[cabfpub] When did the WebTrust/ETSI BR audit requirement become mandatory?

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Fri Feb 20 16:51:39 UTC 2015


Sorry, I should have clarified.

Any CA can get a point in time or “readiness” BR audit at any time, even just before starting operations.

Plus any CA can get a 60 day or 90 day performance BR audit once they start operations – in fact, that is the recommended method (i.e., don’t wait a whole year).

In general, a CA can’t start selling certs to anyone until the CA has its roots in the browsers.  And the browsers won’t add the roots until they see (at least) a WebTrust and a BR readiness audit – so there really is no blocking effect on the membership rules from requiring the audits.  A CA can’t be in operation (can’t be in the browsers) until that happens.

Plus – when my new CA, AffirmTrust (acquired by Trend Micro) applied to the Forum, we had our audits but no customers yet (because at that time, the Mozilla root review process was very slow).  The Forum accepted us, but only on an observer basis, not member, until we started issuing certs to customers.

From: Peter Bowen [mailto:pzbowen at gmail.com]
Sent: Thursday, February 19, 2015 7:14 PM
To: Kirk Hall (RD-US); CABFPub (public at cabforum.org)
Cc: questions at cabforum.org
Subject: Re: [cabfpub] When did the WebTrust/ETSI BR audit requirement become mandatory?

(copying questions@ for visibility)

On Thu, Feb 19, 2015 at 8:59 AM, kirk_hall at trendmicro.com<mailto:kirk_hall at trendmicro.com> <kirk_hall at trendmicro.com<mailto:kirk_hall at trendmicro.com>> wrote:
Based on all this, I would say all CAs should have full year BR audits in place by now.  We can change our Bylaw on membership at Bylaw 2.1 to reflect this.

Have you considered that it is possible a new CA might want to become a member before their first anniversary of operation?  If you require a full year BR audit for membership, you are effectively excluding new CAs, as they presumably will start with a point in time then a partial year audit (given the requirement to get a period of time audit started within 90 days of issuing the first certificate).

<table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150220/dfae1d11/attachment-0003.html>


More information about the Public mailing list