[cabfpub] Bylaws: Update Membership Criteria (section 2.1)

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Thu Jan 24 19:30:19 UTC 2019

On 24/1/2019 8:16 μ.μ., Wayne Thayer via Public wrote:
> On today's call we discussed a number of changes to the bylaws aimed 
> at clarifying the rules for membership. The proposal for section 
> 2.1(a)(1) resulting from today's discussion is:
>     Certificate Issuer: The member organization operates a
>     certification authority that has a publicly-available audit report
>     or attestation statement that meets the following requirements:
>     * Is based on the full, current version of the WebTrust for CAs,
>     ETSI EN 319 411-1 , or ETSI EN 319 411-2 audit criteria
>     * Covers a period of at least 60 days
>     * Covers a period that ends within the past 15 months
>     * Was prepared by a properly-Qualified Auditor
>     In addition, the member organization is a member of a CWG, and
>     actively issues certificates to end entities, such certificates
>     being treated as valid by a Certificate Consumer Member.
>     Applicants that are not actively issuing certificates but
>     otherwise meet membership criteria may be granted Associate Member
>     status under Bylaw Sec. 3.1 for a period of time to be designated
>     by the Forum.
> Similar changes would be made to 2.1(a)(2) for Root Certificate Issuers.
> The question of requiring period-of-time audits was left unresolved on 
> today's call. I have included the requirement here because the results 
> of a straw poll conducted earlier this year [1] indicated strong 
> support for such a requirement.
> Comments?

We can explicitly say that Certificate Issuers can be accepted with a 
WebTrust for CAs Point-in-time public audit report but will remain in 
the Associate Member status until they provide a Period-of-time public 
audit report.

> One additional question on this section that we didn't get to on the 
> call is the vague requirement for "actively" issuing certificates. 
> Should we remove the word "actively" and change the final sentence to 
> allow Associate member status for organizations with a point-in-time 
> audit?

I think we should remove the word "actively". Even a certificate issued 
to a domain controlled by the Certificate Issuer that chains to a 
Certificate Consumer Member's software should be sufficient.


> Thanks,
> Wayne
> [1] https://cabforum.org/pipermail/public/2018-April/013259.html
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20190124/78565526/attachment-0003.html>

More information about the Public mailing list