[cabfpub] Fwd: Re: CAB Forum membership criteria
Gervase Markham
gerv at mozilla.org
Tue Mar 28 09:40:01 UTC 2017
Forwarding with permission.
Gerv
-------- Forwarded Message --------
Subject: Re: [cabfpub] CAB Forum membership criteria
Date: Mon, 27 Mar 2017 15:46:44 +0200
From: Florian Weimer <fw at deneb.enyo.de>
To: Gervase Markham <gerv at mozilla.org>
* Gervase Markham via Public:
> I suggest the following addition:
>
> "A Browser member's membership will automatically cease when they stop
> providing security updates for their software product, or if 6 months
> have elapsed since the last such published update."
>
> The rationale is simply that if you stop "producing a software product
> ... for browsing the Web securely", you stop being a member, and whether
> you are updating that product to keep users safe is a good way of
> measuring "producing".
I suggest to replace “security updates” with just ”updates”. Most
browser updates contain security updates these days, so some vendors
might opt not to label security updates as such.
> This is a bit more complex because the definition of a "current" audit
> is not entirely clear. Audits are always retrospective, and then the
> results are not known for a further period. I think we should have a
> presumption that if a previous yearly audit was successful, the next one
> will be. And so I suggest the following addition:
>
> "A CA member's membership will be suspended if either their audit is
> failed or rescinded, or if 15 months [i.e. 12 months audit length plus 3
> months for letter delivery] have elapsed since the end of the audit
> period of their last successful audit. A CA member's membership will
> automatically cease after a further 6 months if they have not passed an
> audit by that time. While suspended, CAs may attend meetings but not
> make Contributions or vote."
I think this goes in the right direction. But it's conceivable that a
systemic issue causes many CAs to fail their audits at the same time
(assuming that audit periods are aligned with calendar years), and it
may be prudent to make sure that the forum can survive that.
More information about the Public
mailing list