[cabfpub] CAB Forum membership criteria

Ben Wilson ben.wilson at digicert.com
Mon Mar 27 13:52:47 UTC 2017


What about "While suspended, CAs may attend meetings but not vote." ?

If someone makes a Contribution, I see that as something positive, because
under 6.4.c. of the IPR Policy,
"CAB Forum Participants that submit Contributions, by making a Contribution,
represent and warrant that, to the extent personally known to the individual
Contributors under their control:
c.	The Contribution, if incorporated into a Final Guideline or Final
Maintenance Guideline will not subject the Final Guideline or Final
Maintenance Guideline or implementations of the Final Guideline or Final
Maintenance Guideline, in whole or in part, to licensing obligations,
restrictions or requirements which are inconsistent with those set forth in
this Intellectual Property Rights Policy."

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase
Markham via Public
Sent: Monday, March 27, 2017 7:42 AM
To: CABFPub <public at cabforum.org>
Cc: Gervase Markham <gerv at mozilla.org>
Subject: [cabfpub] CAB Forum membership criteria

The CAB Forum Bylaws define membership criteria, but don't say what should
happen when an existing member ceases to meet those criteria. For the
avoidance of doubt and uncertainty, I think it would be a good idea to fix
this. So I propose some draft text below which explains how I think it
should work.

Browsers
--------

The membership criteria are:

"The member organization produces a software product intended for use by the
general public for browsing the Web securely."

I suggest the following addition:

"A Browser member's membership will automatically cease when they stop
providing security updates for their software product, or if 6 months have
elapsed since the last such published update."

The rationale is simply that if you stop "producing a software product ...
for browsing the Web securely", you stop being a member, and whether you are
updating that product to keep users safe is a good way of measuring
"producing".

CAs
---

The membership criteria (which are in two parts, but they are the same for
our purposes) are:

"The member organization operates a certification authority that has a
current and successful WebTrust for CAs audit, or ETSI 102042 or ETSI
101456 audit report prepared by a properly-qualified auditor, and that
actively issues certificates [...] to Web servers that are openly accessible
from the Internet using a browser created by a Browser member."

[We should probably update those ETSI standard version numbers?]

This is a bit more complex because the definition of a "current" audit is
not entirely clear. Audits are always retrospective, and then the results
are not known for a further period. I think we should have a presumption
that if a previous yearly audit was successful, the next one will be. And so
I suggest the following addition:

"A CA member's membership will be suspended if either their audit is failed
or rescinded, or if 15 months [i.e. 12 months audit length plus 3 months for
letter delivery] have elapsed since the end of the audit period of their
last successful audit. A CA member's membership will automatically cease
after a further 6 months if they have not passed an audit by that time.
While suspended, CAs may attend meetings but not make Contributions or
vote."

The interim period of suspension is proposed for a number of reasons.
Firstly, because we have seen occasional problems with audit timeliness, and
we don't want members having to re-apply for membership if their audit
letter turns up a bit late. And secondly, because if there are audit
problems of other sorts, there can be a period during which the CA can
remediate them before their membership lapses.


Comments, as always, are welcome.

Gerv