Version 1.2 of the CA / Browser Forum bylaws was adopted and became effective 16 October 2014, and is available as a PDF here: CA-Browser Forum Bylaws v.1.2
Version 1.1 of the CA / Browser Forum bylaws was adopted and became effective 25 March 2014, and is available as a PDF here: CA-Browser Forum Bylaws v. 1.1
Version 1.0 of the Bylaws was adopted in 2012 and is available here: CA/Browser Forum Bylaws v. 1.0
BYLAWS OF THE CA/BROWSER FORUM
Version 1.4 – Adopted effective as of 4 April 2016
1. CA/BROWSER FORUM – PURPOSE, STATUS, AND ANTITRUST LAWS
1.1 Purpose of the Forum:
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of leading certification authorities (CAs) and vendors of Internet browser software and other applications.
Members of the CA/Browser Forum have worked closely together in defining the guidelines and means of implementation for best practices as a way of providing a heightened security for Internet transactions and creating a more intuitive method of displaying secure sites to Internet users.
1.2 Status of the Forum and Forum Activities
The Forum has no corporate or association status, but is simply a group of CAs and browsers which communicates or meets from time to time to discuss matters of common interest relevant to the Forum’s purpose. The Forum has no regulatory or industry powers over its members or others. Other than those rights and responsibilities found in the Forum’s Intellectual Property Rights Policy (IPR), Forum “membership” or other participation status does not convey any legal status or rights, but is intended simply as a guide to the levels of participation in Forum activities.
1.3 Intellectual Property Rights Policy; Antitrust Laws and Regulations; Goal; Conduct
Forum Members, Associate Members, and Interested Parties must comply with the then-current IPR policy and all applicable antitrust laws and regulations during their Forum activities.
The historic goal of Forum activities (including development of proposed requirements and guidelines and voting on all matters) has been to seek substantial consensus among Forum Members before proceeding or adopting final work product, and this goal will remain for the future. Members shall not use their participation in the Forum either to promote their own products and offerings or to restrict or impede the products and offerings of other Members.
The Chair will read an antitrust compliance statement at the start of all Forum Meetings (and on other occasions, as the Chair deems necessary) in substantially the following form:
“As you know, this meeting includes companies that compete against one another. This meeting is intended to discuss technical standards related to the provision of existing and new types of digital certificates without restricting competition in developing and marketing such certificates. This meeting is not intended to share competitively-sensitive information among competitors, and therefore all participants agree not to discuss or exchange information related to:
(a) Pricing policies, pricing formulas, prices or other terms of sale;
(b) Costs, cost structures, profit margins,
(c) Pending or planned service offerings,
(d) Customers, business, or marketing plans; or
(e) The allocation of customers, territories, or products in any way.”
2. FORUM MEMBERSHIP AND VOTING
2.1 Qualifying for Forum Membership
(a) CA/Browser Forum members shall meet at least one of the following criteria.
(1) Issuing CA: The member organization operates a certification authority that has a current and successful WebTrust for CAs audit, or ETSI 102042 or ETSI 101456 audit report prepared by a properly-qualified auditor, and that actively issues certificates to Web servers that are openly accessible from the Internet using a browser created by a Browser member. Applicants that are not actively issuing certificates but otherwise meet membership criteria may be granted Associate Member status under Bylaw Sec. 3.1 for a period of time to be designated by the Forum.
(2) Root CA: The member organization operates a certification authority that has a current and successful WebTrust for CAs, or ETSI 102042 or ETSI 101456 audit report prepared by a properly-qualified auditor, and that actively issues certificates to subordinate CAs that, in turn, actively issue certificates to Web servers that are openly accessible from the Internet using a browser created by a Browser member. Applicants that are not actively issuing certificates but otherwise meet membership criteria may be granted Associate Member status under Bylaw Sec. 3.1 for a period of time to be designated by the Forum.
(3) Browser: The member organization produces a software product intended for use by the general public for browsing the Web securely.
(b) Applicants should supply the following information:
(1) Confirmation that the applicant satisfies at least one of the membership criteria (and if it satisfies more than one, indication of the single category under which the applicant wishes to apply).
(2) The organization name, as you wish it to appear on the Forum Web site and in official Forum documents.
(3) URL of the applicant’s main Web site.
(4) Names and email addresses of employees who will participate in the Forum mail list.
(5) Emergency contact information for security issues related to certificate trust.
CA Applicants should supply the following additional information:
(6) URL of the current qualifying performance audit report.
(7) The URL of at least one third party website that includes a certificate issued by the Applicant in the certificate chain.
