[cabfpub] Baseline Requirements as part of browers programs

Rich Smith richard.smith at comodo.com
Fri Apr 4 18:01:51 UTC 2014


Jeremy,

Allow me to address your points.

1) Implementers are free to adopt the standards produced as they see fit.

Absolutely, but in this case it was the sole implementer who approached this
group to produce the standard.  I think at that time it was reasonably
assumed by this Forum that contributing to the creation of this standard
would result in the creation of a program that would be open to any
qualified CA.  Seven years and a lot of work later, that is not the
case.  Only two CAs have been admitted to the resulting program.  In Tom's
own words, "The intention however was never to enable all CS certs to become
EV CS certs, only to enable those vendors..."  Had that intention been made
known in 2007 I seriously doubt any work would ever have been undertaken by
this Forum.

2) Work in the forum is on an entirely voluntary basis.

Correct, but such work should only be undertaken within the constraints of
the bylaws of this Forum.

3) If Comodo feels that the Forum’s code signing work is unproductive...

It has been productive, but seven years in, what it has produced is
something that only two CAs can use.

4) ...a better approach would be to simply stop following the working group
rather than trying to eliminate the entire project.

That might be true, were it not for the Forum bylaws, IPR agreement and our
very real concern that under the current conditions further work on EV Code
Signing could bring this Forum under accusations of collusion or violations
of antitrust regulations.

5) The attendance on the working group calls indicates that many CAs find
that these guidelines have significant potential to improve the security of
the Internet as a whole.

I completely agree that there is substantial interest in Code Signing
amongst CAs.  Unfortunately there is little interest among the other half of
this Forum.  I would love to see that change, but given recent
conversations both on this subject of EV Code Signing, and on the recent
attempts to modify the bylaws to allow other platform vendors who are
interested in Code Signing to participate, I think it is very clear that:

a) currently none of the other platform vendors who are current Forum
members have any interest in pursuing this topic; and

b) before we could admit any platform vendor who may be interested, the
Forum bylaws and voting procedures would need to undergo serious revision.

Regards,

Rich

From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com] 
Sent: Thursday, April 03, 2014 4:39 PM
To: richard.smith at comodo.com; 'Robin Alden'
Cc: 'CABFPub'
Subject: RE: [cabfpub] Baseline Requirements as part of browers programs

Again, I strongly disagree.  Implementers are free to adopt the standards
produced as they see fit.  For example, Mozilla chose to implement different
standards than the Forum’s audit requirements.  That’s great.  I’m just
happy they are using the standard.  

Work in the forum is on an entirely voluntary basis. If Comodo feels that
the Forum's code signing work is unproductive, a better approach would be to
simply stop following the working group rather than trying to eliminate the
entire project.  The attendance on the working group calls indicates that
many CAs find that these guidelines have significant potential to improve
the security of the Internet as a whole.

Jeremy

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rich Smith
Sent: Thursday, April 3, 2014 2:10 PM
To: 'Jeremy Rowley'; 'Robin Alden'
Cc: 'CABFPub'
Subject: Re: [cabfpub] Baseline Requirements as part of browers programs

It's not any kind of success to those who contributed substantial time and
resources to a work product that was only ever created in the first place at
the request of that single adopter, only to have that single adopter take
the resulting work product and create a closed program which only allows a
very small minority of those who gave their time and effort to benefit from
it.

For one in that minority, I guess it's a resounding success, for the rest it
was and continues to be a complete waste of time and resources, and a
distraction from matters this Forum SHOULD be engaged in which benefit the
entire ecosystem.

Down the road should there either be additional adopters of the
specification, or should the single adopter choose to open their program,
then it may be in this Forum's wider interest to engage in further activity
to revise and improve the specification.  At present, it is not, and it is
IMO in contravention of the Forum bylaws to continue ongoing work unless and
until one of the above conditions is met.

Don't get me wrong, if a vendor wants to run a closed program, that is their
prerogative, but it is not the Forum's job, nor in the interests of the
Forum to do the work to design it for them without some benefit to the wider
Forum.

Regards,

Rich

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Jeremy Rowley
Sent: Thursday, April 03, 2014 3:37 PM
To: 'Robin Alden'
Cc: 'CABFPub'
Subject: Re: [cabfpub] Baseline Requirements as part of browers programs

Thanks Robin.  I missed that.  

Still, my underlying point remains the same – a single adopter in a space
where there are only 3-4 major players is a huge success.  The fact that
Microsoft is using the CAB Forum's EV Guidelines, and choosing to improve
them through that same venue, is a huge success and a tribute to the Forum's
ability to produce relevant and quality work product.

Jeremy

From: Robin Alden [mailto:robin at comodo.com] 
Sent: Thursday, April 3, 2014 11:07 AM
To: Jeremy Rowley
Cc: CABFPub
Subject: Baseline Requirements as part of browers programs

Hi Jeremy,

You mentioned on today's call that you thought only Mozilla
had adopted the BRs as part of their CA program.

After refreshing my memory, I believe Microsoft also require compliance with
the BRs – at least for CAs following the WebTrust audit route.

http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx

Search for “Qualified Audit Regime”.

They are also replacing the current standard for government CAs with a BR
audit equivalency standard. 

There are a number of other references to the BRs on that page, too.

Regards

Robin

Robin Alden  M.Sc.  FRI  MIET

CTO -- Comodo

Invent ² Secure
