[cabfpub] When did the WebTrust/ETSI BR audit requirement become mandatory?

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Fri Feb 20 19:01:55 UTC 2015


That’s true – but every person visiting the site would have to do the same thing.  So as a practical matter, no commercial CA will proceed in selling certs generally without its roots being in the main browser root stores, which requires completed WebTrust/ETSI audits to be delivered to the browsers.  And I don’t think the Forum needs to have “private” CA members.

From: "Barreira Iglesias, Iñigo" [mailto:i-barreira at izenpe.net]
Sent: Friday, February 20, 2015 10:54 AM
To: Kirk Hall (RD-US); Peter Bowen; public at cabforum.org
Cc: questions at cabforum.org
Subject: Re: [cabfpub] When did the WebTrust/ETSI BR audit requirement become mandatory?

Kirk, any CA can sell certs without having any audit. It's up to the customers. It's their decission. You can add the CA manually


Enviado de Samsung Mobile



-------- Mensaje original --------
De: kirk_hall at trendmicro.com
Fecha:
Para: Peter Bowen <pzbowen at gmail.com>,"CABFPub (public at cabforum.org)" <public at cabforum.org>
Cc: questions at cabforum.org
Asunto: Re: [cabfpub] When did the WebTrust/ETSI BR audit requirement become mandatory?

Sorry, I should have clarified.

Any CA can get a point in time or “readiness” BR audit at any time, even just before starting operations.

Plus any CA can get a 60 day or 90 day performance BR audit once they start operations – in fact, that is the recommended method (i.e., don’t wait a whole year).

In general, a CA can’t start selling certs to anyone until the CA has its roots in the browsers.  And the browsers won’t add the roots until they see (at least) a WebTrust and a BR readiness audit – so there really is no blocking effect on the membership rules from requiring the audits.  A CA can’t be in operation (can’t be in the browsers) until that happens.

Plus – when my new CA, AffirmTrust (acquired by Trend Micro) applied to the Forum, we had our audits but no customers yet (because at that time, the Mozilla root review process was very slow).  The Forum accepted us, but only on an observer basis, not member, until we started issuing certs to customers.

From: Peter Bowen [mailto:pzbowen at gmail.com]
Sent: Thursday, February 19, 2015 7:14 PM
To: Kirk Hall (RD-US); CABFPub (public at cabforum.org)
Cc: questions at cabforum.org
Subject: Re: [cabfpub] When did the WebTrust/ETSI BR audit requirement become mandatory?

(copying questions@ for visibility)

On Thu, Feb 19, 2015 at 8:59 AM, kirk_hall at trendmicro.com<mailto:kirk_hall at trendmicro.com> <kirk_hall at trendmicro.com<mailto:kirk_hall at trendmicro.com>> wrote:
Based on all this, I would say all CAs should have full year BR audits in place by now.  We can change our Bylaw on membership at Bylaw 2.1 to reflect this.

Have you considered that it is possible a new CA might want to become a member before their first anniversary of operation?  If you require a full year BR audit for membership, you are effectively excluding new CAs, as they presumably will start with a point in time then a partial year audit (given the requirement to get a period of time audit started within 90 days of issuing the first certificate).

TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential

and may be subject to copyright or other intellectual property protection.

If you are not the intended recipient, you are not authorized to use or

disclose this information, and we request that you notify us by reply mail or

telephone and delete the original message from your mail system.




<table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150220/aeb4aed7/attachment-0003.html>


More information about the Public mailing list