<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
p.line874, li.line874, div.line874
{mso-style-name:line874;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
p.line862, li.line862, div.line862
{mso-style-name:line862;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>We can discuss this briefly during today’s call under Agenda Item 5.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Eddy Nigg<br><b>Sent:</b> Thursday, May 01, 2014 3:43 AM<br><b>To:</b> CABFPub<br><b>Subject:</b> Re: [cabfpub] Ballot 121 - EVGL Insurance Requirements<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The reasons are indeed interesting, question is what would be a better alternative. However if the insurances we are required to take out don't provide what we expect them to do, then it's indeed a waste of money. 
And we probably should look for something better than that.<br><br>On 04/24/2014 03:16 AM, Ben Wilson wrote: <o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif"'>The reasons for this proposed amendment are as follows:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p class=MsoListParagraph style='margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in'><span style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> </span><span style='font-family:"Arial","sans-serif"'>The insurance requirements were created basically out of thin air during initial drafting of the EVGL, without any particular analysis of claims against CAs, usefulness of insurance, availability of appropriate insurance, or necessary insurance levels. The main purpose of an insurance requirement in the EVGL was to impress the public with the responsibility of CAs who issue EV certificates. However, as noted below, these reasons aren’t really justified by the facts.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.25in'><span style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p class=MsoListParagraph style='margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in'><span style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> </span><span style='font-family:"Arial","sans-serif"'>The types and amounts of insurance required under EVGL 8.4 are North America-centric, and are not easily available in other world regions (or not available at all). Insurance for damages “arising out of infringement of the proprietary rights of any third party” are generally not available in many professional liability/errors and omissions policies. 
The requirement is arguably unfair to CAs outside North America.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.25in'><span style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p class=MsoListParagraph style='margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in'><span style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> </span><span style='font-family:"Arial","sans-serif"'>The types of insurance required under EVGL 8.4 are not designed to provide relief or compensation to injured customers or the public who rely on EV certs issued by a CA. Both types of insurance are intended primarily to protect the issuing CA, not injured claimants, and the insurers will try to avoid or defeat all claims from claimants. The policies typically include defense costs within the policy limits, so an insurance policy might be entirely consumed by defense costs to protect the issuing CA, with nothing left to pay claims to claimants.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.25in'><span style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p class=MsoListParagraphCxSpFirst style='margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in'><span style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> </span><span style='font-family:"Arial","sans-serif"'>Commercial General Liability insurance doesn’t really help customers or relying parties who claim injury from a bad cert – these policies are more designed to protect the CA from things like people falling on a slippery floor in the CA’s offices, etc. Likewise, professional liability/E&O coverage will only pay after defending the CA if a judgment is likely or rendered, and the insurer may try to avoid coverage if the issuing CA has done some bad things. 
For example, Diginotar’s insurer has denied all coverage because Diginotar hid its breach and failed to report the problem for several weeks, compounding the damages and violating its obligations to the insurers – so the insurance was worthless. These policies also do not cover contract claims from customers (e.g., a claim of breach of contract by the CA such as failure to issue a proper cert).</span><o:p></o:p></p><p class=MsoListParagraph><span style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p class=MsoListParagraphCxSpLast style='margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in'><span style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> </span><span style='font-family:"Arial","sans-serif"'>Some have suggested that even if the current insurance requirements don’t actually protect the public or customers, they are nevertheless useful as a “show of seriousness” by a CA. If that is a worthwhile objective, we may as well require other irrelevant things instead like proof of auto insurance or a minimum office space size – none of these qualifications are really relevant to whether a CA operates competently and in compliance with requirements. Instead, we rely mostly on (1) annual performance audits, and (2) browser root programs (and consequences of failure) to confirm competence and compliance.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.25in'><span style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p class=MsoListParagraph style='margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in'><span style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> </span><span style='font-family:"Arial","sans-serif"'>VeriSign’s previous general counsel for ten years has said VeriSign never faced a claim for damages from any certs during that time. 
