<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
The reasons are indeed interesting; the question is what would be a
better alternative. However, if the insurances we are required to
take out don't provide what we expect them to do, then it's indeed a
waste of money. And we probably should look for something better
than that.<br>
<br>
On 04/24/2014 03:16 AM, Ben Wilson wrote:
<blockquote cite="mid:00a601cf5f52$7bec3b70$73c4b250$@digicert.com"
type="cite">
<div class="WordSection1"><br>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial","sans-serif"">The
reasons for this proposed amendment are as follows:<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoListParagraph"
style="margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0
level1 lfo1"><!--[if !supportLists]--><span
style="font-size:12.0pt;font-family:Symbol"><span
style="mso-list:Ignore">·<span style="font:7.0pt
"Times New Roman""> </span></span></span><!--[endif]--><span
style="font-size:12.0pt;font-family:"Arial","sans-serif"">The
insurance requirements were created basically out of thin
air during initial drafting of the EVGL, without any
particular analysis of claims against CAs, usefulness of
insurance, availability of appropriate insurance, or
necessary insurance levels. The main purpose of an
insurance requirement in the EVGL was to impress the public
with the responsibility of CAs who issue EV certificates.
However, as noted below, these reasons aren’t really
justified by the facts.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in"><span
style="font-size:12.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoListParagraph"
style="margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0
level1 lfo1"><!--[if !supportLists]--><span
style="font-size:12.0pt;font-family:Symbol"><span
style="mso-list:Ignore">·<span style="font:7.0pt
"Times New Roman""> </span></span></span><!--[endif]--><span
style="font-size:12.0pt;font-family:"Arial","sans-serif"">The
types and amounts of insurance required under EVGL 8.4 are
North America-centric, and are not easily available in other
world regions (or not available at all). Insurance for
damages “arising out of infringement of the proprietary
rights of any third party” is generally not available in
many professional liability/errors and omissions policies.
The requirement is arguably unfair to CAs outside North
America.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in"><span
style="font-size:12.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoListParagraph"
style="margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0
level1 lfo1"><!--[if !supportLists]--><span
style="font-size:12.0pt;font-family:Symbol"><span
style="mso-list:Ignore">·<span style="font:7.0pt
"Times New Roman""> </span></span></span><!--[endif]--><span
style="font-size:12.0pt;font-family:"Arial","sans-serif"">The
types of insurance required under EVGL 8.4 are not designed
to provide relief or compensation to injured customers or
the public who rely on EV certs issued by a CA. Both types
of insurance are intended primarily to protect the issuing
CA, not injured claimants, and the insurers will try to
avoid or defeat all claims from claimants. The policies
typically include defense costs within the policy limits, so
an insurance policy might be entirely consumed by defense
costs to protect the issuing CA, with nothing left to pay
claims to claimants.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in"><span
style="font-size:12.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoListParagraphCxSpFirst"
style="margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0
level1 lfo1"><!--[if !supportLists]--><span
style="font-size:12.0pt;font-family:Symbol"><span
style="mso-list:Ignore">·<span style="font:7.0pt
"Times New Roman""> </span></span></span><!--[endif]--><span
style="font-size:12.0pt;font-family:"Arial","sans-serif"">Commercial
General Liability insurance doesn’t really help customers or
relying parties who claim injury from a bad cert – these
policies are more designed to protect the CA from things
like people falling on a slippery floor in the CA’s offices,
etc. Likewise, professional liability/E&O coverage will
only pay after defending the CA if a judgment is likely or
rendered, and the insurer may try to avoid coverage if the
issuing CA has done some bad things. For example,
Diginotar’s insurer has denied all coverage because
Diginotar hid its breach and failed to report the problem
for several weeks, compounding the damages and violating its
obligations to the insurers – so the insurance was
worthless. These policies also do not cover contract claims
from customers (e.g., a claim of breach of contract by the
CA such as failure to issue a proper cert).<o:p></o:p></span></p>
<p class="MsoListParagraphCxSpMiddle"><span
style="font-size:12.0pt;line-height:115%;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoListParagraphCxSpLast"
style="margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0
level1 lfo1"><!--[if !supportLists]--><span
style="font-size:12.0pt;font-family:Symbol"><span
style="mso-list:Ignore">·<span style="font:7.0pt
"Times New Roman""> </span></span></span><!--[endif]--><span
style="font-size:12.0pt;font-family:"Arial","sans-serif"">Some
have suggested that even if the current insurance
requirements don’t actually protect the public or customers,
they are nevertheless useful as a “show of seriousness” by a
CA. If that is a worthwhile objective, we may as well
require other irrelevant things instead like proof of auto
insurance or a minimum office space size – none of these
qualifications are really relevant to whether a CA operates
competently and in compliance with requirements. Instead,
we rely mostly on (1) annual performance audits, and (2)
browser root programs (and consequences of failure) to
confirm competence and compliance.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in"><span
style="font-size:12.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoListParagraph"
style="margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0
level1 lfo1"><!--[if !supportLists]--><span
style="font-size:12.0pt;font-family:Symbol"><span
style="mso-list:Ignore">·<span style="font:7.0pt
"Times New Roman""> </span></span></span><!--[endif]--><span
style="font-size:12.0pt;font-family:"Arial","sans-serif"">VeriSign’s
previous general counsel for ten years has said VeriSign
never faced a claim for damages from any certs during that
time. In most cases, bad certs are simply revoked and
possibly reissued.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in"><span
style="font-size:12.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoListParagraph"
style="margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0
level1 lfo1"><!--[if !supportLists]--><span
style="font-size:12.0pt;font-family:Symbol"><span
style="mso-list:Ignore">·<span style="font:7.0pt
"Times New Roman""> </span></span></span><!--[endif]--><span
style="font-size:12.0pt;font-family:"Arial","sans-serif"">Even
though there have been virtually no claims against issuing
CAs, buying the minimum insurance can be expensive for
smaller CAs. There is typically a minimum premium of
$25,000 or more per year with a significant deductible, even
though the CA will likely never have a covered claim.
