[cabfpub] Proposed Shanghai Agenda covering audit issues

Kirk Hall Kirk.Hall at entrustdatacard.com
Sun Sep 23 17:59:20 UTC 2018

I believe topic #3 as I have listed it below fairly presents your request on the Sept. 20  teleconference call, as it covers what you said you wanted to discuss – “Problems faced by root programs from existing WebTrust/ETSI reports and terminology.”  You didn’t request #1 or #2 because I was the one who thought of adding those segments when drafting the Agenda – this is intended as an introduction to existing audit/report types from the people who actually run WebTrust and ETSI to help educate the Members in the room so they can then fully understand the remaining topics #3 - #5.

You didn’t request #4 – Wayne did that at the WebTrust meeting in San Jose on Sept. 11, and I made a note at that time.  So I think it’s appropriate to let Wayne present his ideas.

Finally, while you did raise a different interpretation of our membership rules on our Sept. 6 teleconference than we have followed in the past (you said you thought a Point in Time audit is enough for a CA applicant to qualify for full membership under the current Bylaws, which is not what we have done in the past or what the members said they wanted in the Doodle poll) I was actually the person who raised the question of what form of audit is required for membership during that call.  Because Dimitris will be taking over new membership requests in November, it makes sense for him to present that issue.

But I will remove Dimitris as a Moderator for the five issues – each presenter can be the moderator of his own topic.  And I will remove Wayne as a co-presenter with you on #3 and make you sole presenter – but I know Wayne also said he was having problems with some forms of audit reports, so I hope you will let him add his input during #3.

If you want to suggest different wording for your #3 below, please let me know and I will include it on the Agenda.   How much time would you like for this segment?

Discussion of Audit Terminology, Problems, Ideal Life Cycle for Root CA Audits

#1  Types of audits/reports under WebTrust<https://www.cabforum.org/wiki/WebTrust> and their terminology  Jeff, Don

#2  Types of audits/reports under ETSI and their terminology  Arno, Clemens, Phillipe

#3  Problems faced by root programs from existing WebTrust/ETSI reports and terminology  Ryan, Wayne

#4  Ideal audit life cycle – birth to death of a new CA  Wayne

#5  Forum membership rules Bylaws Sec. 2.1 – Audit requirements  Dimitris

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Saturday, September 22, 2018 8:12 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CABFPub <public at cabforum.org>
Subject: [EXTERNAL]Re: [cabfpub] Proposed Shanghai Agenda covering audit issues


I appreciate this attempt, but this wasn't what I was requesting. Could you clarify that you're not willing to schedule the sessions as I'd requested / and/or appointing other facilitators for those discussions?

I specifically was requesting to present on #1, #2, #3, and #5. I believe the recordings will show that.

This is a critically important area for Google, and while we welcome participation, the request for the sessions, as made on the call, stands, with Google facilitating the discussion.

On Sat, Sep 22, 2018 at 3:19 PM Kirk Hall via Public <public at cabforum.org<mailto:public at cabforum.org>> wrote:
On our SCWG call this week, Ryan, Wayne, and others suggested we take time in Shanghai to talk about the audit programs, their different forms of audits and reports, their terminology, and problems that browsers are encountering.  Wayne also indicated he wanted to discuss an “ideal audit life cycle” for a new trusted root from birth to death.  This seems like a great topic for us.

We can also talk about how we want to interpret our current Bylaws Section 2.1 on Forum membership requirements – what type of audit reports are required, and whether we need to clarify Bylaws clarifications.

I’ve asked Dimitris to be the Moderator on these topics to make sure we stay on schedule and following a logical progression.

We would still have the regular auditor updates before this discussion – that’s just the place where WebTrust and ETSI can give us the most recent program news.

Here is my proposed Agenda breakdown.  Comments are welcome.


1. Types of audits/reports under WebTrust and their terminology, including new CAs and new audit/report types (Jeff, Don).  A summary reference table would be welcome.

2. Types of audits/reports under ETSI and their terminology, including new CAs and new audit/report types (Arno, Clemens).  A summary reference table would be welcome.

[Jeff/Don/Arno/Clemens – do you think you can also prepare a summary comparison table of the different WebTrust and ETSI audits and reports, showing which are roughly “equivalent”, which are not, and the main differences?]

3. Problems faced by root programs from existing WebTrust/ETSI reports and terminology, including for new CAs (Ryan, Wayne)

•       Oddball report types received

•       Common issues/misunderstandings by new CAs

•       Recommendations on standard terminology to be used (if any)

•       Recommendation for clarification on audit requirements in current BRs, root programs to eliminate misunderstandings, adopt common terminology

4. Ideal audit life cycle – birth to death of a new CA (Wayne – also Ryan, or Mike, or Geoff)

•       Description of ideal cycle (with timelines, multiple use cases) – not necessarily what is required today by BRs, WT/ETSI, root programs, but what browsers would like to see

•       Once there is consensus on ideal life cycle, how do we get there?  Via BRs or via root programs (or both)?

•       Proposals for BR amendments to reach ideal life cycle

•       Do we need to better align BRs and root program rules?

5.  Forum membership rules Bylaws Sec. 2.1 (Dimitris)

•       What does the Forum *want* the audit requirements to be based on different level of membership (Associate Member, Member).  See  https://cabforum.org/pipermail/public/2018-April/013259.html

•       Potential amendments to Bylaws to clarify audit requirements for Associate Member, full Member status.

Public mailing list
Public at cabforum.org<mailto:Public at cabforum.org>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180923/f02dce6f/attachment-0003.html>

More information about the Public mailing list