(8) Links or references to issued certificates that demonstrate compliance with all applicable certificate, CRL, and OCSP requirements.
(c) An Applicant shall become a Member once the Forum has determined by consensus among the Members during a teleconference or meeting that the Applicant meets all of the requirements of subsection (a) or, upon the request of any Member, by a Ballot among the Members. Acceptance by consensus shall be determined or a Ballot of the Members shall be held as soon as the Applicant indicates that it has presented all information required under subsection (b) and has responded to all follow-up questions from the Forum and the Member has complied with the requirements of Section 5.5.
2.2 Ballots Among Forum Members
Ballots will be conducted in accordance with the following rules.
(a) Only votes by Members shall be accepted.
(b) Only one vote per Member company shall be accepted; representatives of corporate affiliates shall not vote.
(c) A representative of any Member can call for a proposed ballot to be published for review and comment by the membership. Any proposed ballot needs two endorsements by other Members in order to proceed. The review period then shall take place for at least seven calendar-days before votes are cast.
(d) The CA/Browser Forum shall provide seven calendar-days for voting, with the deadline clearly communicated via the members’ electronic mailing list. All voting will take place online via the members’ electronic mailing list.
(e) Only votes that indicate a clear ‘yes’ or ‘no’ response to the ballot question shall be considered (i.e. votes to abstain and votes that do not indicate a clear ‘yes’ or ‘no’ response will not figure in the calculation of item (f), below).
(f) Members fall into two categories: CAs (comprising issuing CAs and root CAs, as defined in the membership criteria) and product suppliers (as defined in the membership criteria). In order for the motion to be adopted by the Forum, two-thirds or more of the votes cast by the Members in the CA category must be in favor of the motion, and at least 50% plus one of the votes cast by the members in the browser category must be in favor of the motion. At least one CA Member and one browser Member must vote in favor of a ballot for the ballot to be adopted.
(g) A ballot result will be considered valid only when more than half of the number of currently active members has participated. The number of currently active members is the average number of member organizations that have participated in the previous three meetings (both teleconferences and face-to-face meetings).
(h) The CA/Browser Forum will tabulate and announce the results within one calendar-day of the close of the voting period.
3. OTHER FORUM PARTICIPATION
3.1 Associate Members
The Forum may enter into associate member relationships with other organizations when the CA/Browser Forum determines that maintaining such a relationship will be of benefit to the work of the Forum. In the past, entities qualifying as Associate Members have included the AICPA/CICA WebTrust Task Force, the European Telecommunications Standards Institute, Paypal, the Internet Corporation for Assigned Names and Numbers, tScheme, the U.S. Federal PKI, and CAs applying for membership but awaiting full qualification under Section 2.1. Participation as an Associate Member is by invitation only. In order to become an Associate Member, an organization must sign a mutual letter of intent, understanding, or other agreement and the Forum’s IPR Agreement, unless this latter requirement is waived in writing by the Forum based on overriding policies of the Associate Member’s own organization IPR rules. Associate Members may attend face-to-face meetings, communicate with Forum Members on member lists, and access Forum wiki content. Associate Members are not entitled to vote except on special straw polls of the Forum (e.g. when selecting meeting dates, locations, etc.).
3.2 Interested Parties
Any person or entity that wishes to participate in the Forum as an Interested Party may do so by providing their name, affiliation (optional), and contact information, and by agreeing to the IPR Agreement attached as Exhibit A (indicating agreement by manual signing or digitally signing the agreement).
Interested Parties may participate in Forum activities in the following ways:
(a) By becoming involved in Working Groups,
(b) By posting to the Public Mail List, and
(c) By participating in those portions of Forum Teleconferences and Forum Meetings to which they are invited by the Forum Chair relating to their areas of special expertise or the subject of their Working Group participation.
Interested Parties are required to comply with the provisions of the IPR Agreement and these Bylaws. Interested Parties may lose their status as Interested Parties by vote of the Members, in the Members’ sole discretion.
3.3 Other Parties
The public may follow the Forum’s activities by reading all postings on the Public Mail List and the Public Web Site. Questions or comments to the Forum may be sent to Questions Mail List.
4. OFFICERS AND FINANCES
(a) Term of office: The Forum will elect a Chair and Vice Chair, each to serve for a two-year term. The Vice Chair has the authority of the Chair in the event of any absence or unavailability of the Chair, and in such circumstances, any duty delegated to the Chair herein may be performed by the Vice Chair. For example, the Vice Chair will preside at Forum Meetings and Forum Teleconferences in the Chair’s absence. The offices of Chair and Vice Chair may only be filled by Forum Member representatives.
