[cabfpub] Bylaw update proposal

kirk_hall at trendmicro.com
Mon Mar 23 18:11:11 MST 2015


Dean - funny you should bring up the membership rules in the Bylaws.  I have just incorporated the comments from our recent face to face meeting in the revised text below, and would like to present it for discussion as a pre-ballot.  It incorporates the issue you have just raised.

Here is my revised proposal for revising Bylaw 2.1:

2.1  Qualifying for Forum Membership

(a) CA/Browser Forum members shall meet at least one of the following criteria.

(1) Issuing CA: The member organization operates a certification authority that has a current and successful Trust Service Principles and Criteria for Certification Authorities and WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security audit, or ETSI equivalent audit reports prepared by a properly-qualified auditor, and that actively issues certificates to Web servers that are openly accessible from the Internet using any one of the mainstream browsers.  Applicants that are not actively issuing certificates but otherwise meet membership criteria may be granted Interested Party status for a period of time and participate in meetings, teleconferences, and Member mailing lists, but may not propose or endorse ballots or vote.

(2) Root CA: The member organization operates a certification authority that has a current and successful Trust Service Principles and Criteria for Certification Authorities and WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security audit, or ETSI equivalent audit reports prepared by a properly-qualified auditor, and that actively issues certificates to subordinate CAs that, in turn, actively issue certificates to Web servers that are openly accessible from the Internet using any one of the mainstream browsers.  Applicants that are not actively issuing certificates but otherwise meet membership criteria may be granted Interested Party status for a period of time and participate in meetings, teleconferences, and Member mailing lists, but may not propose or endorse ballots or vote.

(3) Browser: The member organization produces a software product intended for use by the general public for browsing the Web securely.

(b) Applicants should supply the following information:

(1) Confirmation that the applicant satisfies at least one of the membership criteria (and if it satisfies more than one, indication of the single category under which the applicant wishes to apply).

(2) URL of the current qualifying performance audit report.

(3) The organization name, as you wish it to appear on the Forum Web site and in official Forum documents.

(4) URL of the applicant's main Web site.

(5) Names and email addresses of employees who will participate in the Forum mail list.

(6) Emergency contact information for security issues related to certificate trust.

(7) Links or references to issued certificates that demonstrate compliance with all applicable certificate, CRL, and OCSP requirements.

(c) An Applicant shall become a Member once the Forum has determined by consensus among the Members during a teleconference or meeting that the Applicant meets all of the requirements of subsection (a) or, upon the request of any Member, by a Ballot among the Members. Acceptance by consensus shall be determined, or a Ballot of the Members shall be held, as soon as the Applicant indicates that it has presented all information required under subsection (b) and has responded to all follow-up questions from the Forum and the Member has complied with the requirements of Section 5.5.


Explanation of Bylaw amendments

The amendments do the following (for WebTrust, please read in "or ETSI equivalent"):

1.  Update the old name of WebTrust for CAs to the new name.

2.  Add the requirement of a BR WebTrust audit (since no CA can issue SSL certs today without one, and the BRs are the most important product of the Forum to date - why would a CA want to join the Forum if it can't or won't follow the BRs and get a BR WebTrust audit?  Why would we want that CA as a CA Member?)

There was some discussion that CAs without a BR WebTrust might want to participate anyway - I doubt that, but they can comment on the public list and join working groups.  There was also discussion that CAs that only issue code signing certs don't need a BR WebTrust audit under browser rules - to date, no CA issuing only code signing certs has applied to be a Member, so maybe we just wait to see if this ever happens.

3.  I was told our old ETSI numbers are no longer valid.  To deal with this into the future, I have changed the language above to "or ETSI equivalent" so the reference will always be valid.

4.  Instead of giving a new CA "observer" status, which is not defined, I followed the suggestion to give the new CA "Interested Party" status, which is defined at Bylaw 3.1.  We get to define the level of participation of various Interested Parties, so we could allow a new CA to participate (but not vote) on all conference calls, meetings, and mail lists, the same as we do for WebTrust and ETSI representatives.

5.  I added the following as an additional item of information that new CAs would have to submit to apply for membership:  "Links or references to issued certificates that demonstrate compliance with all applicable certificate, CRL, and OCSP requirements."  That is similar to what you were seeking.

6.  Finally, I clarified that new members could be accepted by consensus during a teleconference or meeting of the Members, but that any Member could request a Ballot on acceptance (so if a Member objected, it could take the matter to a vote).  This is roughly what we have been doing.

I welcome comments.

Kirk R. Hall
Operations Director, Trust Services
Trend Micro
+1.503.753.3088

