[cabfpub] Bylaw interpretation: root store membership required?

Kirk Hall Kirk.Hall at entrustdatacard.com
Tue Apr 11 15:43:02 UTC 2017

+1.  I think you are correct.  If you had asked me, I would have said the membership rules in the Bylaws already required a CA member to have at least one trusted root in one browser - but to my surprise that specific language is not there.

I think your interpretation of "openly accessible" reaches that requirement, as you suggest.  Otherwise, CAs who only issue for private PKI networks would qualify for Forum membership, and I think that was not our intent (CAs in that position don't need to follow the BRs or browser root program rules, so why be a member).  I think it would be a good idea to add a specific requirement to be in at least one root store to clarify the original intention.

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham via Public
Sent: Tuesday, April 11, 2017 8:26 AM
To: CABFPub <public at cabforum.org>
Cc: Gervase Markham <gerv at mozilla.org>
Subject: [EXTERNAL][cabfpub] Bylaw interpretation: root store membership required?

The CA membership criteria say a member CA is one which:

"actively issues certificates to Web servers that are openly accessible from the Internet using a browser created by a Browser member".

What does "openly accessible" mean? Does it mean that the CA is included in at least one browser member's root store? After all, a website with a cert from an untrusted CA is still accessible in each of the browser member's browsers, after clicking through a warning.

If it does mean that, I need to update my membership ballot to take account of the fact that being in at least one root store is a membership criterion. I believe that in the past we've treated this as being a criterion for full membership, but it's not explicitly in there, so I wanted to check.