No person may serve as Chair for more than a two-year period or be elected to Vice Chair upon expiration or termination of the person’s service as Chair, but a person is eligible to be elected as Chair again after having vacated the position as Chair for at least two years.
(b) Manner of conducting nominations: At least sixty (60) days prior to the expiration of the current Chair’s term or upon his/her early termination as Chair, the Chair or Vice Chair will announce through the management mailing list that nominations are open for the office of Chair and the Vice Chair will automatically be nominated as the next Chair, but Forum Members may nominate themselves or others to be additional candidates as Chair. A Vice Chair may decline the nomination to the office of Chair and/or indicate an intent to seek nomination for re-election to the office of Vice Chair. The nomination period for Chair will last for at least one week but no longer than four weeks. Upon the close of the nominations for Chair, the nomination period for the office of Vice Chair shall immediately open. The nomination period for Vice Chair will last for at least one week but no longer than four weeks.
(c) Manner of holding officer elections: If a single individual is nominated for a position, the Forum will hold a ballot to confirm appointment of the nominee. For the confirmation ballot, each Forum Member is entitled to a single vote regardless of the number of participating Forum Member representatives or whether the Forum Member is categorized as a CA or product supplier. If multiple votes are received from a Forum Member’s representatives, the last vote submitted during the voting period is considered the Forum Member’s vote. The single nominee is considered confirmed if a majority of the Forum members who vote are in favor of the appointment, regardless of the number of votes cast and irrespective of whether 2/3 of the CAs or 1/2 of the product suppliers approve appointment of the nominee.
If more than one candidate is nominated for Chair or Vice Chair, the Forum will announce an election ballot to determine which candidate will fill the position. Within two weeks after the close of the nomination period, the Chair or Vice Chair will establish an election committee and announce the election ballot on the management mailing list along with the ballot start date, ballot end date, and a description of the voting process. The Chair or Vice Chair will appoint the election committee by selecting at least two volunteers who have a reputation for independence, preferably individuals without voting rights in the Forum and that participate as Interested Parties. The election committee is responsible solely for tallying Forum Member votes in connection with the election ballot. The description must include the email address(es) where members will send their vote, which should be the email addresses of the election committee.
For election ballots, each Forum Member is entitled to a single vote regardless of the number of participating Forum Member representatives or whether the Forum Member is categorized as a CA or product supplier. If multiple votes are received from a Forum Member’s representatives, the last vote submitted during the voting period is considered the Forum Member’s vote. Within two weeks after the election ballot closes, the election committee will compile the votes, ensure that only one vote is counted per Forum Member, confirm the results with other members of the election committee, and publish the ballot results by sending an email to the public mailing list. The election committee will not include any votes submitted before or after the voting period when compiling the votes. The ballot results email will contain only the following information: a short description of the ballot purpose, the total number of votes submitted during the ballot period, and the name of the nominee receiving the most votes. The election committee may include other language as necessary to accurately describe the ballot and any concerns the election committee had with the ballot, provided that such language does not disclose how individual Forum Members voted. The election committee will treat the votes of individual Forum Members as confidential information. The nominee receiving the most votes is appointed to the applicable position, regardless of the number of votes cast and irrespective of whether 2/3 of the CAs or ½ of the product suppliers voted for the nominee. If the election ballot results in a tie among the candidates receiving the most votes, the Chair or Vice Chair will call for another election ballot that includes only the two tying candidates.
(d) Duties: The Chair and Vice Chair shall exercise their functions in a fair and neutral manner, allowing all Members equal treatment for their comments and proposals, and shall not favor one side over another in any matter (except that the Chair and Vice Chair may indicate their own position during discussion and voting on the matter). The Chair and Vice Chair shall have no personal liability for any activities of the Forum or its Members or Interested Parties.
The Chair or the Vice Chair may sign correspondence, applications, forms, Letters of Intent, and Memoranda of Understanding relating to projects with standards bodies, industry groups, and other third parties, but shall have no personal liability therefor.
Because the Forum has no corporate status, it will not maintain funds or banking accounts. The costs of operating Forum websites or mailing lists will be covered by voluntary contribution from Forum Members (who may seek voluntary contributions from other Members to help defray such costs). Forum Members may propose other group activities which they propose to sponsor (e.g., research projects, etc.) which require funding and may seek voluntary contributions from other Members for such activities.
