<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>I just saw you are mentioning ETSI 102 042 and ETSI 101 456. Both
standards are now "historical" and therefore no longer valid
auditing standards. ETSI regrouped auditing standards under 319
401 and 319 411. Please consider this when re-writing the
membership application form.</p>
<p>Thanks, Benedikt<br>
</p>
<p><br>
</p>
<pre class="moz-signature" cols="72">Benedikt Heintel - <a class="moz-txt-link-abbreviated" href="mailto:benedikt@cacert.org">benedikt@cacert.org</a>
CAcert.org - Secure Together
<a class="moz-txt-link-freetext" href="http://www.cacert.org">http://www.cacert.org</a></pre>
<div class="moz-cite-prefix">On 02.04.2018 at 02:22, Kirk
Hall via Public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:3406f81121d54926a17d7aaec8b4e908@PMSPEX04.corporate.datacard.com">
<div class="WordSection1">
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
This email relates to an Agenda topic for discussion on our
teleconference this Thursday, April 5.<o:p></o:p></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<o:p> </o:p></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
In recent discussion of a CA membership application, there was
disagreement on whether the “audit” that a CA applicant must
present needs to be a Period of Time (POT) audit, also called
a “performance” audit, or whether it is sufficient for the CA
applicant to have only a Point in Time (PIT) audit, also
called a “readiness” audit. (This issue was not critical to
the application being considered by the Forum.)<o:p></o:p></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<o:p> </o:p></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
As a practical matter these days, CAs generally start their
first POT audit for a specific root on the date of their
successful PIT audit, and then maintain POT audits
continuously thereafter. Under WebTrust, the minimum initial
time period for a POT audit is two months, so it can be
completed relatively quickly (I’m not sure about ETSI minimum
time period for the initial POT audit).
<o:p></o:p></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<o:p> </o:p></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
Other forms of auditor reports, such as a “migration audit
report”, are not considered a WebTrust for CAs Audit but rather
an Agreed Upon Procedures report which is for management use
only, and so would not qualify for CA membership purposes.<o:p></o:p></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<o:p> </o:p></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
I have inserted a copy of excerpts from Bylaw 2.1 below,
parsed to make the separate requirements to be a CA member
clearer.<o:p></o:p></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<o:p> </o:p></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
It’s true that our Bylaw 2.1 only refers to an “audit report”
without specifying whether this is a POT or PIT audit, or
either. However, I do note that Bylaw 2.1(b)(6) which lists
information a CA applicant must provide in connection with its
membership application requires the “<span style="color:black"
lang="EN">URL of the current qualifying <u>
performance</u> audit report” – the term “performance
audit report” typically means a POT audit, so that may be a
clue that only a successful POT audit is acceptable under
Bylaw 2.1(a).<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="color:black" lang="EN"><o:p> </o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="color:black" lang="EN">On our Thursday call,
let’s not argue about what current Bylaw 2.1(a) means, but
instead let’s talk about what we think Bylaw 2.1 should
require for a new CA applicant – a POT audit, a PIT audit,
or either. If needed, I can set up a Doodle poll so people
can vote on the question. After full discussion, let’s then
amend Bylaw 2.1(a) so it’s clear on that point. I
personally am in favor of accepting a POT audit only (even
for a minimum two month period), as I think that shows the
CA is “real” and operating successfully, but I want to hear
what the advocates of accepting a PIT audit think.</span><o:p></o:p></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<o:p> </o:p></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<b><span style="color:black" lang="EN">Bylaw 2.1
Qualifying for Forum Membership</span></b><span
style="color:black" lang="EN"><o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="color:black" lang="EN"><o:p> </o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.25in;margin-bottom:.0001pt;line-height:normal"><span
style="color:black" lang="EN">(a) CA/Browser Forum members
shall meet at least one of the following criteria. ***<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="color:black" lang="EN"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.75in;margin-bottom:.0001pt;text-indent:-.25in;line-height:normal"><span
style="color:black" lang="EN">(2) <u>Root CA</u>: <o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.75in;margin-bottom:.0001pt;text-indent:-.25in;line-height:normal"><span
style="color:black" lang="EN"><o:p> </o:p></span></p>
<p class="MsoListParagraphCxSpFirst"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.75in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0
level1 lfo1">
<!--[if !supportLists]--><span style="color:black" lang="EN"><span
style="mso-list:Ignore">1.<span style="font:7.0pt
"Times New Roman"">
</span></span></span><!--[endif]--><span
style="color:black" lang="EN">The member organization
operates a certification authority
<o:p></o:p></span></p>
<p class="MsoListParagraphCxSpMiddle"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.75in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0
level1 lfo1">
<!--[if !supportLists]--><span style="color:black" lang="EN"><span
style="mso-list:Ignore">2.<span style="font:7.0pt
"Times New Roman"">
</span></span></span><!--[endif]--><span
style="color:black" lang="EN">that <u>has a current and
successful
</u></span><u><span style="border:none windowtext
1.0pt;padding:0in" lang="EN">WebTrust</span></u><u><span
style="color:black" lang="EN"> for CAs</span></u><span
style="color:black" lang="EN">, or
<u>ETSI 102042 or ETSI 101456 audit report</u> prepared by a
properly-qualified auditor, and
<o:p></o:p></span></p>
<p class="MsoListParagraphCxSpMiddle"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.75in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0
level1 lfo1">
<!--[if !supportLists]--><span style="color:black" lang="EN"><span
style="mso-list:Ignore">3.<span style="font:7.0pt
"Times New Roman"">
</span></span></span><!--[endif]--><span
style="color:black" lang="EN">that actively issues
certificates to subordinate CAs that, in turn, actively
issue certificates to Web servers
<o:p></o:p></span></p>
<p class="MsoListParagraphCxSpMiddle"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.75in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0
level1 lfo1">
<!--[if !supportLists]--><span style="color:black" lang="EN"><span
style="mso-list:Ignore">4.<span style="font:7.0pt
"Times New Roman"">
</span></span></span><!--[endif]--><span
style="color:black" lang="EN">that are openly accessible
from the Internet,
<o:p></o:p></span></p>
<p class="MsoListParagraphCxSpLast"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.75in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0
level1 lfo1">
<!--[if !supportLists]--><span style="color:black" lang="EN"><span
style="mso-list:Ignore">5.<span style="font:7.0pt
"Times New Roman"">
</span></span></span><!--[endif]--><span
style="color:black" lang="EN">such certificates being
treated as valid when using a browser created by a Browser
member.
<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal"><span
style="color:black" lang="EN"><o:p> </o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal"><span
style="color:black" lang="EN">Applicants that are <u>not
actively issuing certificates</u> but otherwise meet
membership criteria may be granted Associate Member status
under Bylaw Sec. 3.1 for a period of time to be designated
by the Forum. ***<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.75in;margin-bottom:.0001pt;text-indent:-.25in;line-height:normal"><span
style="color:black" lang="EN"><o:p> </o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;text-indent:.25in;line-height:normal"><span
style="color:black" lang="EN">(b) Applicants should supply
the following information: ***<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="color:black" lang="EN"><o:p> </o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.75in;margin-bottom:.0001pt;text-indent:-.25in;line-height:normal"><span
style="color:black" lang="EN">(6) URL of the current
qualifying <u>performance</u> audit report. ***<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
</body>
</html>