[cabfpub] Bylaws: Update Membership Criteria (section 2.1)

Ryan Sleevi sleevi at google.com
Fri Feb 8 13:44:22 MST 2019


On Fri, Feb 8, 2019 at 3:24 PM Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr> wrote:

> In any case, since this seems to be a controversial matter, I will
> create a new thread in the Server Certificate Working Group public list
> and remove the additional requirements for WebTrust. I hope you are ok
> with the additional criteria for the third option (equivalent audits
> like Government CAs). If not, I can remove that option also.
>

I'm not opposed to it, I think it merely requires clarity, since we don't
have (and there isn't) a very clear definition of Government CAs. We've had
that discussion in the case of Protiviti (which participates in the
discussions on behalf of FPKI) and in cases such as, if I recall correctly,
Hong Kong Post CA. This is, admittedly, an issue with the existing BRs, but
for which the matter is (presently) resolved by Root Store members applying
their own interpretation and/or requirements regarding Section 8.4 of the
BRs.

As a concrete example relevant for those European members, given that the
status of being recognized as Qualified is not fundamentally linked to the
possession of an EN 319 411-1/-2 audit, as I understand it, would a CA that
was qualified, but lacking an EN 319 411-1/-2 audit, constitute a
Government CA by virtue of the eIDAS Regulation (EU) 910/2014 being a
European Regulation?

I suspect that the matter could be resolved by clarifying that, for CAs which
participate in and provide audits for schemes that meet the existing
criteria (a) and (b) (combining them) from that Section 8.4 of the BRs,
bullet 3, and for which the scheme is required by or established by "any
jurisdiction in which the CA operates or issues certificates" (using the
language from 9.16.3), we can avoid the phrase "Government CA" entirely.

Putting that all together:

If the CA is required to use a different audit scheme by any jurisdiction
in which the CA operates or issues certificates, it MAY use such scheme
provided that the audit scheme criteria are available for public review
and either (a) encompasses all requirements of one of the above schemes or
(b) consists of comparable criteria.