[cabfpub] FW: Bylaw update proposal

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Thu Mar 26 22:57:34 UTC 2015


The issue is simply this:

1.  No public CA can have a root in the browsers today without two audits – WebTrust and (now) BR WebTrust (or ETSI equivalent).  When the Bylaws were adopted, only one audit was required – but one audit will no longer get you in the browser root stores – you can no longer be considered a public CA.

2.  We have always accommodated companies with sub-CAs as members so long as they have their own WebTrust (or ETSI equivalent) audit.  That won’t change, except now they must have both required audits.  (I’m not sure we have any members in this category today.)

3.  I don’t think there is any appetite to accept as members companies with only their own MPKI / EPKI who only issue certs to themselves and their subsidiaries and affiliates, and I don’t think any company in this position is interested in joining.  They are not a public CA issuing certs to others.

I’m afraid we are overthinking this – this began when we recognized that our Bylaws fail to mention the second type of audit now required to get your roots in the browser.  It’s only an update, not any change in the idea of who could be a CA member of the Forum.

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Thursday, March 26, 2015 3:30 PM
To: Kirk Hall (RD-US)
Cc: CABFPub
Subject: Re: [cabfpub] FW: Bylaw update proposal



On Thu, Mar 26, 2015 at 10:30 AM, kirk_hall at trendmicro.com <kirk_hall at trendmicro.com> wrote:
Peter – on the issue of membership, I still believe that anyone on your list could potentially apply for membership as a CA.  However, one requirement is that the applicant “operates a certification authority”, which to me implies providing certificates to others (not just to the applicant’s own websites).  So I would argue that an enterprise with an unconstrained sub-CA in its name that is used only for MPKI/EPKI is not operating a certification authority and could not be a Member.  After all, we cover standards for vetting, fraud prevention, etc. that are not relevant to MPKI/EPKI.

If anyone thinks there is confusion on this point, maybe we need to add a membership limitation in the Bylaws that a CA and SubCA member must be a company that “operates a certification authority to issue SSL digital certificates to others”, or similar language.  Maybe I will add that to the Bylaws ballot.

Thanks for pointing this out.

Kirk

Kirk,

I'm not sure I agree with your interpretation. The baseline requirements gives a fairly clear definition of "Certification Authority", if you're wishing to use that criteria.

"to others" is still ambiguous. Is a multi-national corporation with affiliates issuing to others or not?

More importantly, I still fail to see why the pressing need to restrict membership. There's already the proposal to require even more audits than we do today - that is, the parallel to "Webtrust for CAs" would be "Principles and Criteria for Certification Authorities 2.0", more generally.

I guess I'm still confused as to the problem you're trying to solve, since it mostly seems to make the Forum more exclusionary.
