[cabfpub] CAB Forum membership criteria

Gervase Markham gerv at mozilla.org
Mon Mar 27 13:41:34 UTC 2017


The CAB Forum Bylaws define membership criteria, but don't say what
should happen when an existing member ceases to meet those criteria. For
the avoidance of doubt and uncertainty, I think it would be a good idea
to fix this. So I propose some draft text below which explains how I
think it should work.

Browsers
--------

The membership criteria are:

"The member organization produces a software product intended for use by
the general public for browsing the Web securely."

I suggest the following addition:

"A Browser member's membership will automatically cease when they stop
providing security updates for their software product, or if 6 months
have elapsed since the last such published update."

The rationale is simply that if you stop "producing a software product
... for browsing the Web securely", you stop being a member, and whether
you are updating that product to keep users safe is a good way of
measuring "producing".

CAs
---

The membership criteria (which are in two parts, but they are the same
for our purposes) are:

"The member organization operates a certification authority that has a
current and successful WebTrust for CAs audit, or ETSI 102042 or ETSI
101456 audit report prepared by a properly-qualified auditor, and that
actively issues certificates [...] to Web servers that are openly
accessible from the Internet using a browser created by a Browser member."

[We should probably update those ETSI standard version numbers?]

This is a bit more complex because the definition of a "current" audit
is not entirely clear. Audits are always retrospective, and then the
results are not known for a further period. I think we should have a
presumption that if a previous yearly audit was successful, the next one
will be. And so I suggest the following addition:

"A CA member's membership will be suspended if either their audit is
failed or rescinded, or if 15 months [i.e. 12 months audit length plus 3
months for letter delivery] have elapsed since the end of the audit
period of their last successful audit. A CA member's membership will
automatically cease after a further 6 months if they have not passed an
audit by that time. While suspended, CAs may attend meetings but not
make Contributions or vote."

The interim period of suspension is proposed for a number of reasons.
Firstly, because we have seen occasional problems with audit timeliness,
and we don't want members having to re-apply for membership if their
audit letter turns up a bit late. And secondly, because if there are
audit problems of other sorts, there can be a period during which the CA
can remediate them before their membership lapses.


Comments, as always, are welcome.

Gerv