[cabfpub] Ballot 158: Adopt Code Signing Baseline Requirements

[Gervase Markham]

On 03/12/15 21:04, Dean Coclin wrote:
> _Ballot 158: Adopt Code Signing Baseline Requirements_

Mozilla votes No.

Mozilla shares the concern about the appropriateness of CAB Forum as a
standardization venue for non-SSL work. As has been noted in discussions
and in years past, we would prefer the CAB Forum to be even more open
and transparent than it currently is. While the authors of this document
certainly made commendable efforts to include other stakeholders in the
discussions, those interested parties don't get a vote; and we cannot
support a document being ratified using a process which is less
representative than the current CAB Forum process used for SSL documents.

We don't think that the existence of standardised guidelines for code
signing is an objectively bad thing for the world; the reverse is true,
although as participants will know, Mozilla recently decided to remove
the code signing trust bit from our trust store, and so our interest in
this area is reduced. Still, we have a mild hope that either through
Forum reorganization or a move to another venue, the work done here can
find usefulness.

We note that the IPR policy, unfortunately, currently does not offer
unrestricted copyright licensing for the text of Guidelines which have
not been adopted. (Mozilla, given a free hand, would have chosen a more
liberal policy.) However, if it is the consensus of the Code Signing
Working Group that the standardisation of this document should continue
in another venue, we are sure that some arrangement could be made with
copyright holders to permit that. We certainly would not stand in the way.

Gerv