On our teleconference last week, we discussed whether the Bylaws require a CA 
applicant for Forum membership to have a completed Period of Time (POT) or 
"performance audit" to be admitted as a Member, or whether a Point in Time 
(PIT) or "readiness audit" is sufficient.  We decided to take a Doodle poll to 
find the Members' preference - I will send the link to two polls in a separate 
email to the Management list.  Once we decide a direction, we will amend our 
Bylaws to clarify.

Background: Bylaw 2.1 (see below) only requires an "audit report" without 
specifying whether this is a POT or PIT audit, or either.  However, I do note 
that Bylaw 2.1(b)(6) which lists information a CA applicant must provide in 
connection with its membership application requires the "URL of the current 
qualifying performance audit report" - the term "performance audit report" 
typically means a POT audit, so that may be a clue that only a successful POT 
audit is acceptable under Bylaw 2.1(a).

On our call, some Members noted that ETSI audits are, by nature, always POT 
audits, so this question about whether to accept a PIT audit applies only to 
WebTrust audits, not ETSI audits.

Under Bylaw 2.1(a)(2) we also allow CAs "that are not actively issuing 
certificates but otherwise meet membership criteria" to be granted non-voting 
Associate Member status under Bylaw 3.1.  We could choose different audit 
requirements (POT versus PIT) for full Membership versus Associate Membership 
status - I will send out a separate Doodle poll for each.

Please look for two Doodle poll voting links - one on full Membership and one 
on Associate Membership - in my email to the Management list (please vote on 
both questions).  Let's finish voting by Friday, April 20.

*****

Bylaw 2.1           Qualifying for Forum Membership

(a)  CA/Browser Forum members shall meet at least one of the following 
criteria. ***

(2)  Root CA:


1.       The member organization operates a certification authority

2.       that has a current and successful WebTrust for CAs, or ETSI 102042 or 
ETSI 101456 audit report prepared by a properly-qualified auditor, and

3.       that actively issues certificates to subordinate CAs that, in turn, 
actively issue certificates to Web servers

4.       that are openly accessible from the Internet,

5.       such certificates being treated as valid when using a browser created 
by a Browser member.

Applicants that are not actively issuing certificates but otherwise meet 
membership criteria may be granted Associate Member status under Bylaw Sec. 3.1 
for a period of time to be designated by the Forum. ***

(b)  Applicants should supply the following information: ***

(6) URL of the current qualifying performance audit report. ***

_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
