<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
line-height:115%;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML con formato previo Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Texto de globo Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
span.HTMLconformatoprevioCar
{mso-style-name:"HTML con formato previo Car";
mso-style-priority:99;
mso-style-link:"HTML con formato previo";
font-family:Consolas;
color:black;}
span.TextodegloboCar
{mso-style-name:"Texto de globo Car";
mso-style-priority:99;
mso-style-link:"Texto de globo";
font-family:"Tahoma","sans-serif";
color:black;}
span.EstiloCorreo22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EstiloCorreo23
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=ES link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'>Hi, inline<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal style='line-height:normal'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='line-height:9.75pt'><b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif"'>Iñigo Barreira</span></b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif"'><br>Responsable del Área técnica<br><a href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a><o:p></o:p></span></p><p class=MsoNormal style='line-height:normal'><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif"'>945067705</span><span lang=ES-TRAD style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal style='line-height:normal'><span lang=ES-TRAD style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='line-height:normal'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><img border=0 width=585 height=111 id="_x0000_i1026" src="cid:image001.png@01CF80BA.FAE02660" alt="Descripción: cid:image001.png@01CE3152.B4804EB0"></span><span lang=ES-TRAD style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal style='line-height:9.75pt'><span style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'>ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'><br></span><span style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'>ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.</span><span style='font-family:"Calibri","sans-serif";color:navy;mso-fareast-language:ES-TRAD'><o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='line-height:normal'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>De:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> Ben Wilson [mailto:ben@digicert.com] <br><b>Enviado el:</b> martes, 03 de junio de 2014 3:43<br><b>Para:</b> Barreira Iglesias, Iñigo; md@ssc.lt; kirk_hall@trendmicro.com; gerv@mozilla.org; public@cabforum.org<br><b>Asunto:</b> Re: [cabfpub] Ballot 121 (insurance)<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:12.0pt;line-height:normal'>Thanks, Moudrick, Kirk and Iñigo,<br><br>For those who haven't looked up this ETSI document, Section 7.5 says, "(d) Adequate arrangements to cover liabilities arising from its operations and/or activities; (e) Financial stability and resources required to operate in conformity with this policy; and (f) Policies and procedures for the resolution of complaints and disputes received from customers or other parties about the provisioning of electronic trust services." This appears to be based, somewhat, on the liability structure set up in Art.6 of of EU Directive 1999/93/EC and subsection (h) of Annex II, <a href="http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31999L0093">http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31999L0093</a>, the latter of which reads, “(h) maintain sufficient financial resources to operate in conformity with the requirements laid down in the Directive, in particular to bear the risk of liability for damages, for example, by obtaining appropriate insurance;” <span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt;line-height:normal'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt;line-height:normal'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>This is also recorded in the new EU regulation, in recital 37 and articles 13 and 24, and indicates the need to be covered by insurances policies but according to national law.