Forum Meetings may be held from time to time upon the voluntary sponsorship of one or more Forum members. The sponsor of a Forum Meeting may suggest a fixed cost per meeting participant as reimbursement to the sponsor to cover (a) the cost of meeting rooms and refreshments, and (b) the cost of any meeting dinner or other group activity. Sponsors will be encouraged to announce any suggested per-participant fixed cost reimbursement amount in advance of the Forum Meeting for participant planning purposes, and will provide a statement or invoice to each participant upon request after the Forum Meeting for submission to the participant’s accounting department. All per-participant reimbursements shall be paid directly to the sponsor.
Interested Parties will not be required to pay anything for their participation in Forum activities, but must cover their own expenses for participation in any Working Group meetings.
5. FORUM ACTIVITIES
5.1 Member Mail List and Member Web Site
The Forum shall maintain a Member Mail List and Member Web Site that are not accessible by the public. The following matters may be posted to the Member Mail List and Member Web Site:
(a) Draft minutes of Forum meetings (both virtual and in-person, and including any sub-groups or committees) will be posted to the Member Mail List to allow Members to make sure they are being correctly reported.
Minutes will be considered Final when approved at a subsequent Forum Meeting or Forum Teleconference, or after 2 weeks have elapsed since publication of the draft if no Forum Meeting or Forum Teleconference is imminent. Final minutes will then be posted to the Public Mail List and Public Web Site. The Chair will, upon request, make redactions of any part of the public copy of the minutes identified as private or sensitive by either the information discloser or a member mentioned or affiliated with the subject of the information.
(b) Nominations for officer positions, Forum Meeting and Forum Teleconference scheduling issues, and discussion of Forum financial issues.
(c) Security incidents if, in the opinion of the Members, discussion on the Public Mail List could reasonably be detrimental to the implementation of security measures by Members.
(d) Proposed responses to questions sent to the Questions Mail List.
(f) Matters which, in the opinion of the Members, require confidentiality.
Members have discretion about which mailing list they use, but are strongly encouraged to use the Public Mail List for matters other than those listed above.
Members are strongly discouraged from posting the text of Member Mail List messages to the Public Mail List without the permission of the author or commenter.
5.2 Public Mail List and Public Web Site
The Chair shall appoint a List Manager who shall maintain a Public Mail List. Forum Members and Interested Parties may post to the Public Mail List in compliance with these Bylaws. Anyone else is allowed to subscribe to and receive messages posted to the Public Mail List, which may be crawled and indexed by Internet search engines.
The Chair shall appoint a Webmaster. The Webmaster shall post instructions on the Public Web Site for subscribing to the Public Mail List.
The following materials shall be posted to the Public Mail List or Public Web Site:
(a) Draft and final agendas for Working Group meetings, Forum Meetings and Forum Teleconferences (including any sub-groups or committees).
(b) Final minutes of Forum Meetings and Forum Teleconferences (including minutes of any sub-groups or committees), and minutes of all Working Group teleconferences and meetings.
(c) Messages formally proposing a Forum ballot (including ballots to establish, modify, or terminate Working Groups), individual votes, vote and quorum counts, and messages announcing ballot outcomes and voting breakdowns.
(d) Initial and final drafts of Forum requirements, guidelines, and recommendations after the drafter has had an opportunity to receive and respond to initial Member comments.
(e) Initial and final drafts of Working Group requirements, guidelines, and recommendations after the drafter has had an opportunity to receive and respond to initial Working Group member comments.
5.3 Working Groups
Members may propose by ballot the appointment of Working Groups open to participation by Members and Interested Parties. The ballot shall outline the scope of the Working Group’s activities, including deliverables, any limitations, and Working Group expiration date. Upon approval of the Working Group, the Chair will call for a show of interest in participation by Members, and shall appoint a Working Group Chair from among the interested Members.
Upon creation of a Working Group, the Forum will post an invitation to all Interested Parties to participate, and will solicit others with expertise and interest in the Working Group subject matter to become Interested Parties and participate in the Working Group. With the approval of the Chair, Working Groups may establish separate list-servs, wikis, and web pages for their communications, but all such separate list-servs must be managed in the same fashion as the Public Mail List. Working Groups may meet by teleconference or face-to-face meetings upon approval by the Chair and the Working Group Chair, but the Forum shall not be responsible for the expenses of any such teleconferences or meetings.
Working Groups may draft recommendations to be forwarded to the Forum for its consideration, but no recommendations will be considered the product of the Working Group unless approved by two-thirds of all Working Group members who vote on the recommendations. All substantial initial and final drafts of the Working Group product will be posted on the Public Mail List.
