[cabfpub] [EXTERNAL] Bylaw interpretation: root store membership required?

Kirk Hall Kirk.Hall at entrustdatacard.com
Tue Apr 11 16:36:35 MST 2017


No – more like the situation with the root that Google bought from GlobalSign, but leaving an issuing subroot with GlobalSign for it to use.  (If I understand the situation correctly.)  I don’t think that involved Delegated Third Parties – there are two independent CAs operating under one trusted root with multiple issuing subroots controlled by two different companies.

I’m pretty sure there have been other situations where a new CA got a branded, issuing subroot from another CA, sometimes for a limited time while the new CA generated its own roots and submitted them to the browsers – but I can’t remember exact details.

Bear in mind we are ONLY talking about CABF membership rules under our Bylaws, not the BRs or issues such as audit rules, RAs/DTPs etc.  So let’s keep it simple.  I think we should encourage the widest possible membership as a way of increasing communication and participation by CAs.  If two CA members are "affiliated", then our Bylaws limit them to one vote, but otherwise the two CAs can continue to participate as members.

Today our membership rules are silent on owning/controlling roots and subroots, so a CA that only has the right to use a subroot from another CA’s root qualifies for Forum membership (so long as that CA is issuing certs and has the necessary audit).

Gerv – as you recall, we don’t have a definition of “affiliate” in the Bylaws – maybe your ballot should add a definition taken from our IPR Policy agreement.

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Tuesday, April 11, 2017 4:13 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] [EXTERNAL] Bylaw interpretation: root store membership required?

There are specific terms in the Baseline Requirements that describe various relationships, and I'm not sure how to map what you describe on to them. It appears to be related to the Delegated Third Party discussion, and you're suggesting Delegated Third Parties - even if nominally called CAs - should not be able to vote/participate. Is that correct?

On Tue, Apr 11, 2017 at 7:07 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:
Renting was a shorthand way of saying some members may not own a trusted root.  They may have the contractual right to use an issuing subroot of a trusted root owned by another CA – whether they are hosting the issuing subroot themselves or the issuing subroot is hosted for them by the CA that owns the root, or by others.

Whether or not they “own” the issuing subroot, or just have a limited ability to use the subroot for a limited time (hence, “rent”) may vary from case to case.

That’s the language we need to work on if we want to amend the Bylaws on qualifications for CA members.

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Tuesday, April 11, 2017 9:38 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: Re: [cabfpub] [EXTERNAL] Bylaw interpretation: root store membership required?

Can you describe what "renting" a root entails? How is it objectively quantified as distinct from "own or control"?

I would presume, for example, that anyone "renting" a root (the first time I have heard of such a claim) would be able to demonstrate "control" for the duration of the rental, much as I would be able to demonstrate control of a vehicle that I was renting and driving.
