Re: DFN-Verein: CPS/CP link in CCADB not in English
It was our assessment when adding data to CCADB that Mozilla would be interested in the authoritative documents in CCADB and requires English (non-authoritative) translations to be readily available (“provided”) on our websites and upon request. The CCADB policy states in chapter 5 that URLs for CP and CPS shall be added to CCADB. Several paragraphs below, it is stated that “CAs must provide English versions of any Certificate Policy, Certification Practice Statement…”, which does not specify exactly how these English versions shall be provided. English translations have been provided on the webpages at the location stated in DFN-PKI’s CP, chapter 2.2 (Publication of Certification Information), for several years. Therefore we are also of the opinion that we did not violate the CCADB policy.

Because the English language versions benefit the community, the links were changed in the CCADB on March 19, 2020.

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: DFN-Verein: CPS/CP link in CCADB not in English
On Thu, Mar 19, 2020 at 7:06 PM Matt Palmer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Thu, Mar 19, 2020 at 12:33:29PM -0400, Ryan Sleevi wrote:
> > I'm not sure an incident report is necessary. The CCADB policy allows both
> > to be provided, and the mechanisms that CCADB uses (both for CAs and for
> > Root Stores) permit a host of expressiveness (and further changes are being
> > made).
>
> I guess we're working on different meanings for "provide", in this
> sentence of the CCADB policy:
>
> > CAs must provide English versions of any Certificate Policy, Certification
> > Practice Statement and Audit documents which are not originally in English
>
> The way I was looking at it was that a CPS is "provided" to the CCADB by
> linking to it. If a translated CPS exists, but it isn't linked to from the
> CCADB (or, as far as I can tell, anywhere sensible on the CA's site), can it
> really be said to have been "provided"? Especially when (as is the case for
> DFN-Verein) the cert itself doesn't include cPSuri, indicating where the CPS
> repository even is?

No, we’re using the same meaning. There’s just many more fields and ways for a CA to provide a CP/CPS, and even these methods are undergoing some changes (e.g. to account for CAs that may have dozens of CP/CPSes associated with a root).

> Perhaps the CCADB needs to be augmented, to specifically include an "English
> language version" of CP/CPS/Audit statements?

That’s a perfectly reasonable suggestion, but also note that, as with above, there’s active development going on in terms of how CP/CPSes are represented and linked to CAs.

> > This is something that the proposed Browser Alignment ballots in the CA/B
> > Forum,
> > https://github.com/cabforum/documents/compare/master...sleevi:2019-10-Browser_Alignment
> > , would address. It incorporates the Mozilla Policy, Microsoft Policy, and
> > CCADB policy within the BRs itself.
> >
> > In that branch, see the revised Section 8.6
>
> As far as I can see, s8.6 only discussed audit reports, not CP/CPS. Which
> is fine and necessary, but when I'm trying to figure out where to send
> "y'all have a pile of certs that need revoking because your customers leave
> their keys on pastebin" e-mails, a CPS that I can read is what I need.

D’oh! You’re entirely right! That should have been added to Section 2.2, and is an oversight on my part. I’ll make sure to fix that. Thanks for bringing up this issue :)
Re: DFN-Verein: CPS/CP link in CCADB not in English
On Thu, Mar 19, 2020 at 12:33:29PM -0400, Ryan Sleevi wrote:
> I'm not sure an incident report is necessary. The CCADB policy allows both
> to be provided, and the mechanisms that CCADB uses (both for CAs and for
> Root Stores) permit a host of expressiveness (and further changes are being
> made).

I guess we're working on different meanings for "provide", in this sentence of the CCADB policy:

> CAs must provide English versions of any Certificate Policy, Certification
> Practice Statement and Audit documents which are not originally in English

The way I was looking at it was that a CPS is "provided" to the CCADB by linking to it. If a translated CPS exists, but it isn't linked to from the CCADB (or, as far as I can tell, anywhere sensible on the CA's site), can it really be said to have been "provided"? Especially when (as is the case for DFN-Verein) the cert itself doesn't include cPSuri, indicating where the CPS repository even is?

Perhaps the CCADB needs to be augmented, to specifically include an "English language version" of CP/CPS/Audit statements?

> This is something that the proposed Browser Alignment ballots in the CA/B
> Forum,
> https://github.com/cabforum/documents/compare/master...sleevi:2019-10-Browser_Alignment
> , would address. It incorporates the Mozilla Policy, Microsoft Policy, and
> CCADB policy within the BRs itself.
>
> In that branch, see the revised Section 8.6

As far as I can see, s8.6 only discussed audit reports, not CP/CPS. Which is fine and necessary, but when I'm trying to figure out where to send "y'all have a pile of certs that need revoking because your customers leave their keys on pastebin" e-mails, a CPS that I can read is what I need.

- Matt
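Matt's remark that the certificate itself carries no cPSuri can be checked mechanically: the CPS pointer lives as a policy qualifier (id-qt-cps, OID 1.3.6.1.5.5.7.2.1) inside the certificatePolicies extension. The following is an added example, not code from the thread or from DFN-Verein; it walks a DER-encoded certificatePolicies value and collects any CPS URI, and the sample extension bytes (policy OID anyPolicy, URI https://ca.example/cps.pdf) are constructed in the code rather than taken from a real certificate.

```python
# Added example, not code from the thread: locate the CPS pointer qualifier
# (id-qt-cps, OID 1.3.6.1.5.5.7.2.1) in a DER-encoded certificatePolicies value.
ID_QT_CPS = bytes.fromhex("2b06010505070201")  # 1.3.6.1.5.5.7.2.1
ANY_POLICY = bytes.fromhex("551d2000")         # 2.5.29.32.0, sample policyIdentifier


def _tlv(tag, body):
    """Encode one DER element; long form covers bodies up to 65535 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    k = 1 + (n > 0xFF)                         # number of length octets
    return bytes([tag, 0x80 + k]) + n.to_bytes(k, "big") + body


def _elements(der):
    """Yield (tag, value) for each consecutive DER element in a byte string."""
    i = 0
    while i < len(der):
        tag, first = der[i], der[i + 1]
        if first < 0x80:
            n, i = first, i + 2
        else:
            k = first & 0x7F
            n, i = int.from_bytes(der[i + 2:i + 2 + k], "big"), i + 2 + k
        yield tag, der[i:i + n]
        i += n


def cps_uris(cert_policies_der):
    """Return every CPS URI qualifier in a certificatePolicies extension value."""
    uris = []
    _, policies = next(_elements(cert_policies_der))   # outer SEQUENCE OF
    for _, info in _elements(policies):                # each PolicyInformation
        parts = list(_elements(info))
        if len(parts) < 2:
            continue                                   # policyQualifiers absent
        for _, qualifier in _elements(parts[1][1]):    # each PolicyQualifierInfo
            q = list(_elements(qualifier))
            if len(q) == 2 and q[0][1] == ID_QT_CPS and q[1][0] == 0x16:  # IA5String
                uris.append(q[1][1].decode("ascii"))
    return uris


def build_policies(policy_oid, cps_uri=None):
    """Construct a certificatePolicies value with or without a CPS pointer."""
    qualifiers = b""
    if cps_uri is not None:
        info = _tlv(0x06, ID_QT_CPS) + _tlv(0x16, cps_uri.encode("ascii"))
        qualifiers = _tlv(0x30, _tlv(0x30, info))
    return _tlv(0x30, _tlv(0x30, _tlv(0x06, policy_oid) + qualifiers))


# Constructed sample, not a real certificate: one policy carrying a CPS pointer.
WITH_CPS = build_policies(ANY_POLICY, "https://ca.example/cps.pdf")
```

An extension built with `build_policies(ANY_POLICY)` (policy OID only, as in the case Matt describes) yields an empty list, which is exactly the situation where the CCADB link is the only route to the CPS.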
Re: DFN-Verein: CPS/CP link in CCADB not in English
Matt,

I'm not sure an incident report is necessary. The CCADB policy allows both to be provided, and the mechanisms that CCADB uses (both for CAs and for Root Stores) permit a host of expressiveness (and further changes are being made). While there is certainly benefit in highlighting the English language versions, the CCADB policy does not preclude other languages.

This is something that the proposed Browser Alignment ballots in the CA/B Forum, https://github.com/cabforum/documents/compare/master...sleevi:2019-10-Browser_Alignment , would address. It incorporates the Mozilla Policy, Microsoft Policy, and CCADB policy within the BRs itself.

In that branch, see the revised Section 8.6

On Thu, Mar 19, 2020 at 7:58 AM Matt Palmer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Thu, Mar 19, 2020 at 11:10:05AM +, arnold.ess...@t-systems.com wrote:
> > Thanks for pointing it out. We changed the links so that they now refer
> > to the English version of the CP and CPS.
>
> Thanks for the quick update. Do you have an ETA for the preliminary
> incident report?
>
> - Matt
Re: DFN-Verein: CPS/CP link in CCADB not in English
On Thu, Mar 19, 2020 at 11:10:05AM +, arnold.ess...@t-systems.com wrote:
> Thanks for pointing it out. We changed the links so that they now refer
> to the English version of the CP and CPS.

Thanks for the quick update. Do you have an ETA for the preliminary incident report?

- Matt
Re: DFN-Verein: CPS/CP link in CCADB not in English
Thanks for pointing it out. We changed the links so that they now refer to the English version of the CP and CPS.

-----Original Message-----
From: dev-security-policy On Behalf Of Matt Palmer via dev-security-policy
Sent: Thursday, 19 March 2020 10:56
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: DFN-Verein: CPS/CP link in CCADB not in English

As I understand the CCADB Policy (which is included by reference in the Mozilla Root Store Policy), CAs are required to provide an English translation of their CP/CPS documents, and link to them in the CCADB.

At the time of writing, the "AllCertificateRecordsReport" CSV shows the link for the "DFN-Verein Certification Authority 2" CP as being https://www.pki.dfn.de/fileadmin/PKI/DFN-PKI_CP.pdf, which at present loads a non-English PDF. Similarly, the link for that same CA's CPS is https://www.pki.dfn.de/fileadmin/PKI/DFN-PKI_CPS.pdf, which is also a non-English document.

What is the procedure for poking DFN-Verein (or their parent CA, T-TeleSec) to get them to provide links to suitably translated documents?

- Matt
DFN-Verein: CPS/CP link in CCADB not in English
As I understand the CCADB Policy (which is included by reference in the Mozilla Root Store Policy), CAs are required to provide an English translation of their CP/CPS documents, and link to them in the CCADB.

At the time of writing, the "AllCertificateRecordsReport" CSV shows the link for the "DFN-Verein Certification Authority 2" CP as being https://www.pki.dfn.de/fileadmin/PKI/DFN-PKI_CP.pdf, which at present loads a non-English PDF. Similarly, the link for that same CA's CPS is https://www.pki.dfn.de/fileadmin/PKI/DFN-PKI_CPS.pdf, which is also a non-English document.

What is the procedure for poking DFN-Verein (or their parent CA, T-TeleSec) to get them to provide links to suitably translated documents?

- Matt