<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>Jeremy,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Allow me to address your points.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>1) Implementers are free to adopt the standards produced as they see fit.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Absolutely, but in this case it was the sole implementer who approached this group to produce the standard. I think at that time it was reasonably assumed by this Forum that contributing to the creation of this standard would result in the creation of a program that would be open to any qualified CA. Seven years in and a lot of work later and that is not the case. Only two CAs have been admitted to the resulting program. In Tom's own words, "The intention however was never to enable all CS certs to become EV CS certs, only to enable those vendors..." Had that intention been made known in 2007 I seriously doubt any work would ever have been undertaken by this Forum.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>2) Work in the forum is on an entirely a voluntary basis.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Correct, but such work should only be undertaken within the constraints of the bylaws of this Forum.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>3) If Comodo feels that the Forum’s code signing work is unproductive...<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>It has been productive, but seven years in, what it has produced is something that only two CAs can use.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>4) ...a better approach would be to simply stop following the working group rather than trying to eliminate the entire project.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>That might be true, were it not for the Forum bylaws, IPR agreement and our very real concern that under the current conditions further work on EV Code Signing could bring this Forum under accusations of collusion or violations of anti trust regulations.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>5) The attendance on the working group calls indicates that many CAs find that these guidelines have significant potential to improve the security of the Internet as a whole.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>I completely agree that there is substantial interest in Code Signing amongst CAs. Unfortunately there is little interest among the other half of this Forum. I would love to see that change, but I think recent conversations both on this subject of EV Code Signing, and on the recent attempts to modify the bylaws to allow other platform vendors who are interested in Code Signing to participate, I think it is very clear that;<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>a) currently none of the other platform vendors who are current Forum members have any interest in pursuing this topic, and;<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>b) that before we could admit any platform vendor who may be interested the Forum bylaws and voting procedures would need to undergo serious revision.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Regards,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Rich<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Jeremy Rowley [mailto:jeremy.rowley@digicert.com] <br><b>Sent:</b> Thursday, April 03, 2014 4:39 PM<br><b>To:</b> richard.smith@comodo.com; 'Robin Alden'<br><b>Cc:</b> 'CABFPub'<br><b>Subject:</b> RE: [cabfpub] Baseline Requirements as part of browers programs<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:#1F497D'>Again, I strongly disagree. Implementers are free to adopt the standards produced as they see fit. For example, Mozilla chose to implement different standards than the Forum’s audit requirements. That’s great. I’m just happy they are using the standard. <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Work in the forum is on an entirely a voluntary basis. If Comodo feels that the Forum’s code signing work is unproductive, a better approach would be to simply stop following the working group rather than trying to eliminate the entire project. The attendance on the working group calls indicates that many CAs find that these guidelines have significant potential to improve the security of the Internet as a whole.<o:p></o:p></span></p><p class=MsoNormal><a name="_MailEndCompose"></a><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Jeremy<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Rich Smith<br><b>Sent:</b> Thursday, April 3, 2014 2:10 PM<br><b>To:</b> 'Jeremy Rowley'; 'Robin Alden'<br><b>Cc:</b> 'CABFPub'<br><b>Subject:</b> Re: [cabfpub] Baseline Requirements as part of browers programs<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:#1F497D'>It's not any kind of success to those who contributed substantial time and resources to a work product that was only ever created in the first place at the request of that single adopter, only to have that single adopter take the resulting work product and create a closed program which only allows a very small minority of those who gave their time and effort to benefit from it.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>For one in that minority, I guess it's a resounding success, for the rest it was and continues to be a complete waste of time and resources, and a distraction from matters this Forum SHOULD be engaged in which benefit the entire ecosystem.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Down the road should there either be additional adopters of the specification, or should the single adopter choose to open their program, then it may be in this Forum's wider interest to engage in further activity to revise and improve the specification. At present, it is not, and it is IMO in contravention of the Forum bylaws to continue ongoing work unless and until one of the above conditions is met.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Don't get me wrong, if a vendor wants to run a closed program, that is their prerogative, but it is not the Forum's job, nor in the interests of the Forum to do the work to design it for them without some benefit to the wider Forum.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Regards,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Rich<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Jeremy Rowley<br><b>Sent:</b> Thursday, April 03, 2014 3:37 PM<br><b>To:</b> 'Robin Alden'<br><b>Cc:</b> 'CABFPub'<br><b>Subject:</b> Re: [cabfpub] Baseline Requirements as part of browers programs<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:#1F497D'>Thanks Robin. I missed that. <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Still, my underlying point remains the same – a single adopter in a space where there are only 3-4 major players is a huge success. The fact that Microsoft is using the CAB Forum’s EV Guidelines, and choosing to improve them through that same venue, is a huge success and a tribute to the Forum’s ability to product relevant and quality work product. <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Jeremy<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Robin Alden [<a href="mailto:robin@comodo.com">mailto:robin@comodo.com</a>] <br><b>Sent:</b> Thursday, April 3, 2014 11:07 AM<br><b>To:</b> Jeremy Rowley<br><b>Cc:</b> CABFPub<br><b>Subject:</b> Baseline Requirements as part of browers programs<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=EN-GB>Hi Jeremy,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> You mentioned on today’s call that you thought only Mozilla had adopted the BRs as part of their CA program.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB>After refreshing my memory, I believe Microsoft also require compliance with the BRs – at least for CAs following the WebTrust audit route.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><a href="http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx">http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx</a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Search for “Qualified Audit Regime”.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB>They are also replacing the current standard for government CAs with a BR audit equivalency standard. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB>There are a number of other references to the BRs on that page, too.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB>Regards<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB>Robin<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB>Robin Alden M.Sc. FRI MIET<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>CTO -- Comodo<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Invent ² Secure<o:p></o:p></span></p></div></div></div></body></html>