[cabfpub] Proposed Shanghai Agenda covering audit issues

Kirk Hall Kirk.Hall at entrustdatacard.com
Sat Sep 22 19:18:54 UTC 2018

On our SCWG call this week, Ryan, Wayne, and others suggested we take time in Shanghai to talk about the audit programs, their different forms of audits and reports, their terminology, and problems that browsers are encountering.  Wayne also indicated he wanted to discuss an "ideal audit life cycle" for a new trusted root from birth to death.  This seems like a great topic for us.

We can also talk about how we want to interpret our current Bylaws Section 2.1 on Forum membership requirements - what type of audit reports are required, and whether we need to clarify Bylaws clarifications.

I've asked Dimitris to be the Moderator on these topics to make sure we stay on schedule and following a logical progression.

We would still have the regular auditor updates before this discussion - that's just the place where WebTrust and ETSI can give us the most recent program news.

Here is my proposed Agenda breakdown.  Comments are welcome.


1. Types of audits/reports under WebTrust and their terminology, including new CAs and new audit/report types (Jeff, Don).  A summary reference table would be welcome.

2. Types of audits/reports under ETSI and their terminology, including new CAs and new audit/report types (Arno, Clemens).  A summary reference table would be welcome.

[Jeff/Don/Arno/Clemens - do you think you can also prepare a summary comparison table of the different WebTrust and ETSI audits and reports, showing which are roughly "equivalent", which are not, and the main differences?]

3. Problems faced by root programs from existing WebTrust/ETSI reports and terminology, including for new CAs (Ryan, Wayne)

*       Oddball report types received

*       Common issues/misunderstandings by new CAs

*       Recommendations on standard terminology to be used (if any)

*       Recommendation for clarification on audit requirements in current BRs, root programs to eliminate misunderstandings, adopt common terminology

4. Ideal audit life cycle - birth to death of a new CA (Wayne - also Ryan, or Mike, or Geoff)

*       Description of ideal cycle (with timelines, multiple use cases) - not necessarily what is required today by BRs, WT/ETSI, root programs, but what browsers would like to see

*       Once there is consensus on ideal life cycle, how do we get there?  Via BRs or via root programs (or both)?

*       Proposals for BR amendments to reach ideal life cycle

*       Do we need to better align BRs and root program rules?

5.  Forum membership rules Bylaws Sec. 2.1 (Dimitris)

*       What does the Forum *want* the audit requirements to be based on different level of membership (Associate Member, Member).  See  https://cabforum.org/pipermail/public/2018-April/013259.html

*       Potential amendments to Bylaws to clarify audit requirements for Associate Member, full Member status.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180922/683509ae/attachment-0002.html>

More information about the Public mailing list