<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:NSimSun;
panose-1:2 1 6 9 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoPlainText">I partially agree, but I would put it this way: CA membership requirements are intended to make sure an applicant is a "real" CA. Today, both Mozilla and Microsoft require a CA to have a Baseline Requirements audit for its roots to
be included in the trusted root store. Here is the Microsoft link: <a href="http://social.technet.microsoft.com/wiki/contents/articles/26675.windows-root-certificate-program-audit-requirements-for-cas.aspx">
http://social.technet.microsoft.com/wiki/contents/articles/26675.windows-root-certificate-program-audit-requirements-for-cas.aspx</a>
<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Plus, the CA-Browser Forum itself requires all CAs to follow the BRs for their certs to be considered trustworthy (except that the Forum has no enforcement power – that is left to the browsers through their root program requirements):<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left:.5in">These Baseline Requirements describe an integrated set of technologies, protocols, identity-proofing, lifecycle management, and auditing requirements that are necessary (but not sufficient) for the issuance and
management of Publicly-Trusted Certificates; Certificates that are trusted by virtue of the fact that their corresponding Root Certificate is distributed in widely-available application software. The Requirements are not mandatory for Certification Authorities
unless and until they become adopted and enforced by relying–party Application Software Suppliers. ***<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left:.5in">1. Scope The Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates describe a subset of the requirements that a Certification Authority must meet in order to issue Publicly Trusted
Certificates. Except where explicitly stated otherwise, these requirements apply only to relevant events that occur on or after the Effective Date. *** These Requirements are applicable to all Certification Authorities within a chain of trust. They are to
be flowed down from the Root Certification Authority through successive Subordinate Certification Authorities.<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left:.5in">2. Purpose The primary goal of these Requirements is to enable efficient and secure electronic communication, while addressing user concerns about the trustworthiness of Certificates. The Requirements also serve
to inform users and help them to make informed decisions when relying on Certificates.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">No CA is required to join the Forum to operate – the CAs only need to satisfy the browsers. But I can’t think of any reason why a CA would choose NOT to follow the BRs and get a BR audit if it wants to be considered a “real” CA.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">And I don’t think the Forum would want to accept any new CA member that said “I choose not to follow the BRs, and I choose not to get a BR audit” – why would we want such a CA as a member?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">So it seems reasonable to update our bylaws to require a BR audit for membership.<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<br>
From: Gervase Markham [mailto:gerv@mozilla.org] <br>
Sent: Thursday, February 19, 2015 9:33 AM<br>
To: Kirk Hall (RD-US); CABFPub (public@cabforum.org)<br>
Subject: Re: [cabfpub] When did the WebTrust/ETSI BR audit requirement become mandatory?</p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">On 19/02/15 16:59, <a href="mailto:kirk_hall@trendmicro.com">
<span style="color:windowtext;text-decoration:none">kirk_hall@trendmicro.com</span></a> wrote:<o:p></o:p></p>
<p class="MsoPlainText">> Based on all this, I would say all CAs should have full year BR audits
<o:p></o:p></p>
<p class="MsoPlainText">> in place by now. We can change our Bylaw on membership at Bylaw 2.1
<o:p></o:p></p>
<p class="MsoPlainText">> to reflect this.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I agree with the former, but let me challenge for a moment whether it directly implies the goodness of the latter.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Why do we have membership criteria at all? I would say that it's solely to prevent people or organizations signing up as members who are not actually doing things the forum concerns itself with. Therefore, our membership criteria should
be as wide as possible consistent with that goal. We currently require a WebTrust or ETSI scheme audit. I think it's unlikely that an organization will seek and pay for such a thing unless they are actually a CA. So I would say our membership criteria are
already rigorous enough.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">To put it another way: Mozilla's root program requirements are not the same thing as CAB Forum membership criteria.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I suspect that a new CA won't get very far in practice without a BR audit, but the CAB Forum should not be judging the business model viability of potential members as a condition of membership. That seems a dangerous road to me.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Gerv<o:p></o:p></p>
</div>
</body>
</html>
<table><tr><td bgcolor=#ffffff><font color=#000000><pre><table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table></pre></font></td></tr></table>