That’s a waste of money.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in"><span
style="font-size:12.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoListParagraph"
style="margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0
level1 lfo1"><!--[if !supportLists]--><span
style="font-size:12.0pt;font-family:Symbol"><span
style="mso-list:Ignore">·<span style="font:7.0pt
"Times New Roman""> </span></span></span><!--[endif]--><span
style="font-size:12.0pt;font-family:"Arial","sans-serif"">In
the Diginotar case, apparently claims were made against the
company’s insurers (perhaps from investors for loss of value
of the company when it was shut down). In any case,
Diginotar’s insurer denied all coverage for the claims based
on Diginotar’s bad acts and breach of its obligations to the
insurer. There would be no possible insurance coverage for
customers or relying parties, so the insurance was of no
value.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in"><span
style="font-size:12.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoListParagraph"
style="margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0
level1 lfo1"><!--[if !supportLists]--><span
style="font-size:12.0pt;font-family:Symbol"><span
style="mso-list:Ignore">·<span style="font:7.0pt
"Times New Roman""> </span></span></span><!--[endif]--><span
style="font-size:12.0pt;font-family:"Arial","sans-serif"">Some
countries have their own minimum insurance requirements for
companies incorporated or registered in their jurisdiction,
while many do not. The CA/Browser Forum should defer to
these decisions by the governing jurisdictions and require
compliance with local standards – or just delete Section 8.4
entirely, as every CA must already comply with applicable
laws.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in"><span
style="font-size:12.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoListParagraph"
style="margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0
level1 lfo1"><!--[if !supportLists]--><span
style="font-size:12.0pt;font-family:Symbol"><span
style="mso-list:Ignore">·<span style="font:7.0pt
"Times New Roman""> </span></span></span><!--[endif]--><span
style="font-size:12.0pt;font-family:"Arial","sans-serif"">Finally,
under current EVGL Sec. 8.4, large companies like Trend
Micro get to opt out of the insurance requirements because
they meet the stated financial requirements. This is
arguably an unfair advantage for large companies over small
ones.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="line874" style="margin:0in;margin-bottom:.0001pt"><span
style="font-family:"Arial","sans-serif";color:black"
lang="EN">The review period for this ballot shall commence
at 2200 UTC on Wednesday, 23 April 2014, and will close at
2200 UTC on Wednesday, 30 April 2014. Unless the motion is
withdrawn during the review period, the voting period will
start immediately thereafter and will close at 2200 UTC on
Wednesday, 7 May 2014. Votes must be cast by posting an
on-list reply to this thread. <o:p></o:p></span></p>
<p class="line874" style="margin:0in;margin-bottom:.0001pt"><span
style="font-family:"Arial","sans-serif";color:black"
lang="EN"><o:p> </o:p></span></p>
<p class="line862" style="margin:0in;margin-bottom:.0001pt"><span
style="font-family:"Arial","sans-serif";color:black"
lang="EN">A vote in favor of the motion must indicate a
clear 'yes' in the response. A vote against must indicate a
clear 'no' in the response. A vote to abstain must indicate
a clear 'abstain' in the response. Unclear responses will
not be counted. The latest vote received from any
representative of a voting member before the close of the
voting period will be counted. Voting members are listed
here: </span><a moz-do-not-send="true"
href="https://cabforum.org/members/"><span
style="font-family:"Arial","sans-serif""
lang="EN">https://cabforum.org/members/</span></a><span
style="font-family:"Arial","sans-serif";color:black">
<span lang="EN"><o:p></o:p></span></span></p>
<p class="line862" style="margin:0in;margin-bottom:.0001pt"><span
style="font-family:"Arial","sans-serif";color:black"
lang="EN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Arial","sans-serif";color:black"
lang="EN">In order for the motion to be adopted, two thirds
or more of the votes cast by members in the CA category and
greater than 50% of the votes cast by members in the browser
category must be in favor. Also, at least six members must
participate in the ballot, either by voting in favor, voting
against, or abstaining. <o:p></o:p></span><span
style="font-size:12.0pt;font-family:"Arial","sans-serif""><o:p></o:p></span>
<br>
</p>
</div>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
</body>
</html>