[cabfpub] Bylaws: Update Membership Criteria (section 2.1)

Ryan Sleevi sleevi at google.com
Mon Jan 28 18:48:41 UTC 2019

On Thu, Jan 24, 2019 at 2:30 PM Dimitris Zacharopoulos (HARICA) via Public <
public at cabforum.org> wrote:

> On 24/1/2019 8:16 p.m., Wayne Thayer via Public wrote:
>> On today's call we discussed a number of changes to the bylaws aimed at
>> clarifying the rules for membership. The proposal for section 2.1(a)(1)
>> resulting from today's discussion is:
>> Certificate Issuer: The member organization operates a certification
>> authority that has a publicly-available audit report or attestation
>> statement that meets the following requirements:
>> * Is based on the full, current version of the WebTrust for CAs, ETSI EN
>> 319 411-1 , or ETSI EN 319 411-2 audit criteria
Using the example reports for discussion
(http://www.webtrust.org/practitioner-qualifications/docs/item85808.pdf):

If a CA does not escrow CA keys, does not provide subscriber key generation
services, or suspension services, does that count as being based on the
"full, current version"? (Page 11, paragraph 2)

> * Covers a period of at least 60 days
I'm curious for feedback from the ETSI folks, but perhaps a more inclusive
definition would be
- "Reports on the operational effectiveness of controls for a historic
period of at least 60 days"

The context being that ETSI is a certification scheme, but as part of that
certification, the CAB "may" ("should") examine the historic evidence for
some period of time. 7.9 of 319 403 only requires "since the previous audit"

> * Covers a period that ends within the past 15 months
This may also be resting on the BR definition of Audit Period. I can see
similar ambiguities arising with respect to ETSI and that its certification
decisions last two years, not one, thus it might cause a CA to believe that
they have up to three years from first completing their audit (that is, if
the letter is issued at T=2 years, covering T=0 to T=2, and is valid to T=4
years, then the CA may believe it's covered until T=5 years and 3 months)

There's also the potential of surveillance audits conducted over specific
issues being resolved, without being a full recertification (e.g. if the
CAB classified it as a minor non-conformity)

"With no more than 27 months having elapsed since the beginning of the
reported-on period and no more than 15 months since the end of the
reported-on period"

It's a mouthful, but perhaps there's a more concise way to capture that.