[cabfpub] When did the WebTrust/ETSI BR audit requirement become mandatory?

kirk_hall at trendmicro.com
Thu Feb 19 18:28:44 UTC 2015

I partially agree, but I would put it this way:  CA membership requirements are intended to make sure an applicant is a "real" CA.  Today, both Mozilla and Microsoft require a CA to have a Baseline Requirements audit for its roots to be included in the trusted root store.  Here is the Microsoft link:  http://social.technet.microsoft.com/wiki/contents/articles/26675.windows-root-certificate-program-audit-requirements-for-cas.aspx

Plus, the CA-Browser Forum itself requires all CAs to follow the BRs for their certs to be considered trustworthy (except that the Forum has no enforcement power – that is left to the browsers through their root program requirements):

These Baseline Requirements describe an integrated set of technologies, protocols, identity-proofing, lifecycle management, and auditing requirements that are necessary (but not sufficient) for the issuance and management of Publicly-Trusted Certificates; Certificates that are trusted by virtue of the fact that their corresponding Root Certificate is distributed in widely-available application software. The Requirements are not mandatory for Certification Authorities unless and until they become adopted and enforced by relying-party Application Software Suppliers. ***

1. Scope The Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates describe a subset of the requirements that a Certification Authority must meet in order to issue Publicly Trusted Certificates. Except where explicitly stated otherwise, these requirements apply only to relevant events that occur on or after the Effective Date. *** These Requirements are applicable to all Certification Authorities within a chain of trust. They are to be flowed down from the Root Certification Authority through successive Subordinate Certification Authorities.

2. Purpose The primary goal of these Requirements is to enable efficient and secure electronic communication, while addressing user concerns about the trustworthiness of Certificates. The Requirements also serve to inform users and help them to make informed decisions when relying on Certificates.

No CA is required to join the Forum to operate – the CAs only need to satisfy the browsers.  But I can’t think of any reason why a CA would choose NOT to follow the BRs and get a BR audit if it wants to be considered a “real” CA.

And I don’t think the Forum would want to accept any new CA member that said “I choose not to follow the BRs, and I choose not to get a BR audit” – why would we want such a CA as a member?

So it seems reasonable to update our bylaws to require a BR audit for membership.

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Thursday, February 19, 2015 9:33 AM
To: Kirk Hall (RD-US); CABFPub (public at cabforum.org)
Subject: Re: [cabfpub] When did the WebTrust/ETSI BR audit requirement become mandatory?

On 19/02/15 16:59, kirk_hall at trendmicro.com wrote:

> Based on all this, I would say all CAs should have full year BR audits
> in place by now.  We can change our Bylaw on membership at Bylaw 2.1
> to reflect this.

I agree with the former, but let me challenge for a moment whether it directly implies the goodness of the latter.

Why do we have membership criteria at all? I would say that it's solely to prevent people or organizations signing up as members who are not actually doing things the forum concerns itself with. Therefore, our membership criteria should be as wide as possible consistent with that goal. We currently require a WebTrust or ETSI scheme audit. I think it's unlikely that an organization will seek and pay for such a thing unless they are actually a CA. So I would say our membership criteria are already rigorous enough.

To put it another way: Mozilla's root program requirements are not the same thing as CAB Forum membership criteria.

I suspect that a new CA won't get very far in practice without a BR audit, but the CAB Forum should not be judging the business model viability of potential members as a condition of membership. That seems a dangerous road to me.

