[cabfpub] Bylaws: Update Membership Criteria (section 2.1)
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Thu Jan 24 19:30:19 UTC 2019
On 24/1/2019 8:16 μ.μ., Wayne Thayer via Public wrote:
> On today's call we discussed a number of changes to the bylaws aimed
> at clarifying the rules for membership. The proposal for section
> 2.1(a)(1) resulting from today's discussion is:
> Certificate Issuer: The member organization operates a
> certification authority that has a publicly-available audit report
> or attestation statement that meets the following requirements:
> * Is based on the full, current version of the WebTrust for CAs,
> ETSI EN 319 411-1 , or ETSI EN 319 411-2 audit criteria
> * Covers a period of at least 60 days
> * Covers a period that ends within the past 15 months
> * Was prepared by a properly-Qualified Auditor
> In addition, the member organization is a member of a CWG, and
> actively issues certificates to end entities, such certificates
> being treated as valid by a Certificate Consumer Member.
> Applicants that are not actively issuing certificates but
> otherwise meet membership criteria may be granted Associate Member
> status under Bylaw Sec. 3.1 for a period of time to be designated
> by the Forum.
> Similar changes would be made to 2.1(a)(2) for Root Certificate Issuers.
> The question of requiring period-of-time audits was left unresolved on
> today's call. I have included the requirement here because the results
> of a straw poll conducted earlier this year  indicated strong
> support for such a requirement.
We can explicitly say that Certificate Issuers can be accepted with a
WebTrust for CAs Point-in-time public audit report but will remain in
the Associate Member status until they provide a Period-of-time public
> One additional question on this section that we didn't get to on the
> call is the vague requirement for "actively" issuing certificates.
> Should we remove the word "actively" and change the final sentence to
> allow Associate member status for organizations with a point-in-time
I think we should remove the word "actively". Even a certificate issued
to a domain controlled by the Certificate Issuer that chains to a
Certificate Consumer Member's software should be sufficient.
>  https://cabforum.org/pipermail/public/2018-April/013259.html
> Public mailing list
> Public at cabforum.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public