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt;line-height:normal'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>This is to be discussed in the secondary legislation by means of implementing acts for these 2 articles. My idea is to explain more detailed in 2 weeks at Eilat<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt;line-height:normal'><span lang=EN-US><br><br>CAs are supposed to address their responsibility under Art. 6. </span>This can be written in their CP/CPS either under Section 2.3 (RFC 2527) or Section 9.2 (RFC 3647) -- maybe more explicit requirements in the BRs are needed about what must be written in those sections? Also, I see that "risk" is noted in Annex II, but not in section 7.5 (too hard to audit?), an insurance or financial stability requirement is a much easier way to address risks to third parties than other methods, and it more fairly distributes the loss potential. See e.g. <a href="http://www.egov.ufsc.br/portal/sites/default/files/anexos/27548-27558-1-PB.pdf">http://www.egov.ufsc.br/portal/sites/default/files/anexos/27548-27558-1-PB.pdf</a> <span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt;line-height:normal'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt;line-height:normal'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>As an example, Izenpe in its CPS at section 9.2 indicates that has an insurance and the financial resources needed but don´t indicate the amount covered. This is only know by the Ministry (our supervisory body) and the auditors.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt;line-height:normal'><span lang=EN-US><br><br>According to </span><a href="http://www.law.uni-sofia.bg/Kat/T/IP/T/ES/DocLib/The%20Legal%20and%20Market%20Aspects%20of%20Electronic%20Signatures.pdf"><span lang=EN-US>http://www.law.uni-sofia.bg/Kat/T/IP/T/ES/DocLib/The%20Legal%20and%20Market%20Aspects%20of%20Electronic%20Signatures.pdf</span></a><span lang=EN-US> <br>most EU countries have simply copied this text from Annex II into their own laws without further requirements. </span>However, some, like Spain, have set forth specific insurance amounts for " Cobertura de seguro u otras garantías para los terceros de buena fe cuando incumpla las obligaciones que impone la Ley 59/2003, de 19 de diciembre, de Firma Electrónica" - from what I can tell, the amount is 3 million Euros. <a href="http://www.boe.es/boe/dias/2003/12/20/pdfs/A45329-45343.pdf">http://www.boe.es/boe/dias/2003/12/20/pdfs/A45329-45343.pdf</a> <span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt;line-height:normal'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt;line-height:normal'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>That´s right. That´s something that all CAs in Spain shall comply to operate in our country, whitout that insurance we are not allowed to work or at least not being qualified and then recognized in the Spanish Trusted List. But, maybe it´s different for other countries.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt;line-height:normal'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>For the same reason, when Izenpe decided to go after the EV, well, we made a small increase in the insurance, to cover the 5 million $ which is a little bit more of 3,5 million € (depending on the day </span><span lang=EN-US style='font-size:11.0pt;font-family:Wingdings;color:#1F497D'>J</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> )<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt;line-height:normal'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt;line-height:normal'><span lang=EN-US> So, in order to be more fair to non-US CAs, what about that 3-million-Euro amount instead that just said "third party cyber coverage"? </span>(I have Betterley's 2014 Cyber Insurance Report that I can use to create a definition of "third party cyber coverage".) Given the facts above, I can't see any reason to replace our objective rule with something as subjective as "adequate arrangements" or "sufficient financial resources," which are subjective and impossible to audit, let alone eliminate it altogether.<span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt;line-height:normal'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt;line-height:normal'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ok for me.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt;line-height:normal'><span lang=EN-US><br><br>Financial stability is a key component of being a CA, especially one that issues Extended Validation certificates. </span>It certainly seems that any European CA wanting to issue the "qualified website" equivalent of an EV certificate will have to meet Art 6 / Annex II requirements in any event.