In most cases, bad certs are simply revoked and possibly reissued.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.25in'><span style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p class=MsoListParagraph style='margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in'><span style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> </span><span style='font-family:"Arial","sans-serif"'>Even though there have been virtually no claims against issuing CAs, buying the minimum insurance can be expensive for smaller CAs. There is typically a minimum premium of $25,000 or more per year with a significant deductible, even though the CA will likely never have a covered claim. That’s a waste of money.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.25in'><span style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p class=MsoListParagraph style='margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in'><span style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> </span><span style='font-family:"Arial","sans-serif"'>In the Diginotar case, apparently claims were made against the company’s insurers (perhaps from investors for loss of value of the company when it was shut down). In any case, Diginotar’s insurer denied all coverage for the claims based on Diginotar’s bad acts and breach of its obligations to the insurer. 
There would be no possible insurance coverage for customers or relying parties, so the insurance was of no value.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.25in'><span style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p class=MsoListParagraph style='margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in'><span style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> </span><span style='font-family:"Arial","sans-serif"'>Some countries have their own minimum insurance requirements for companies incorporated or registered in their jurisdiction, while many do not. The CA/Browser Forum should defer to these decisions by the governing jurisdictions and require compliance with local standards – or just delete Section 8.4 entirely, as every CA must already comply with applicable laws.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.25in'><span style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p class=MsoListParagraph style='margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in'><span style='font-family:Symbol'>·</span><span style='font-size:7.0pt'> </span><span style='font-family:"Arial","sans-serif"'>Finally, under current EVGL Sec. 8.4, large companies like Trend Micro get to opt out of the insurance requirements because they meet the stated financial requirements. This is arguably an unfair advantage for large companies over small ones.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p class=line874 style='margin:0in;margin-bottom:.0001pt'><span lang=EN style='font-family:"Arial","sans-serif"'>The review period for this ballot shall commence at 2200 UTC on Wednesday, 23 April 2014, and will close at 2200 UTC on Wednesday, 30 April 2014. 
Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on Wednesday, 7 May 2014. Votes must be cast by posting an on-list reply to this thread. </span><o:p></o:p></p><p class=line874 style='margin:0in;margin-bottom:.0001pt'><span lang=EN style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p class=line862 style='margin:0in;margin-bottom:.0001pt'><span lang=EN style='font-family:"Arial","sans-serif"'>A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here: </span><a href="https://cabforum.org/members/"><span lang=EN style='font-family:"Arial","sans-serif"'>https://cabforum.org/members/</span></a><span style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p class=line862 style='margin:0in;margin-bottom:.0001pt'><span lang=EN style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-family:"Arial","sans-serif"'>In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Also, at least six members must participate in the ballot, either by voting in favor, voting against, or abstaining. 
</span><o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>-- <o:p></o:p></p><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0><tr><td colspan=2 style='padding:0in 0in 0in 0in'><p class=MsoNormal>Regards <o:p></o:p></p></td></tr><tr><td colspan=2 style='padding:0in 0in 0in 0in'><p class=MsoNormal> <o:p></o:p></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal>Signer: <o:p></o:p></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal>Eddy Nigg, COO/CTO<o:p></o:p></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal> <o:p></o:p></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><a href="http://www.startcom.org">StartCom Ltd.</a><o:p></o:p></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal>XMPP: <o:p></o:p></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a><o:p></o:p></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal>Blog: <o:p></o:p></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><a href="http://blog.startcom.org">Join the Revolution!</a><o:p></o:p></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal>Twitter: <o:p></o:p></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><a href="http://twitter.com/eddy_nigg">Follow Me</a><o:p></o:p></p></td></tr><tr><td colspan=2 style='padding:0in 0in 0in 0in'><p class=MsoNormal> <o:p></o:p></p></td></tr></table><p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p></div></div></body></html>