<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Thanks, Rick<br>
<br>
Just to summarize where we are now, I see four different
approaches:<br>
1) Leave it as is;<br>
2) State a "business" requirement that potentially can be resolved
by appropriate insurance provisions (no absolute figures, ETSI
style);<br>
3) Ballot 121;<br>
4) Decrease existing absolute figures; how about 3 million Euro, ok?<br>
<br>
Obviously 3) can be combined with 2) but not with 1) or 3).<br>
Also worth mentioning: for some CAs, insurance is a measure of
"product quality"; if we eliminate it, those CAs may have a
negative "side effect".<br>
<br>
To my surprise, PCI DSS doesn't state any direct insurance
requirements.<br>
<br>
Any other ideas?<br>
<br>
Thanks,<br>
M.D.<br>
<br>
On 6/9/2014 10:49 PM, Rick Andrews wrote:<br>
</div>
<blockquote
cite="mid:544B0DD62A64C1448B2DA253C011414607CBFEDA59@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D">A
Timely article (pun intended):<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D">
Cyberattack Insurance a Challenge for Business <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D">
<a moz-do-not-send="true"
href="http://p.nytimes.com/email/re?location=InCMR7g4BCKC2wiZPkcVUkfBKD0WxM+9&amp;user_id=c619a85212e2206d7323c9ed8f4e42e9&amp;email_type=eta&amp;task_id=1402342739914133&amp;regi_id=0"><b>http://nyti.ms/1oLGfqR
</b></a><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D">-Rick<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"
style="margin-left:.5in;line-height:normal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
<a class="moz-txt-link-abbreviated" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Ben
Wilson<br>
<b>Sent:</b> Thursday, June 05, 2014 5:55 AM<br>
<b>To:</b> 'Moudrick M. Dadashov';
<a class="moz-txt-link-abbreviated" href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a>; <a class="moz-txt-link-abbreviated" href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>;
<a class="moz-txt-link-abbreviated" href="mailto:gerv@mozilla.org">gerv@mozilla.org</a>; <a class="moz-txt-link-abbreviated" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] Ballot 121 (insurance)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D">Thanks.
Let’s keep this discussion moving toward an amendment that
provides a more reasonable, but objective, uniform, and
auditable standard to be applied and implemented globally to
address cyber risks and reduce potential loss to third
parties. I’ve found about 100 academic papers that mention
cyber insurance and about 200 web pages in the .com space
that discuss cyber coverage. I’m sifting through those now.
I’m happy to make them available to anyone who wants to
participate in this review.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"
style="margin-left:.5in;line-height:normal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
<a class="moz-txt-link-abbreviated" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Moudrick
M. Dadashov<br>
<b>Sent:</b> Thursday, June 5, 2014 4:43 AM<br>
<b>To:</b> Ben Wilson; <a class="moz-txt-link-abbreviated" href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a>;
<a class="moz-txt-link-abbreviated" href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>; <a class="moz-txt-link-abbreviated" href="mailto:gerv@mozilla.org">gerv@mozilla.org</a>;
<a class="moz-txt-link-abbreviated" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] Ballot 121 (insurance)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-left:.5in">Hi,<br>
<br>
Looks like we are not alone on this planet:<br>
<br>
<a moz-do-not-send="true"
href="http://www.tripwire.com/state-of-security/featured/who-should-insure-the-nations-critical-infrastructure/">http://www.tripwire.com/state-of-security/featured/who-should-insure-the-nations-critical-infrastructure/</a><br>
<br>
Is EV SSL issuance a part of NCI?<br>
<br>
Thanks,<br>
M.D.<br>
<br>
On 6/3/2014 4:43 AM, Ben Wilson wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in;line-height:normal">Thanks,
Moudrick, Kirk and Iñigo,<br>
<br>
For those who haven't looked up this ETSI document, Section
7.5 says, "(d) Adequate arrangements to cover liabilities
arising from its operations and/or activities; (e) Financial
stability and resources required to operate in conformity
with this policy; and (f) Policies and procedures for the
resolution of complaints and disputes received from
customers or other parties about the provisioning of
electronic trust services." This appears to be based,
somewhat, on the liability structure set up in Art. 6 of
EU Directive 1999/93/EC and subsection (h) of Annex II, <a
moz-do-not-send="true"
href="http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31999L0093">http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31999L0093</a>,
the latter of which reads, “(h) maintain sufficient
financial resources to operate in conformity with the
requirements laid down in the Directive, in particular to
bear the risk of liability for damages, for example, by
obtaining appropriate insurance;” <br>
<br>
CAs are supposed to address their responsibility under Art.
