[cabfpub] Code Signing Baseline Requirements - Public Draft

Gervase Markham gerv at mozilla.org
Fri Aug 29 08:37:56 MST 2014

On 27/08/14 00:34, Ryan Sleevi wrote:
> Indeed, the only reference I can find towards the CA/Browser Forum
> agreeing towards any creation of a Code Signing Working Group is this
> summary - https://cabforum.org/pipermail/public/2013-March/001316.html
> "He noted that at the face-to-face meeting in Mountain View, we had
> decided to start a code signing authentication working group to try to
> address some of the issues that have come up with code signing
> authentication."
> Unfortunately, for the life of me, I cannot find the minutes of that F2F
> in https://cabforum.org/category/minutes , which was hosted by Mozilla
> in February 2013, nor does such voice voting seem to have been
> consistent with our Bylaws (Adopted November 23, 2012). I hope you can
> provide publicly available details where we missed the time most
> opportune to express our concerns, but as you can see below, this is
> certainly not a new set of concerns.

On 21st February, in response to a question from Atsushi, Ben Wilson wrote:

"That is a good question, Atsushi.  I will quickly prepare the minutes
of today’s meeting and I will try to put something together soon for the
last two face-to-face meetings.  It has been hard to prepare them after
face-to-face meetings, and from now on we ought to follow IETF procedure
and assign a scribe before we begin discussions.  Again, 申し訳ありません."

[I was surprised and amused when Google Translate turned that long
string of Japanese characters into the single word "Sorry". I expect
it's a little more nuanced than that. Culture, eh?]

However (and no blame on Ben), it seems such minutes never appeared. We
have got better about this since.

The Code Signing Working Group effort seems to have been kicked off by
an email from Dean to cabfman on 4th March 2013:

"As discussed at our last face to face meeting at Mozilla, a working
group will be formed to improve the authentication for code signing
certificates and suggest enhancements in this area.

Symantec agreed to lead the group, and volunteers from Microsoft,
Globalsign, Digicert and Comodo also stepped forward to be on the committee.

Before we commence work, I wanted to advertise to the broader CABF that
this work will begin soon and also ask if any others want to participate.

Also, can I please get the names and emails of the people that will be
participating from the companies named above?

Thank you,


Responses to this message were from Rich Smith, Tom Albertson, Rob
Stradling and Phil Hallam-Baker, all asking to be involved.

