[cabfpub] Bylaw interpretation: root store membership required?
Kirk.Hall at entrustdatacard.com
Tue Apr 11 08:43:02 MST 2017
+1. I think you are correct. If you had asked me, I would have said the membership rules in the Bylaws already required a CA member to have at least one trusted root in one browser - but to my surprise that specific language is not there.
I think your interpretation of "openly accessible" reaches that requirement, as you suggest. Otherwise, CAs who only issue for private PKI networks would qualify for Forum membership, and I think that was not our intent (CAs in that position don't need to follow the BRs or browser root program rules, so why be a member). I think it would be a good idea to add a specific requirement to be in at least one root store to clarify the original intention.
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham via Public
Sent: Tuesday, April 11, 2017 8:26 AM
To: CABFPub <public at cabforum.org>
Cc: Gervase Markham <gerv at mozilla.org>
Subject: [EXTERNAL][cabfpub] Bylaw interpretation: root store membership required?
The CA membership criteria say a member CA is one which:
"actively issues certificates to Web servers that are openly accessible from the Internet using a browser created by a Browser member".
What does "openly accessible" mean? Does it mean that the CA is included in at least one browser member's root store? After all, a website with a cert from an untrusted CA is still accessible in each of the browser member's browsers, after clicking through a warning.
If it does mean that, I need to update my membership ballot to take account of the fact that being in at least one root store is a membership criterion. I believe that in the past we've treated this as being a criterion for full membership, but it's not explicitly in there, so I wanted to check.
Public mailing list
Public at cabforum.org
More information about the Public