The CA/Browser Forum (a.k.a. CABForum), the same people who devised EV certificates for SSL/TLS servers, are now working on defining EV for code signing. They're really working on defining code signing, what it means, how it works, etc. They're addressing such fundamental issues as whether signatures on code should be valid in perpetuity (as NSS now interprets them) or whether the signatures' validity should expire along with the signer's certificate, and other similar issues. They have some ideas about refreshed signatures, etc.
I know this because I am a recipient of the CABForum mailing lists, having once been a Mozilla representative to it. I am now subscribed to those lists as an observer. I observe that, by the measure of emails generated on the subject, Mozilla's present representatives are not very active in the discussions of this topic. Representatives from Opera and Microsoft and several of the CAs are much more active. I suspect (and speculate here) that this is because code signing just isn't very important to Mozilla. Mozilla products do not require code signing for anything. When a user of a Mozilla product downloads an "extension", the only difference that code signing makes to that user's experience is the presence (or absence) of the word "unsigned" in red letters in a dialog that most users click through without reading. So, I suspect that Mozilla's representatives are not very active in the code signing discussions because they just don't care about it. While this may be OK for Mozilla, it is bad news (IMO) for NSS. When and if a standard emerges for EV code signing certs, there will undoubtedly be a bunch of new requirements on implementations of code signing (and code signature verification). NSS tools that produce those signatures will need to meet those requirements. NSS will be in the position that it must either (a) implement all those new requirements, or (b) make no claims about recognition of EV code signing certs. The latter position would put NSS and the products that use in (and that do care about code signing) at a competitive disadvantage, IMO. So, my questions are: - Can we get Mozilla's representatives to CABForum to play a more active role in the definition of EV code signing? - Failing that, can we get them to delegate that duty to us NSS developers (as they did for some time in the past)? - Failing either of those, do we NSS developers WANT to play a more active role in the definition of EV code signing? Please reply to mozilla.dev.tech.crypto and/or dev-tech-crypto@lists.mozilla.org (requires subscription). /Nelson _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
