Re: DFN-Verein: CPS/CP link in CCADB not in English
On Thu, Mar 19, 2020 at 7:06 PM Matt Palmer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Thu, Mar 19, 2020 at 12:33:29PM -0400, Ryan Sleevi wrote:
> > I'm not sure an incident report is necessary. The CCADB policy allows both
> > to be provided, and the mechanisms that CCADB uses (both for CAs and for
> > Root Stores) permit a host of expressiveness (and further changes are being
> > made).
>
> I guess we're working on different meanings for "provide", in this
> sentence of the CCADB policy:
>
> > CAs must provide English versions of any Certificate Policy, Certification
> > Practice Statement and Audit documents which are not originally in English
>
> The way I was looking at it was that a CPS is "provided" to the CCADB by
> linking to it. If a translated CPS exists, but it isn't linked to from the
> CCADB (or, as far as I can tell, anywhere sensible on the CA's site), can it
> really be said to have been "provided"? Especially when (as is the case for
> DFN-Verein) the cert itself doesn't include cPSuri, indicating where the CPS
> repository even is?

No, we're using the same meaning. There are just many more fields and ways for a CA to provide a CP/CPS, and even these methods are undergoing some changes (e.g. to account for CAs that may have dozens of CP/CPSes associated with a root).

> Perhaps the CCADB needs to be augmented, to specifically include an "English
> language version" of CP/CPS/Audit statements?

That's a perfectly reasonable suggestion, but also note that, as with above, there's active development going on in terms of how CP/CPSes are represented and linked to CAs.

> > This is something that the proposed Browser Alignment ballots in the CA/B
> > Forum,
> > https://github.com/cabforum/documents/compare/master...sleevi:2019-10-Browser_Alignment
> > ,
> > would address. It incorporates the Mozilla Policy, Microsoft Policy, and
> > CCADB policy within the BRs itself.
> >
> > In that branch, see the revised Section 8.6
>
> As far as I can see, s8.6 only discussed audit reports, not CP/CPS. Which
> is fine and necessary, but when I'm trying to figure out where to send
> "y'all have a pile of certs that need revoking because your customers leave
> their keys on pastebin" e-mails, a CPS that I can read is what I need.

D'oh! You're entirely right! That should have been added to Section 2.2, and is an oversight on my part. I'll make sure to fix that.

Thanks for bringing up this issue :)

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: DFN-Verein: CPS/CP link in CCADB not in English
On Thu, Mar 19, 2020 at 12:33:29PM -0400, Ryan Sleevi wrote:
> I'm not sure an incident report is necessary. The CCADB policy allows both
> to be provided, and the mechanisms that CCADB uses (both for CAs and for
> Root Stores) permit a host of expressiveness (and further changes are being
> made).

I guess we're working on different meanings for "provide", in this sentence of the CCADB policy:

> CAs must provide English versions of any Certificate Policy, Certification
> Practice Statement and Audit documents which are not originally in English

The way I was looking at it was that a CPS is "provided" to the CCADB by linking to it. If a translated CPS exists, but it isn't linked to from the CCADB (or, as far as I can tell, anywhere sensible on the CA's site), can it really be said to have been "provided"? Especially when (as is the case for DFN-Verein) the cert itself doesn't include cPSuri, indicating where the CPS repository even is?

Perhaps the CCADB needs to be augmented, to specifically include an "English language version" of CP/CPS/Audit statements?

> This is something that the proposed Browser Alignment ballots in the CA/B
> Forum,
> https://github.com/cabforum/documents/compare/master...sleevi:2019-10-Browser_Alignment
> ,
> would address. It incorporates the Mozilla Policy, Microsoft Policy, and
> CCADB policy within the BRs itself.
>
> In that branch, see the revised Section 8.6

As far as I can see, s8.6 only discussed audit reports, not CP/CPS. Which is fine and necessary, but when I'm trying to figure out where to send "y'all have a pile of certs that need revoking because your customers leave their keys on pastebin" e-mails, a CPS that I can read is what I need.

- Matt
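Matt's point that the DFN-Verein certificate carries no cPSuri is a check a relying party can make against any certificate: does the certificatePolicies extension (RFC 5280 section 4.2.1.4) contain an id-qt-cps qualifier naming the CA's CPS repository? The following is an added example, not code from this thread, from DFN-Verein or from the CCADB. It parses the DER of that extension value with the Python standard library alone and runs against a sample extension constructed inline; the policy OID 1.3.6.1.4.1.99999.1.1 and the URI https://pki.example.test/cps are made up for the example, while 2.23.140.1.2.1 is the CA/B Forum domain-validated policy OID and 1.3.6.1.5.5.7.2.1 / .2 are the id-qt-cps and id-qt-unotice qualifier OIDs from RFC 5280.

```python
"""Find CPS URIs in a certificatePolicies extension (RFC 5280 section 4.2.1.4).

Standard library only. The sample extension value built below is constructed
for illustration and does not come from any real certificate or CA.
"""

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_UTF8STRING = 0x0C
TAG_IA5STRING = 0x16

ID_QT_CPS = "1.3.6.1.5.5.7.2.1"      # id-qt-cps: qualifier is an IA5String CPSuri
ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"  # id-qt-unotice: qualifier is a UserNotice


# --- minimal DER helpers (decode and encode) -------------------------------

def read_tlv(buf, pos):
    """Parse the DER element at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def iter_tlv(buf):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def base128(n):
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def tlv(tag, value):
    """Encode one DER element, switching to the long length form past 127 bytes."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    body = base128(40 * arcs[0] + arcs[1]) + b"".join(base128(a) for a in arcs[2:])
    return tlv(TAG_OID, body)


def decode_oid(value):
    subids, n = [], 0
    for b in value:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(n)
            n = 0
    first = subids[0]                    # first subidentifier packs the first two arcs
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in arcs + subids[1:])


# --- the check --------------------------------------------------------------

def cps_uris(ext_value):
    """Return {policy OID: [CPS URI, ...]} for a certificatePolicies extnValue.

    Only id-qt-cps qualifiers carrying an IA5String are collected; user notices
    and unknown qualifier types are skipped rather than rejected."""
    tag, policies, end = read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE or end != len(ext_value):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    result = {}
    for tag, policy_info in iter_tlv(policies):
        if tag != TAG_SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        fields = list(iter_tlv(policy_info))
        if not fields or fields[0][0] != TAG_OID:
            raise ValueError("PolicyInformation must start with a policy OID")
        uris = []
        if len(fields) > 1:              # optional policyQualifiers SEQUENCE
            for _, qualifier_info in iter_tlv(fields[1][1]):
                qfields = list(iter_tlv(qualifier_info))
                if (len(qfields) == 2 and decode_oid(qfields[0][1]) == ID_QT_CPS
                        and qfields[1][0] == TAG_IA5STRING):
                    uris.append(qfields[1][1].decode("ascii"))
        result[decode_oid(fields[0][1])] = uris
    return result


def has_cps_pointer(ext_value):
    """True when at least one policy in the extension names a CPS repository."""
    return any(cps_uris(ext_value).values())


def build_sample_extension():
    """Constructed certificatePolicies value (not from a real certificate): the
    CA/B Forum DV policy with a CPS URI plus a user notice, and a made-up
    CA-specific policy OID with no qualifiers at all."""
    cps = tlv(TAG_SEQUENCE, encode_oid(ID_QT_CPS)
              + tlv(TAG_IA5STRING, b"https://pki.example.test/cps"))
    notice = tlv(TAG_SEQUENCE, encode_oid(ID_QT_UNOTICE)
                 + tlv(TAG_SEQUENCE, tlv(TAG_UTF8STRING, b"Example notice")))
    dv_policy = tlv(TAG_SEQUENCE, encode_oid("2.23.140.1.2.1")
                    + tlv(TAG_SEQUENCE, cps + notice))
    bare_policy = tlv(TAG_SEQUENCE, encode_oid("1.3.6.1.4.1.99999.1.1"))
    return tlv(TAG_SEQUENCE, dv_policy + bare_policy)


if __name__ == "__main__":
    sample = build_sample_extension()
    for oid, uris in cps_uris(sample).items():
        print(oid, "->", uris or "no CPS URI")
    print("has CPS pointer:", has_cps_pointer(sample))
```

On a real certificate the quickest look is `openssl x509 -in cert.pem -noout -text`, whose "X509v3 Certificate Policies" section prints a "CPS:" line for each id-qt-cps qualifier; `cps_uris` takes the raw extnValue bytes when you need the result in code. A policy OID that appears with no CPS qualifier, as in the second sample policy, is exactly the situation Matt describes: the certificate tells you which policy it was issued under but not where to read it.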
Re: DFN-Verein: CPS/CP link in CCADB not in English
Matt,

I'm not sure an incident report is necessary. The CCADB policy allows both to be provided, and the mechanisms that CCADB uses (both for CAs and for Root Stores) permit a host of expressiveness (and further changes are being made). While there is certainly benefit in highlighting the English language versions, the CCADB policy does not preclude other languages.

This is something that the proposed Browser Alignment ballots in the CA/B Forum, https://github.com/cabforum/documents/compare/master...sleevi:2019-10-Browser_Alignment , would address. It incorporates the Mozilla Policy, Microsoft Policy, and CCADB policy within the BRs itself.

In that branch, see the revised Section 8.6

On Thu, Mar 19, 2020 at 7:58 AM Matt Palmer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Thu, Mar 19, 2020 at 11:10:05AM +, arnold.ess...@t-systems.com wrote:
> > Thanks for pointing it out. We changed the links so that they now refer
> > to the English version of the CP and CPS.
>
> Thanks for the quick update. Do you have an ETA for the preliminary
> incident report?
>
> - Matt
Re: DFN-Verein: CPS/CP link in CCADB not in English
On Thu, Mar 19, 2020 at 11:10:05AM +, arnold.ess...@t-systems.com wrote:
> Thanks for pointing it out. We changed the links so that they now refer
> to the English version of the CP and CPS.

Thanks for the quick update. Do you have an ETA for the preliminary incident report?

- Matt