[cabfpub] [cabfman] Ballot 117 - EV Code Signing Guidelines Corrections

Moudrick Dadashov md at ssc.lt
Thu Apr 3 10:06:07 UTC 2014

Once we define/clarify the fundamental terms, the issues identified so far will have their proper positioning.

The clarification of the following terms IMO should help us in further discussions:

1. Code;
2. Code signing;
3. Certificate;
4. SSL certificate (in a broader sense, so that we can find out which of them are within the Forum's focus);
5. Code signing (in a broader sense, so that we can find out which of them are related or contribute to the Forum's primary focus).

The term 'code', in relation to its life-cycle environments (operating systems, browsers, various run-time framework plugins, add-ons, etc.), takes its life from 'ancient' times; today it has so many different meanings, forms and implementations that it's not surprising that everyone may understand it based on his/her personal experience.

As an example, the 'code' that is delivered and run within the client's browser framework might be more interesting for us than device driver code running under the control of an OS. This is just an example of how well-defined terms could help us to better address things of common interest.

Just my 2c.


Gervase Markham <gerv at mozilla.org> wrote:

>Mozilla believes that every root program provider should have the right
>to choose the CAs they accept or don't accept, and to set the criteria -
>which may be technical, business, management, security or otherwise.
>We also believe that the purpose of the CAB Forum is to work on
>standards which have broad use and acceptability in the industry. We
>don't have a hard definition of what that looks like, we accept that
>some standards will necessarily be more specialist, and we recognise the
>chicken and egg problem - any standard will need some time to see how
>useful and popular it is.
>Version 1.1 of the EV Code Signing Guidelines was adopted nearly 2 years
>ago, in May 2012. (I am unable to find out when version 1.0 was adopted
>- did we ever have a version 1.0?) Since that time, one known program
>has begun using them, involving 2 CAs. We think it is certainly
>questionable as to whether this standard has achieved enough industry
>interest on either side of the fence to continue being a work product of
>the CAB Forum.
>Therefore, from now on, Mozilla plans to abstain on votes related to EV
>Code Signing, until there are further developments (or lack of
>developments) which lead us to either reaffirm our support for CAB Forum
>work on this document, or withdraw it entirely (at which point we would
>actively oppose ballots related to further work).
>If the CAB Forum chooses to stop working on the Code Signing document,
>it's useful to note that our enlightened IPR policy allows (in clause
>6.2) anyone to take guidelines we have produced and make modifications
>and derivative works. So if someone is still using the document and they
>want to turn it into a set of "program requirements" for their specific
>program, they can do so. (Mozilla would expect that, as a matter of
>clarity, the CAB Forum term "Extended Validation" or "EV" would not be
>applied to documents not produced by the Forum, or programs using such
>Public mailing list
>Public at cabforum.org
