On our teleconference last week, we discussed whether Bylaws require a CA
applicant for Forum membership to have a completed Period of Time (POT) or
"performance audit" to be admitted as a Member, or whether a Point in Time
(PIT) or "readiness audit" is sufficient. We decided to take a Doodle poll to
find the Members' preference - I will send the link to two polls in a separate
email to the Management list. Once we decide a direction, we will amend our
Bylaws to clarify.
Background: Bylaw 2.1 (see below) only requires an "audit report" without
specifying whether this is a POT or PIT audit, or either. However, I do note
that Bylaw 2.1(b)(6), which lists information a CA applicant must provide in
connection with its membership application, requires the "URL of the current
qualifying performance audit report" - the term "performance audit report"
typically means a POT audit, so that may be a clue that only a successful POT
audit is acceptable under Bylaw 2.1(a).
On our call, some Members noted that ETSI audits are, by nature, always POT
audits, so this question about whether to accept a PIT audit applies only to
WebTrust audits, not ETSI audits.
Under Bylaw 2.1(a)(2) we also allow CAs "that are not actively issuing
certificates but otherwise meet membership criteria" to be granted non-voting
Associate Member status under Bylaw 3.1. We could choose different audit
requirements (POT versus PIT) for full Membership versus Associate Membership
status - I will send out a separate Doodle poll for each.
Please look for two Doodle poll voting links - one on full Membership and one
on Associate Membership - in my email to the Management list (please vote on
both questions). Let's finish voting by Friday, April 20.
Bylaw 2.1 Qualifying for Forum Membership
(a) CA/Browser Forum members shall meet at least one of the following
(2) Root CA:
1. The member organization operates a certification authority
2. that has a current and successful WebTrust for CAs, or ETSI 102042 or
ETSI 101456 audit report prepared by a properly-qualified auditor, and
3. that actively issues certificates to subordinate CAs that, in turn,
actively issue certificates to Web servers
4. that are openly accessible from the Internet,
5. such certificates being treated as valid when using a browser created
by a Browser member.
Applicants that are not actively issuing certificates but otherwise meet
membership criteria may be granted Associate Member status under Bylaw Sec. 3.1
for a period of time to be designated by the Forum. ***
(b) Applicants should supply the following information: ***
(6) URL of the current qualifying performance audit report. ***