[cabfpub] FW: Bylaw update proposal

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Thu Mar 26 17:30:02 UTC 2015

Peter – on the issue of membership, I still believe that anyone on your list could potentially apply for membership as a CA.  However, one requirement is that the applicant “operates a certification authority”, which to me implies providing certificates to others (not just to the applicant’s own websites).  So I would argue that an enterprise with an unconstrained sub-CA in its name that is used only for MPKI/EPKI is not operating a certification authority and could not be a Member.  After all, we cover standards for vetting, fraud prevention, etc. that are not relevant to MPKI/EPKI.

If anyone thinks there is confusion on this point, maybe we need to add a membership limitation in the Bylaws that a CA and SubCA member must be a company that “operates a certification authority to issue SSL digital certificates to others”, or similar language.  Maybe I will add that to the Bylaws ballow.

Thanks for pointing this out.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Tuesday, March 24, 2015 8:40 AM
Subject: Re: [cabfpub] FW: Bylaw update proposal

From Peter
On Mar 23, 2015 10:29 PM, "Peter Bowen" <pzbowen at gmail.com<mailto:pzbowen at gmail.com>> wrote:
On Mon, Mar 23, 2015 at 10:21 PM, Ryan Sleevi <sleevi at google.com<mailto:sleevi at google.com>> wrote:
> On Mar 23, 2015 10:09 PM, "kirk_hall at trendmicro.com<mailto:kirk_hall at trendmicro.com>"
> <kirk_hall at trendmicro.com<mailto:kirk_hall at trendmicro.com>> wrote:
>> That’s a question for the browsers – Browsers, what do you say?
> I'm not sure why this is a question for browsers - audit scope is audit
> scope. Some CAs include subordinate CAs in scope of their own audits - such
> as when they control and operate the infrastructure - other CAs don't.
> Mozilla Root Inclusion Policy (Sections 8 and 10) require that unconstrained
> subordinate CAs be disclosed and audited. Mozilla CA communications from May
> 2014 [1] affirmed this.
> I would expect that all of the CAs fall in one of the two buckets, and it's
> up to their issuer to decide.
> From the point of view of program operation, it does not make a difference
> whether or not that subordinate is operated by a third party - have audit
> and fill out the form, will travel.

Here are two examples of CAs that are not Root CAs in any browser, and
have issued multiple certificates according to CT logs:

Unisys: http://uispki.unisys.com/rep/ (Current WebTrust for CA and BR
linked at the bottom of the page)

SSL.com: https://secure.comodo.com/products/publiclyDisclosedSubCACerts
- serial 1100C5BF2758C19969FC68ED729DFCD7 (Audit info at top of page)

(apologies for picking on both of these, but they were easy to find)

Both are welcome to join and vote?


<table class="TM_EMAIL_NOTICE"><tr><td><pre>
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150326/eed208e8/attachment-0003.html>

More information about the Public mailing list