<span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt;line-height:normal'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>This is still a nightmare in ETSI<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt;line-height:normal'><span lang=EN-US><br><br>Also, we require insurance for banks and automobile owners/drivers. </span>Not for first-party coverage, but for third-party coverage--we do not want innocent third parties left holding the bag--it's what economists call "negative externality". Banks, for example, have great security, but they also have to handle the risk that all of that security won't protect against everything--nothing works perfectly 100%. Banks are required by regulators to have financial reserves, deposit insurance, and other risk-mitigating processes. See <a href="http://edoc.ub.uni-muenchen.de/5628/1/Mikkonen_Katri.pdf">http://edoc.ub.uni-muenchen.de/5628/1/Mikkonen_Katri.pdf</a> Under the EU Directive on capital adequacy of investment …firms and credit institutions, this means coverage of EUR 20 000 for each depositor, minimum start-up-capital of EUR 5 million, and then ongoing solvency ratios per Basel requirements.<br><br>Ben <br><br><br><br><o:p></o:p></p><div><p class=MsoNormal style='line-height:normal'>On 6/2/2014 1:40 AM, <a href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a> wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'>Hi,</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'>The TS 102 042 is the one for EV and BR certs and also indicates in 7.5 what Mou has stated. </span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'>This “control” was included to let the CA to set the requirements appropriate to its needs and according to national legislation.</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'>Regards</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='line-height:9.75pt'><b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif"'>Iñigo Barreira</span></b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif"'><br>Responsable del Área técnica<br><a href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a></span><o:p></o:p></p><p class=MsoNormal><span lang=ES-TRAD style='font-size:8.5pt;line-height:115%;font-family:"Tahoma","sans-serif"'>945067705</span><o:p></o:p></p><p class=MsoNormal><span lang=ES-TRAD style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'><img border=0 width=585 height=111 id="Imagen_x0020_1" src="cid:image001.png@01CF80BA.FAE02660" alt="Descripción: cid:image001.png@01CE3152.B4804EB0"></span><o:p></o:p></p><p class=MsoNormal style='line-height:9.75pt'><span style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'>ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'><br></span><span style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'>ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.</span><o:p></o:p></p></div><p class=MsoNormal><span style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:10.0pt;line-height:115%;font-family:"Tahoma","sans-serif";color:windowtext'>De:</span></b><span style='font-size:10.0pt;line-height:115%;font-family:"Tahoma","sans-serif";color:windowtext'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>En nombre de </b>Moudrick M. Dadashov<br><b>Enviado el:</b> sábado, 31 de mayo de 2014 2:30<br><b>Para:</b> <a href="mailto:ben@digicert.com">ben@digicert.com</a>; <a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>; 'Gervase Markham'; 'public >> CABFPub'<br><b>Asunto:</b> Re: [cabfpub] Ballot 121 (insurance)</span><o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><div><p class=MsoNormal>On 5/31/2014 2:46 AM, Ben Wilson wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>Do you have a proposal that addresses the concerns about financial<o:p></o:p></pre><pre>stability?<o:p></o:p></pre></blockquote><p class=MsoNormal>Please see ETSI TS 101 456 V1.4.3 section 7.5 specifically points d), e) and f) - IMO they are close to what you are looking for.<br><br>As a standardization body ETSI doesn't set its requirements in terms of absolute amounts, this is left to implementers - in this case to MS Governments.<br><br>FYI:<br><a href="http://www.etsi.org/deliver/etsi_ts/101400_101499/101456/01.04.03_60/ts_101456v010403p.pdf">http://www.etsi.org/deliver/etsi_ts/101400_101499/101456/01.04.03_60/ts_101456v010403p.pdf</a><br><br>Given the fact that EVG is incorporated into ETSI "as is", I see potential conflict between the two approaches. <br><br>Thanks.<br>M.D.<br><br><br><br><o:p></o:p></p><pre> <o:p></o:p></pre><pre> <o:p></o:p></pre><pre>-----Original Message-----<o:p></o:p></pre><pre>From: <a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a> [<a href="mailto:kirk_hall@trendmicro.com">mailto:kirk_hall@trendmicro.com</a>] <o:p></o:p></pre><pre>Sent: Friday, May 30, 2014 5:20 PM<o:p></o:p></pre><pre>To: <a href="mailto:ben@digicert.com">ben@digicert.com</a>; 'Gervase Markham'; 'public >> CABFPub'<o:p></o:p></pre><pre>Subject: RE: [cabfpub] Ballot 121 (insurance)<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>Ben -- as I indicated to the EV Working Group in an email recently, I have<o:p></o:p></pre><pre>definitely changed my mind about the EVGL insurance requirement based on my<o:p></o:p></pre><pre>own experience in starting AffirmTrust in 2010. (As a reminder to