminatory) criteria mandatory could still be better than enforcing it without stating it clearly. Our CA (Microsec Ltd, a leading CA in Hungary) submitted its inclusion request February 2007. https://bugzilla.mozilla.org/show_bug.cgi?id=370505 Our first public discussion phase was opened October 2008, http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/416427a350db11a9# this public discussion has been postponed, scheduled again and it seem to be postponed again. I think, only the language of our documentation remains the only open issue today. Had we known that in order to be accepted to Mozilla, we MUST/SHOULD submit either an English translation of our CPS/CPSs or we need to maintain our complete documentation in English, perhaps we would have made different decisions in the past two years. Our primary focus are electronic signatures; browsers and SSL certificates are a marginal issue for us. While submitting the English translation of a snapshot of our documentation may be impractical and costly, maintaining a complete documentation both in English and in Hungarian is a major investment that shall perhaps never be justified. Had we known that English documentation is a requirement, we could have chosen to fulfill it by submitting a translation, we could have sought other way to sell certificates accepted by Mozilla, or we could have decided to forget about the Mozilla-inclusion-issue and to advise the Hungarian public to use Explorer instead. Mozilla has the right to determine the requirements for including CAs, but if this is a requirement, then why it is not stated, why it is not public? Being a long-term Mozilla fan, I am really sorry to say that the same procedure at Microsoft was faster, much better defined, less ad hoc, and a lot more transparent. Regards, István _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
