The Symbian Signed Story, Part 2
Posted by Craig H on 26 May 2009
Previously on The Symbian Signed Story:
- Public launch on 18th May 2004
  - A quality mark to replace “Nokia OK” and other manufacturer certifications
- Self-supporting (neither subsidised nor profit-making)
  - Fees for signing go to third-party Certificate Authority, fees for testing go to third-party test house
- Security was not a primary goal
  - Symbian OS didn’t have platform security until 2 years later
The next phase in the evolution of Symbian Signed focused on reducing the cost to developers of getting their apps certified. As we have noted, the fees paid by developers were divided between fees for signing (mainly for issuing publisher certificates) going to VeriSign and fees for testing going to Capgemini. Symbian therefore resolved to bring the benefits of an open market for signing and testing services to bear.
At launch, there was only one test house available (Capgemini) but Symbian was already in discussions with other test houses. Test houses set their own prices, and two new options (MphasiS and NSTL) that launched on 5th October 2004 were significantly cheaper (at €195 and €250 respectively) than Capgemini. Developers submitting their applications for certification had a free choice of which test house to use, and many (but by no means all) did choose a lower cost option.
It turned out to be more of a challenge to bring the same open-market benefits to the signing side of the service. VeriSign’s ACS Publisher IDs cost $350, a figure which I think was originally established to match the fees for their Microsoft Authenticode service. Especially considering the reduction in testing fees, this was now a significant proportion of the cost to developers, so Symbian tried engaging with several alternative CAs in order to promote some competition. We did get as far as having alternative root certificates issued by GeoTrust, but then they were taken over by VeriSign in 2006, which rather defeated the objective! The strategy finally bore fruit on 18th June 2007 when it was announced that TC TrustCenter would begin offering publisher ID certificates for $200.
Meanwhile, the Symbian OS product development engineers and Symbian Signed staff were working together on the introduction of Symbian OS platform security. The development project was already well into the design phase when I joined Symbian at the start of 2002, but as I recall the bulk of the implementation work was done from 2003 to 2005. The first phones incorporating the platform security architecture shipped to customers in March 2006.
This post is already getting quite long, so platform security will be addressed in a Part 3 later this week (I know, I said that last time, sorry! :-))