[cabfpub] Doodle polls on form of audit necessary for Membership and Associate Membership status

Kirk Hall Kirk.Hall at entrustdatacard.com
Mon Apr 9 00:29:57 UTC 2018

On our teleconference last week, we discussed whether Bylaws require a CA applicant for Forum membership to have a completed Period of Time (POT) or "performance audit" to be admitted as a Member, or whether a Point in Time (PIT) or "readiness audit" is sufficient.  We decided to take a Doodle poll to find the Members' preference - I will send the link to two polls in a separate email to the Management list.  Once we decide a direction, we will amend our Bylaws to clarify.

Background: Bylaw 2.1 (see below) only requires an "audit report" without specifying whether this is a POT or PIT audit, or either.  However, I do note that Bylaw 2.1(b)(6), which lists information a CA applicant must provide in connection with its membership application, requires the "URL of the current qualifying performance audit report" - the term "performance audit report" typically means a POT audit, so that may be a clue that only a successful POT audit is acceptable under Bylaw 2.1(a).

On our call, some Members noted that ETSI audits are, by nature, always POT audits, so this question about whether to accept a PIT audit applies only to WebTrust audits, not ETSI audits.

Under Bylaw 2.1(a)(2) we also allow CAs "that are not actively issuing certificates but otherwise meet membership criteria" to be granted non-voting Associate Member status under Bylaw 3.1.  We could choose different audit requirements (POT versus PIT) for full Membership versus Associate Membership status - I will send out a separate Doodle poll for each.

Please look for two Doodle poll voting links - one on full Membership and one on Associate Membership - in my email to the Management list (please vote on both questions).  Let's finish voting by Friday, April 20.


Bylaw 2.1           Qualifying for Forum Membership

(a)  CA/Browser Forum members shall meet at least one of the following criteria. ***

(2)  Root CA:

1.       The member organization operates a certification authority

2.       that has a current and successful WebTrust for CAs, or ETSI 102042 or ETSI 101456 audit report prepared by a properly-qualified auditor, and

3.       that actively issues certificates to subordinate CAs that, in turn, actively issue certificates to Web servers

4.       that are openly accessible from the Internet,

5.       such certificates being treated as valid when using a browser created by a Browser member.

Applicants that are not actively issuing certificates but otherwise meet membership criteria may be granted Associate Member status under Bylaw Sec. 3.1 for a period of time to be designated by the Forum. ***

(b)  Applicants should supply the following information: ***

(6) URL of the current qualifying performance audit report. ***
