[cabfpub] Proposed revision to Ballot 149 - Updating Membership Bylaws

kirk_hall at trendmicro.com
Tue Jun 9 05:43:26 UTC 2015

Thanks, Peter.  The process has always required both completed WebTrust/ETSI audits AND being included in browser root programs.  Because Gerv and Ryan don’t believe that the Forum should require a BR WebTrust audit to join (even though Mozilla requires a BR WebTrust audit to be included in the Mozilla trusted root store), I was trying to accommodate their concerns by simply tying the question of who is a “real” operating CA to the independent decision of at least two browser members.

To my knowledge, we have not had any public CAs apply to be a member (or show a desire to apply) who had not already completed audit(s) and gotten in root store(s), so this seems to be a somewhat hypothetical issue.  You can’t really issue certs to the public without that.  Can you provide an example of a company you would consider a public CA that has not completed audits and gotten at least one root in a root program or two?  The main work of the Forum is to come up with best practices for public CAs, so it seems prospective members should be able to meet the requirements of being a public CA.

From: Peter Bowen [mailto:pzbowen at gmail.com]
Sent: Monday, June 08, 2015 8:02 PM
To: Kirk Hall (RD-US)
Cc: CABFPub (public at cabforum.org)
Subject: Re: [cabfpub] Proposed revision to Ballot 149 - Updating Membership Bylaws

On Mon, Jun 8, 2015 at 4:39 PM, kirk_hall at trendmicro.com <kirk_hall at trendmicro.com> wrote:
Here’s an idea for moving forward on Ballot 149, which was intended to update our Bylaw 2.1 on membership rules.  Most of the draft ballot is uncontroversial, but one part has drawn opposition from Gerv and Ryan.

In concept, my proposal is that any CA with at least one root in the trusted root store of at least two browser members of the CA-Browser Forum who maintain independent root stores can become a member, if they satisfy all the other requirements.  I suggest two browser members because the day could come when a single browser member drops all audit requirements, etc.  Also, it’s hard to see a CA that has a root in only a single browser as being a viable CA.


As you probably know by now, I have a personal interest in the requirements for joining the CA/Browser Forum.  I want to get that out there so there is no confusion.

The Forum has six browser vendors today: Apple, Google, Microsoft, Mozilla, Opera, and Qihoo 360 (https://cabforum.org/members/).  Of these, it is only clear that three of them maintain "independent" trust stores.  Apple, Microsoft, and Mozilla all have clear processes to maintain trust stores that do not depend on any of the other members.  Opera and Google clearly state that they have dependencies on one of the three prior organizations and Qihoo 360 does not have a clear statement on its trust store as far as I can tell.  Therefore this would imply that a CA must have a root in 2/3 of the applicable trust stores.

This also creates a very large delay in joining for new CAs.  Mozilla notes that the total time is as little as 8 months but typically close to a year.  Microsoft and Apple do not publish timelines, but my understanding is that the process can take several months.

I think the Forum should be focused on welcoming new members who meet basic qualifications and this proposal does not do that.