all,<o:p></o:p></pre><pre>AffirmTrust was acquired by Trend Micro in 2011, and Trend is big enough and<o:p></o:p></pre><pre>has a strong enough balance sheet and treasury that under the EVGL we are<o:p></o:p></pre><pre>entirely exempt from the insurance requirements -- so we have no personal<o:p></o:p></pre><pre>stake in this.) <o:p></o:p></pre><pre> <o:p></o:p></pre><pre>While starting my own company, the insurance brokers kept asking me why I<o:p></o:p></pre><pre>wanted the insurance coverages -- they clearly didn't think I needed them --<o:p></o:p></pre><pre>and they warned me that the E&O coverage in particular probably wasn't going<o:p></o:p></pre><pre>to provide me with any meaningful protection for anything (given that it<o:p></o:p></pre><pre>generally doesn't cover contractual liability for a bad cert, return of<o:p></o:p></pre><pre>fees, etc.) So it felt like a very big waste of money.<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>Plus we now know from eight years of experience (plus the anecdotal evidence<o:p></o:p></pre><pre>of Trend Micro's legal counsel from his decade at VeriSign) that there<o:p></o:p></pre><pre>simply aren't claims from customers or relying parties for mis-issued certs<o:p></o:p></pre><pre>and that the need for insurance (even if it did cover the mis-issuance of EV<o:p></o:p></pre><pre>certs) is minimal at best. The one case of catastrophic failure and breach,<o:p></o:p></pre><pre>DigiNotar, apparently resulted in a court ruling that the insurer would be<o:p></o:p></pre><pre>allowed to deny all coverage.<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>When we collectively were brainstorming in 2005-6 to create the first EV<o:p></o:p></pre><pre>Guidelines, we were trying to come up with lots and lots of requirements to<o:p></o:p></pre><pre>try to set EV certs apart from other certs. As I recall, we considered even<o:p></o:p></pre><pre>more complex verification steps for EV to make it similar to the closing of<o:p></o:p></pre><pre>a major corporate transaction (e.g., getting Board of Directors<o:p></o:p></pre><pre>authorizations, Secretary's Certificates, etc.) -- fortunately, common sense<o:p></o:p></pre><pre>prevailed and we slimmed down the requirements so they are very thorough,<o:p></o:p></pre><pre>but achievable.<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>Finally, the Forum has learned through eight years of experience that these<o:p></o:p></pre><pre>insurance requirements are even harder and more expensive for<o:p></o:p></pre><pre>non-US/Canadian CAs to satisfy, and that their brokers also tell them the<o:p></o:p></pre><pre>coverages won't provide them with any meaningful protection. We don't want<o:p></o:p></pre><pre>the EV Guidelines to be weighted in favor of US/Canadian CAs.<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>The Forum hasn't hesitated from changing other EVGL requirements when we<o:p></o:p></pre><pre>think justified -- such as recently allowing the use of the automatic email<o:p></o:p></pre><pre>verification method to upgrade domains to the EV level (using the same<o:p></o:p></pre><pre>verification methods as for DV and OV certs). For the first seven years of<o:p></o:p></pre><pre>the EVGL, we were all required to do manual vetting of domains with a WhoIs<o:p></o:p></pre><pre>lookup and deal with any mis-match of the registration.<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>So for all these reasons, I think Gerv is right and it's time to drop the<o:p></o:p></pre><pre>insurance requirements. Let CAs follow any insurance requirements that<o:p></o:p></pre><pre>their applicable local jurisdiction(s) may impose, but otherwise don't<o:p></o:p></pre><pre>create an additional insurance requirement through the EV Guidelines.<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>Gerv, thanks for sharing your thoughtful and well informed opinion. It<o:p></o:p></pre><pre>really helps.<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>Kirk<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>-----Original Message-----<o:p></o:p></pre><pre>From: <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] On<o:p></o:p></pre><pre>Behalf Of Ben Wilson<o:p></o:p></pre><pre>Sent: Friday, May 30, 2014 3:15 PM<o:p></o:p></pre><pre>To: 'Gervase Markham'; 'public >> CABFPub'<o:p></o:p></pre><pre>Subject: Re: [cabfpub] Ballot 121 (insurance)<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>Gerv and all,<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>If people want to save money, they can stick to issuing DV or OV<o:p></o:p></pre><pre>certificates. EV certificates need to remain different, and this proposed<o:p></o:p></pre><pre>move is contrary to the first goal we all agreed upon when we began working<o:p></o:p></pre><pre>on the guidelines for issuing Extended Validation Certificates, which my<o:p></o:p></pre><pre>notes indicates was to "increase online trust." <o:p></o:p></pre><pre> <o:p></o:p></pre><pre>If the ballot is re-introduced and passes, then CAs will not be required to<o:p></o:p></pre><pre>have insurance for any negligence in issuing or maintaining EV Certificates.