[cabfpub] Form of audit necessary for CA membership in CA/Browser Forum

Kirk Hall Kirk.Hall at entrustdatacard.com
Mon Apr 2 00:22:40 UTC 2018

This email relates to an Agenda topic for discussion on our teleconference this Thursday, April 5.

In recent discussion of a CA membership application, there was disagreement on whether the "audit" that a CA applicant must present needs to be a Period of Time (POT) audit, also called a "performance" audit, or whether it is sufficient for the CA applicant to have only a Point in Time (PIT) audit, also called a "readiness" audit.  (This issue was not critical to the application being considered by the Forum.)

As a practical matter these days, CAs generally start their first POT audit for a specific root on the date of their successful PIT audit, and then maintain POT audits continuously thereafter.  Under WebTrust, the minimum initial time period for a POT audit is two months, so it can be completed relatively quickly (I'm not sure about ETSI minimum time period for the initial POT audit).

Other forms of auditor reports, such as a "migration audit report", is not considered a WebTrust for CAs Audit but rather an Agreed Upon Procedures report which is for management use only, and so would not qualify for CA membership purposes.

I have inserted a copy of excerpts from Bylaw 2.1 below, parsed to make the separate requirements to be a CA member clearer.

It's true that our Bylaw 2.1 only refers to an "audit report" without specifying whether this is a POT or PIT audit, or either.  However, I do note that Bylaw 2.1(b)(6) which lists information a CA applicant must provide in connection with its membership application requires the "URL of the current qualifying performance audit report" - the term "performance audit report" typically means a POT audit, so that may be a clue that only a successful POT audit is acceptable under Bylaw 2.1(a).

On our Thursday call, let's not argue about what current Bylaw 2.1(a) means, but instead let's talk about what we think Bylaw 2.1 should require for a new CA applicant - a POT audit, a PIT audit, or either.  If needed, I can set up a Doodle poll so people can vote on the question.  After full discussion, let's then amend Bylaw 2.1(a) so it's clear on that point.  I personally am in favor of accepting a POT audit only (even for a minimum two month period), as I think that shows the CA is "real" and operating successfully, but I want to hear what the advocates of accepting a PIT audit think.

Bylaw 2.1           Qualifying for Forum Membership

(a)  CA/Browser Forum members shall meet at least one of the following criteria. ***
(2)  Root CA:

1.       The member organization operates a certification authority

2.       that has a current and successful WebTrust for CAs, or ETSI 102042 or ETSI 101456 audit report prepared by a properly-qualified auditor, and

3.       that actively issues certificates to subordinate CAs that, in turn, actively issue certificates to Web servers

4.       that are openly accessible from the Internet,

5.       such certificates being treated as valid when  using a browser created by a Browser member.

Applicants that are not actively issuing certificates but otherwise meet membership criteria may be granted Associate Member status under Bylaw Sec. 3.1 for a period of time to be designated by the Forum. ***

(b)  Applicants should supply the following information: ***

(6) URL of the current qualifying performance audit report. ***

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180402/a5554954/attachment-0002.html>

More information about the Public mailing list