[cabfpub] Proposed revision to Ballot 149 - Updating Membership Bylaws

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Mon Jun 8 23:39:39 UTC 2015 

Here's an idea for moving forward on Ballot 149, which was intended to update our Bylaw 2.1 on membership rules.  Most of the draft ballot is uncontroversial, but one part has drawn opposition from Gerv and Ryan.

BACKGROUND

Our original Bylaw 2.1 has a number of requirements, including that the CA applicant "has a current and successful WebTrust for CAs audit".  (Please read in "or ETSI equivalent" for the rest of this email.)  That Bylaw was adopted before the BR WebTrust audit guidelines were completed, and before any browser started requiring a BR WebTrust audit.

Here is the current Bylaw as applied to a root CA (similar rules for an Issuing CA):

"Root CA: The member organization operates a certification authority that has a current and successful WebTrust for CAs, or ETSI 102042 or ETSI 101456 audit report prepared by a properly-qualified auditor, and that actively issues certificates to subordinate CAs that, in turn, actively issue certificates to Web servers that are openly accessible from the Internet using any one of the mainstream browsers."

Two things changed after that Bylaw was adopted.  First, the name "WebTrust for CAs" changed (it is now changing back).   Second, most or all of the main browser root programs have added a second requirement that the CA also have a valid and current BR WebTrust audit, in addition to a WebTrust for CAs audit.

The changes in this part of my ballot draft were simply intended to update the membership audit requirements to cover both WebTrust and BR WebTrust, and update the names.  My thinking was a CA can't be a real CA unless it has roots in the browsers, and you can't have roots in the browsers any more unless you have both audits because that is what the browsers require.

Gerv and Ryan objected to adding the requirement of a BR WebTrust audit on the grounds (as I understand it) that because the BRs are a product of the Forum itself, it would not be proper to add the requirement of a BR WebTrust audit as a condition to membership in the Forum (even if a BR WebTrust audit is a requirement to getting your roots in the browsers).  I don't share that view, but think we can work around it.

There is another problem with our current rule - government CAs.  Some browsers permit government CAs to be audited by a government auditor (not WebTrust or ETSI) and have its roots in the browser.  Our current Bylaw would not allow a government CA to be a Forum member, which we should probably fix.

NEW PROPOSAL

To get around this issue, we could drop specific membership requirements tied to audits, and instead assume that if multiple browser members of the Forum have allowed the applicant to include at least one root in their browsers, that is sufficient (as we assume the browsers will impose appropriate audit requirements).  This would also open membership to government CAs that don't have WebTrust or ETSI audits.

In concept, my proposal is that any CA with at least one root in the trusted root store of at least two browser members of the CA-Browser Forum  who maintain independent root stores can become a member, if they satisfy all the other requirements.  I suggest two browser members because the day could come when a single browser member drops all audit requirements, etc.  Also, it's hard to see a CA that has a root in only a single browser as being a viable CA.

The membership language for a Root CA would change to something like the following:

Root CA: The member organization operates a certification authority that has a current and successful WebTrust for CAs audit or ETSI 102042 or ETSI 101456 audit report prepared by a properly-qualified auditor, and that actively issues certificates to subordinate CAs that, in turn, actively issue certificates to Web servers that are openly accessible from the Internet using the browser or application of any two browser members of the Forum that maintain an independent trusted root store any one of the mainstream browsers.

[As edited:]

Root CA: The member organization operates a certification authority that actively issues certificates to subordinate CAs that, in turn, actively issue certificates to Web servers that are openly accessible from the Internet using the browser or application of any two browser members of the Forum that maintain an independent trusted root store.

We would make a similar change for our application rules for the "Issuing CA" membership category.

There are at least two advantages from this new approach.  First, we don't have to keep updating the specific WebTrust/ETSI audit names and numbers every time there is a change.  Second, this would open up membership to government CAs who may not have a WebTrust/ETSI audit but have roots in the browsers.

The rest of the ballot would be as before.

REQUEST FOR FEEDBACK

I'd appreciate feedback.  We can also discuss on this Thursday's call.

Kirk R. Hall
Operations Director, Trust Services
Trend Micro
+1.503.753.3088


<table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150608/fe54427a/attachment-0002.html>

More information about the Public mailing list