[cabfpub] When did the WebTrust/ETSI BR audit requirement become mandatory?

Gervase Markham gerv at mozilla.org
Thu Feb 19 17:33:27 UTC 2015

On 19/02/15 16:59, kirk_hall at trendmicro.com wrote:
> Based on all this, I would say all CAs should have full year BR audits
> in place by now.  We can change our Bylaw on membership at Bylaw 2.1 to
> reflect this.

I agree with the former, but let me challenge for a moment whether it
directly implies the goodness of the latter.

Why do we have membership criteria at all? I would say that it's solely
to prevent people or organizations signing up as members who are not
actually doing things the forum concerns itself with. Therefore, our
membership criteria should be as wide as possible consistent with that
goal. We currently require a WebTrust or ETSI scheme audit. I think it's
unlikely that an organization will seek and pay for such a thing unless
they are actually a CA. So I would say our membership criteria are
already rigorous enough.

To put it another way: Mozilla's root program requirements are not the
same thing as CAB Forum membership criteria.

I suspect that a new CA won't get very far in practice without a BR
audit, but the CAB Forum should not be judging the business model
viability of potential members as a condition of membership. That seems
a dangerous road to me.