<o:p></o:p></pre><pre>It increases the likelihood that another Diginotar won't be held<o:p></o:p></pre><pre>accountable, and I believe the insurance is currently available at<o:p></o:p></pre><pre>affordable cost, approximately $10,000 per $1 million coverage. I have<o:p></o:p></pre><pre>attached a sample cyber-insurance policy, which is available in similar form<o:p></o:p></pre><pre>from any of top insurers internationally-- Zurich, ING, AIG, AXA, Allianz,<o:p></o:p></pre><pre>etc.<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>The reintroduction of Ballot 121 also reopens negotiations of 8 years ago,<o:p></o:p></pre><pre>which took place during 2006. For example, attached is Kirk Hall's memo to<o:p></o:p></pre><pre>the group from June 2006 in which he recommends "indemnity insurance<o:p></o:p></pre><pre>coverage (e.g. "errors and omissions," "cyber coverage," "network computer<o:p></o:p></pre><pre>liability," "professional liability," or other similar coverage) for<o:p></o:p></pre><pre>Extended Validation Certificates [in the amount of $10 million]." <o:p></o:p></pre><pre> <o:p></o:p></pre><pre>Opponents of insurance requirements cannot simply erase these historical<o:p></o:p></pre><pre>choices without proposing viable alternatives. (It's always easier to<o:p></o:p></pre><pre>complain and to poke holes at things than to work on real solutions.) And<o:p></o:p></pre><pre>finally, if the EV Guidelines do not contain some form of financial<o:p></o:p></pre><pre>responsibility, then we might as well delete the Section 7 warranties, and<o:p></o:p></pre><pre>the other EV provisions to which they refer, because they will just become<o:p></o:p></pre><pre>empty promises. <o:p></o:p></pre><pre> <o:p></o:p></pre><pre>Ben<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>-----Original Message-----<o:p></o:p></pre><pre>From: <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] On<o:p></o:p></pre><pre>Behalf Of Gervase Markham<o:p></o:p></pre><pre>Sent: Friday, May 30, 2014 12:41 PM<o:p></o:p></pre><pre>To: public >> CABFPub<o:p></o:p></pre><pre>Subject: [cabfpub] Ballot 121 (insurance)<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>I talked to our lawyer this morning. Mozilla is now willing to support the<o:p></o:p></pre><pre>proposal in Ballot 121 (removal of the insurance requirement from the EV<o:p></o:p></pre><pre>Guidelines).<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>We feel that this requirement provides no significant protection in practice<o:p></o:p></pre><pre>for either users, for whom CAs can limit liability to $2000 anyway, or for<o:p></o:p></pre><pre>browsers, for whom clause 18.2 which indemnifies them is much more relevant.<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>We encourage other CAs and browsers to support this ballot also, and let the<o:p></o:p></pre><pre>CAs put the $N,000 saved towards making their products better and/or cheaper<o:p></o:p></pre><pre>for users.<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>Gerv<o:p></o:p></pre><pre>_______________________________________________<o:p></o:p></pre><pre>Public mailing list<o:p></o:p></pre><pre><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><o:p></o:p></pre><pre><a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></pre><pre><table class="TM_EMAIL_NOTICE"><tr><td><pre><o:p></o:p></pre><pre>TREND MICRO EMAIL NOTICE<o:p></o:p></pre><pre>The information contained in this email and any attachments is confidential<o:p></o:p></pre><pre>and may be subject to copyright or other intellectual property protection. <o:p></o:p></pre><pre>If you are not the intended recipient, you are not authorized to use or<o:p></o:p></pre><pre>disclose this information, and we request that you notify us by reply mail<o:p></o:p></pre><pre>or telephone and delete the original message from your mail system.<o:p></o:p></pre><pre></pre></td></tr></table><o:p></o:p></pre><p class=MsoNormal><br><br><br><br><o:p></o:p></p><pre>_______________________________________________<o:p></o:p></pre><pre>Public mailing list<o:p></o:p></pre><pre><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><o:p></o:p></pre><pre><a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></pre><p class=MsoNormal> <o:p></o:p></p></blockquote><p class=MsoNormal style='line-height:normal'><o:p> </o:p></p></div></body></html>