The CAB Forum Bylaws define membership criteria, but don't say what should happen when an existing member ceases to meet those criteria. For the avoidance of doubt and uncertainty, I think it would be a good idea to fix this. So I propose some draft text below which explains how I think it should work.

Browsers
--------

The membership criteria are:

"The member organization produces a software product intended for use by the general public for browsing the Web securely."

I suggest the following addition:

"A Browser member's membership will automatically cease when they stop providing security updates for their software product, or if 6 months have elapsed since the last such published update."

The rationale is simply that if you stop "producing a software product ... for browsing the Web securely", you stop being a member, and whether you are updating that product to keep users safe is a good way of measuring "producing".

CAs
---

The membership criteria (which are in two parts, but they are the same for our purposes) are:

"The member organization operates a certification authority that has a current and successful WebTrust for CAs audit, or ETSI 102042 or ETSI 101456 audit report prepared by a properly-qualified auditor, and that actively issues certificates [...] to Web servers that are openly accessible from the Internet using a browser created by a Browser member."

[We should probably update those ETSI standard version numbers?]

This is a bit more complex because the definition of a "current" audit is not entirely clear. Audits are always retrospective, and then the results are not known for a further period. I think we should have a presumption that if a previous yearly audit was successful, the next one will be. And so I suggest the following addition:

"A CA member's membership will be suspended if either their audit is failed or rescinded, or if 15 months [i.e. 12 months audit length plus 3 months for letter delivery] have elapsed since the end of the audit period of their last successful audit. A CA member's membership will automatically cease after a further 6 months if they have not passed an audit by that time. While suspended, CAs may attend meetings but not make Contributions or vote."

The interim period of suspension is proposed for a number of reasons. Firstly, because we have seen occasional problems with audit timeliness, and we don't want members having to re-apply for membership if their audit letter turns up a bit late. And secondly, because if there are audit problems of other sorts, there can be a period during which the CA can remediate them before their membership lapses.

Comments, as always, are welcome.

Gerv
