[cabfpub] When did the WebTrust/ETSI BR audit requirement become mandatory?

[Gervase Markham]

On 19/02/15 18:28, kirk_hall at trendmicro.com wrote:
> The
> Requirements are not mandatory for Certification Authorities unless and
> until they become adopted and enforced by relying–party Application
> Software Suppliers. ***

This sentence seems to me to say precisely what I am saying. Making a BR
audit a condition of membership is moving towards making the BRs
mandatory for CAs for a reason _other_ than "they are enforced by
relying party Application Software Suppliers". Which would be contrary
to this sentence.

> No CA is required to join the Forum to operate – the CAs only need to
> satisfy the browsers.  But I can’t think of any reason why a CA would
> choose NOT to follow the BRs and get a BR audit if it wants to be
> considered a “real” CA.

Well, perhaps there is some aspect of the BRs that they disagree with,
or cannot follow for legal reasons, and wish to join in order to get
things changed?

I am also troubled by the general principle of "if you want a voice in
getting these requirements changed, you have to abide by them first".
The CAB Forum does not control the WebTrust audit criteria so this
problem is not apparent when we use that as a membership filter.

> And I don’t think the Forum would want to accept any new CA member that
> said “I choose not to follow the BRs, and I choose not to get a BR
> audit” – why would we want such a CA as a member?

The CA/Browser Forum is not a gentleman's club; we don't get to
blackball people because we don't like the way they do things. The CAB
Forum also does not assess the suitability or trustworthiness of CAs for
any particular role or task.

Unless we think that the current criteria for CA membership are so loose
that people are applying for membership who are not "real CAs", then
there is no need to change the criteria.

Gerv