[cabfpub] Bylaws: Update Membership Criteria (section 2.1)

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Fri Feb 8 20:24:18 UTC 2019

Thank you for reminding us of these past discussions; they are indeed very 

One observation is that these were discussions about Forum membership 
requirements when the Forum was considering other types of digital 
certificates and not just SSL/TLS, before the new governance established 
by ballot 206. The server certificate working group is currently focused 
on SSL/TLS Certificates and candidate members with experience in SSL/TLS 
certificates can prove that with a BR-compliant audit report (not 
necessarily a "successful" or "clean" audit). I believe there is 
consensus for not requiring a clean audit.

I am still uncertain about other Members' opinion. If the Server 
Certificate Working Group wants more relaxed criteria for Membership 
(like they are today), I would appreciate members to indicate their 

In any case, since this seems to be a controversial matter, I will 
create a new thread in the Server Certificate Working Group public list 
and remove the additional requirements for WebTrust. I hope you are ok 
with the additional criteria for the third option (equivalent audits 
like Government CAs). If not, I can remove that option also.


On 8/2/2019 8:50 PM, Ryan Sleevi wrote:
> Here are some references to some of the past discussions:
> You can search for the discussion around Ballot 149, in which Kirk had 
> proposed changes similar to what you're doing now. There's quite a bit 
> of discussion on that from various bits, but I suspect 
> https://cabforum.org/pipermail/public/2015-May/005620.html probably 
> captures it. This was a continuation of a discussion from earlier - 
> see https://cabforum.org/pipermail/public/2015-March/005375.html - 
> which itself was a continuation of the discussion from Cupertino in 
> Meeting 34 - 
> https://cabforum.org/2015/03/11/2015-03-11-minutes-of-cupertino-f2f-meeting-34/
> If there's concerns that we haven't captured those objections enough, 
> I'm sure we can make sure minutes going forward capture controversial 
> topics more thoroughly.
> My search focused on discussions on our public list; searching our 
> governance reform list is a bit trickier, but this was something we 
> similarly discussed when revising the Bylaws to our current form, and 
> the same concerns and objections were shared in the discussion of the 
> draft SCWG charter. Let me know if the above isn't sufficient.
> We know that there will be direct harm - by promoting more exclusion - 
> by requiring the SSL BRs w/ Net Sec. While it's true that ETSI has 
> incorporated them directly, were ETSI to provide a similar broad 
> profile, I suspect there would be support for *reducing* the current 
> ETSI requirements. Given how ETSI functions, I suspect that 'reducing' 
> is accomplished by adding yet another criteria, since unlike WebTrust, 
> you don't mix and match the same, but the end result would be to 
> increase opportunities for participation.
> There's very little benefit to increasing membership requirements. The 
> main benefits seem to be logistical, rather than practical - 
> increasing requirements can exclude more members and thus make it 
> cheaper or easier to host or organize meetings. However, given the 
> harm that can be caused by that, it does not seem useful - members who 
> are affected by the requirements cannot contribute effectively to them.
> Consider, for example, if the only way to contribute to the EVGLs was 
> to have an EVGL audit. Imagine how difficult it would be to correct 
> any criteria that prevented a CA from getting an EVGL audit, such as 
> the discussion we saw related to E&O insurance/liability limits, as 
> raised by our Asian CA members. Today, they could propose suggestions 
> by virtue of the open membership; in a world where only entities with 
> the audits could participate in the discussions, there would be no way 
> to resolve that or push for change, short of hoping someone 'takes 
> pity' and does it themselves.
> From our perspective, the Forum's strength is not its production of 
> Guidelines themselves, but in providing a venue to gather feedback 
> about proposed changes in a way that does not create conflicting 
> requirements between Root Stores. The Guidelines do not and have never 
> represented 'best' practice - just a common baseline. As we've shifted 
> to a WG model, that same logic extends to WGs - the greatest value in 
> the Forum is through having diverse views represented and gathering 
> feedback about potentially conflicting requirements, to try and find 
> solutions for those conflicts. From our early involvement in the first 
> governance reform - that led to the creation of the public lists - to 
> our effort to provide opportunity to gather and share public feedback 
> via the questions@ list, we've valued increased participation and 
> transparency. The Validation Summit effort in Herndon was, in many 
> ways, a high point in the Forum's opportunity for participation. We 
> should be pushing for greater involvement - as we've seen through the 
> participation of Cisco, for example - than adding barriers that would 
> limit it.
