<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 24/1/2019 8:16 μ.μ., Wayne Thayer
via Public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAJE6Z6ctE=UYTpZv5Li3KA=EebxWc7R2BkUWCVu-_V6atAHvHw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr">
<div>On today's call we discussed a number of changes to the
bylaws aimed at clarifying the rules for membership. The
proposal for section 2.1(a)(1) resulting from today's
discussion is:</div>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">Certificate Issuer: The
member organization operates a certification authority that
has a publicly-available audit report or attestation
statement that meets the following requirements:<br>
* Is based on the full, current version of the WebTrust for
CAs, ETSI EN 319 411-1 , or ETSI EN 319 411-2 audit criteria<br>
* Covers a period of at least 60 days<br>
* Covers a period that ends within the past 15 months<br>
* Was prepared by a properly-Qualified Auditor<br>
<br>
<div>In addition, the member organization is a member of a
CWG, and actively issues certificates to end entities,
such certificates being treated as valid by a Certificate
Consumer Member. Applicants that are not actively issuing
certificates but otherwise meet membership criteria may be
granted Associate Member status under Bylaw Sec. 3.1 for a
period of time to be designated by the Forum.</div>
</blockquote>
<div><br>
</div>
<div>Similar changes would be made to 2.1(a)(2) for Root
Certificate Issuers.</div>
<div><br>
</div>
<div>The question of requiring period-of-time audits was left
unresolved on today's call. I have included the requirement
here because the results of a straw poll conducted earlier
this year [1] indicated strong support for such a
requirement.</div>
<div><br>
</div>
<div>Comments?</div>
</div>
</div>
</blockquote>
<br>
We can explicitly say that Certificate Issuers can be accepted with
a WebTrust for CAs Point-in-time public audit report but will remain
in the Associate Member status until they provide a Period-of-time
public audit report.<br>
<br>
<blockquote type="cite"
cite="mid:CAJE6Z6ctE=UYTpZv5Li3KA=EebxWc7R2BkUWCVu-_V6atAHvHw@mail.gmail.com">
<div dir="ltr">
<div dir="ltr">
<div><br>
</div>
<div>One additional question on this section that we didn't
get to on the call is the vague requirement for "actively"
issuing certificates. Should we remove the word "actively"
and change the final sentence to allow Associate member
status for organizations with a point-in-time audit?<br>
</div>
</div>
</div>
</blockquote>
<br>
I think we should remove the word "actively". Even a certificate
issued to a domain controlled by the Certificate Issuer that chains
to a Certificate Consumer Member's software should be sufficient.<br>
<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:CAJE6Z6ctE=UYTpZv5Li3KA=EebxWc7R2BkUWCVu-_V6atAHvHw@mail.gmail.com">
<div dir="ltr">
<div dir="ltr">
<div><br>
</div>
<div>Thanks,</div>
<div><br>
</div>
<div>Wayne</div>
<div><br>
</div>
<div>[1] <a
href="https://cabforum.org/pipermail/public/2018-April/013259.html"
moz-do-not-send="true">https://cabforum.org/pipermail/public/2018-April/013259.html</a><br>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org" moz-do-not-send="true">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public" moz-do-not-send="true">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
</body>
</html>