The Forum shall review the final recommendations from a Working Group and may approve and implement some or all of the recommendations as appropriate in the Forum’s judgment following the Forum’s regular voting rules. The Forum shall retain the right to amend a Working Group recommendation before approval, but in most cases should first return the proposed amended recommendation to the Working Group for its review and response before voting.
The Forum shall not be required to submit any matter to a Working Group, but may itself draft requirements and guidelines without a Working Group in its discretion.
5.4 Forum Teleconferences and Forum Meetings
From time to time the Forum will hold Forum Teleconferences and Forum Meetings among the Members and Associate Members, who may participate in person or (where feasible) by teleconference. Interested Parties and others may be invited by the Chair, in the Chair’s discretion, to participate in those portions of Forum Teleconferences and Forum Meetings that are relevant to their expertise or their participation in Working Groups.
5.5 IPR policies
As a requirement for membership, Members must execute and return to the Chair the IPR Agreement attached as Exhibit A.
As a requirement for participation as an Associate Member or Interested Party, Associate Members and Interested Parties must execute and return to the Chair the IPR Agreement attached as Exhibit A.
5.6 Project Lifecycle
In general, Forum projects will follow the model Project Lifecycle attached as Exhibit B. However, the Members may modify this model as appropriate by their subsequent actions.
6.1 Posting and Amendment of the Bylaws
The current Bylaws shall be posted to the Public Web Site. These Bylaws may be amended by subsequent ballot of the Members.
6.2 Procedure for Dealing with Questions and Comments
The Forum procedure for dealing with questions and comments sent to the Questions Mail List shall be as follows. The Chair shall appoint a Questions List Coordinator. The responsibilities of the Questions List Coordinator are:
(a) If practical, within 24 hours send an acknowledgment to the questioner indicating that the question or comment has been received and that a response will be provided as soon as is practical.
(b) Coordinate discussion using the Member Mail List until consensus has been achieved.
(c) Post the proposed response to the Member Mail List indicating that Members have 24 hours to object.
(d) If no objections are received before the deadline expires, then send the response to the questioner.
(e) If consensus cannot be achieved, or one or more objections are received, then the matter should be dealt with in the next Forum Meeting or Forum Teleconference.
Forum Meetings: Face-to-face meetings of Members as scheduled from time to time.
Forum Teleconferences: Teleconference meetings of Members as scheduled from time to time.
Member: A Member of the Forum or a representative of the Member (depending on context).
Member Mail List: The email list-serv maintained by the Forum for communications by and among Forum Members. The Member Mail List is not available to Interested Parties or Other Parties.
Member Web Site: The password-protected web site available only to Members (currently called the CA/Browser Forum Wiki).
Public Mail List: The public email list-serv currently located at email@example.com maintained by the Forum for communications by and among Members and Interested Parties. The Public Mail List may be read by Other Parties, but Other Parties may not post to the Public Mail List.
Public Web Site: The web site available only to Members, Interested Parties, and Other Parties (currently located at cabforum.org). A Forum Member will be appointed as Webmaster and will control all postings to the Public Web Site.
Questions Mail List: The email list-serv currently located at firstname.lastname@example.org maintained by the Forum for communications from the public to the Forum.
Exhibit A – CAB Forum IPR Policy Agreement
This CAB Forum IPR Policy Agreement (the “Agreement”) constitutes a binding contract amongst all participants who make Contributions during the process of developing a Draft Guideline for the purpose of incorporating such material into a Draft Guideline or a Final Guideline of the CA / Browser Forum.
In consideration of the mutual promises herein, Participant agrees on his/her/its behalf, and on behalf of any Affiliates, to abide by the terms of the Intellectual Property Rights Policy of the CAB Forum (the “IPR Policy”) v.1.2, incorporated herein by reference. Participant acknowledges that some of its obligations under the IPR Policy may survive the termination of this Agreement, as more fully described in the IPR Policy.
The party signing this Agreement intends that it shall take effect as an instrument under seal. If such party is not a natural person, the individual signing this Agreement for the Participant represents and warrants that he or she has the authority to enter into this Agreement on behalf of the Participant.
The Participant represents and warrants that either: (a) it has the authority to enter into this Agreement on behalf of all of its Affiliates; or (b) it has no Affiliates; or (c) each of its Affiliates has executed and delivered to the CAB Forum a countersignature to this Agreement, indicating that it consents to this Agreement, and agrees to enforce this Agreement’s terms as to any of such Affiliate’s Intellectual Property, including such terms as may properly be changed by the CAB Forum by notice to the Participant under this Agreement.
Print Name __________________________
Participant Organization Name (if entity)
Exhibit B – Project Lifecycle