[cabfpub] [cabfman] Ballot 117 - EV Code Signing Guidelines Corrections

Gervase Markham gerv at mozilla.org
Thu Apr 3 09:08:41 UTC 2014


Mozilla believes that every root program provider should have the right
to choose the CAs they accept or don't accept, and to set the criteria -
which may be technical, business, management, security or otherwise.

We also believe that the purpose of the CAB Forum is to work on
standards which have broad use and acceptability in the industry. We
don't have a hard definition of what that looks like, we accept that
some standards will necessarily be more specialist, and we recognise the
chicken and egg problem - any standard will need some time to see how
useful and popular it is.

Version 1.1 of the EV Code Signing Guidelines was adopted nearly 2 years
ago, in May 2012. (I am unable to find out when version 1.0 was adopted
- did we ever have a version 1.0?) Since that time, one known program
has begun using them, involving 2 CAs. We think it is certainly
questionable as to whether this standard has achieved enough industry
interest on either side of the fence to continue being a work product of
the CAB Forum.

Therefore, from now on, Mozilla plans to abstain on votes related to EV
Code Signing, until there are further developments (or lack of
developments) which lead us to either reaffirm our support for CAB Forum
work on this document, or withdraw it entirely (at which point we would
actively oppose ballots related to further work).

If the CAB Forum chooses to stop working on the Code Signing document,
it's useful to note that our enlightened IPR policy allows (in clause
6.2) anyone to take guidelines we have produced and make modifications
and derivative works. So if someone is still using the document and they
want to turn it into a set of "program requirements" for their specific
program, they can do so. (Mozilla would expect that, as a matter of
clarity, the CAB Forum term "Extended Validation" or "EV" would not be
applied to documents not produced by the Forum, or programs using such
documents.)

Gerv



