[cabfpub] Ballot 158: Adopt Code Signing Baseline Requirements

Jeremy Rowley jeremy.rowley at digicert.com
Thu Dec 17 10:49:50 MST 2015

As I just pointed out, the CAB Forum adopted EV Code signing long before it ever worked on SSL BRs. Will Mozilla now vote no on every ballot because of the openness and transparency issue? The code signing BRs were our most open discussion to date. Seems like a pretext for the no vote to me.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Wednesday, December 16, 2015 9:26 AM
Subject: Re: [cabfpub] Ballot 158: Adopt Code Signing Baseline Requirements

On 03/12/15 21:04, Dean Coclin wrote:
> _Ballot 158: Adopt Code Signing Baseline Requirements_

Mozilla votes No.

Mozilla shares the concern about the appropriateness of CAB Forum as a standardization venue for non-SSL work. As has been noted in discussions and in years past, we would prefer the CAB Forum to be even more open and transparent than it currently is. While the authors of this document certainly made commendable efforts to include other stakeholders in the discussions, those interested parties don't get a vote; and we cannot support a document being ratified using a process which is less representative than the current CAB Forum process used for SSL documents.

We don't think that the existence of standardised guidelines for code signing is an objectively bad thing for the world; the reverse is true, although as participants will know, Mozilla recently decided to remove the code signing trust bit from our trust store, and so our interest in this area is reduced. Still, we have a mild hope that either through Forum reorganization or a move to another venue, the work done here can find usefulness.

We note that the IPR policy, unfortunately, currently does not offer unrestricted copyright licensing for the text of Guidelines which have not been adopted. (Mozilla, given a free hand, would have chosen a more liberal policy.) However, if it is the consensus of the Code Signing Working Group that the standardisation of this document should continue in another venue, we are sure that some arrangement could be made with copyright holders to permit that. We certainly would not stand in the way.