6. This can be written in their CP/CPS either under Section
2.3 (RFC 2527) or Section 9.2 (RFC 3647) -- maybe more
explicit requirements in the BRs are needed about what must
be written in those sections? Also, I see that "risk" is
noted in Annex II, but not in section 7.5 (too hard to
audit?), an insurance or financial stability requirement is
a much easier way to address risks to third parties than
other methods, and it more fairly distributes the loss
potential. See e.g. <a moz-do-not-send="true"
href="http://www.egov.ufsc.br/portal/sites/default/files/anexos/27548-27558-1-PB.pdf">http://www.egov.ufsc.br/portal/sites/default/files/anexos/27548-27558-1-PB.pdf</a>
<br>
<br>
According to <a moz-do-not-send="true"
href="http://www.law.uni-sofia.bg/Kat/T/IP/T/ES/DocLib/The%20Legal%20and%20Market%20Aspects%20of%20Electronic%20Signatures.pdf">http://www.law.uni-sofia.bg/Kat/T/IP/T/ES/DocLib/The%20Legal%20and%20Market%20Aspects%20of%20Electronic%20Signatures.pdf</a>
<br>
most EU countries have simply copied this text from Annex II
into their own laws without further requirements. However,
some, like Spain, have set forth specific insurance amounts
for "Insurance coverage or other guarantees for third parties
acting in good faith when it fails to comply with the obligations
imposed by Ley 59/2003, de 19 de diciembre, de Firma
Electrónica" - from what I can tell, the amount is 3 million
Euros. <a moz-do-not-send="true"
href="http://www.boe.es/boe/dias/2003/12/20/pdfs/A45329-45343.pdf">http://www.boe.es/boe/dias/2003/12/20/pdfs/A45329-45343.pdf</a>
So, in order to be more fair to non-US CAs, what about that
3-million-Euro amount instead that just said "third party
cyber coverage"? (I have Betterley's 2014 Cyber Insurance
Report that I can use to create a definition of "third party
cyber coverage".) Given the facts above, I can't see any
reason to replace our objective rule with something as
subjective as "adequate arrangements" or "sufficient
financial resources," which are subjective and impossible to
audit, let alone eliminate it altogether.<br>
<br>
Financial stability is a key component of being a CA,
especially one that issues Extended Validation
certificates. It certainly seems that any European CA
wanting to issue the "qualified website" equivalent of an EV
certificate will have to meet Art 6 / Annex II requirements
in any event.<br>
<br>
Also, we require insurance for banks and automobile
owners/drivers. Not for first-party coverage, but for
third-party coverage--we do not want innocent third parties
left holding the bag--it's what economists call "negative
externality". Banks, for example, have great security, but
they also have to handle the risk that all of that security
won't protect against everything--nothing works perfectly
100%. Banks are required by regulators to have financial
reserves, deposit insurance, and other risk-mitigating
processes. See <a moz-do-not-send="true"
href="http://edoc.ub.uni-muenchen.de/5628/1/Mikkonen_Katri.pdf">http://edoc.ub.uni-muenchen.de/5628/1/Mikkonen_Katri.pdf</a>
Under the EU Directive on capital adequacy of investment
firms and credit institutions, this means coverage of EUR
20 000 for each depositor, minimum start-up-capital of EUR 5
million, and then ongoing solvency ratios per Basel
requirements.<br>
<br>
Ben <br>
<br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal"
style="margin-left:.5in;line-height:normal">On 6/2/2014
1:40 AM, <a moz-do-not-send="true"
href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a>
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D">Hi,</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D">The
TS 102 042 is the one for EV and BR certs and also
indicates in 7.5 what Mou has stated. </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D">This
“control” was included to let the CA set the
requirements appropriate to its needs and according to
national legislation.</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D">Regards</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="margin-left:.5in;line-height:9.75pt"><b><span
style="font-size:8.5pt;font-family:"Tahoma","sans-serif""
lang="ES-TRAD">Iñigo Barreira</span></b><span
style="font-size:8.5pt;font-family:"Tahoma","sans-serif""
lang="ES-TRAD"><br>
Head of the Technical Area<br>
<a moz-do-not-send="true"
href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a></span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:8.5pt;line-height:115%;font-family:"Tahoma","sans-serif""
lang="ES-TRAD">945067705</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D"
lang="ES-TRAD"> </span><o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-left:.5in"><b><span
style="font-size:10.0pt;line-height:115%;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;line-height:115%;font-family:"Tahoma","sans-serif";color:windowtext">
<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Moudrick M. Dadashov<br>
<b>Sent:</b> Saturday, May 31, 2014 2:30<br>
<b>To:</b> <a moz-do-not-send="true"
href="mailto:ben@digicert.com">ben@digicert.com</a>;
<a moz-do-not-send="true"
href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>;
'Gervase Markham'; 'public >> CABFPub'<br>
<b>Subject:</b> Re: [cabfpub] Ballot 121 (insurance)</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-left:.5in">On 5/31/2014
2:46 AM, Ben Wilson wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre style="margin-left:.5in">Do you have a proposal that addresses the concerns about financial<o:p></o:p></pre>
<pre style="margin-left:.5in">stability?<o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in">Please
see ETSI TS 101 456 V1.4.3 section 7.5 specifically points
d), e) and f) - IMO they are close to what you are looking
for.<br>
<br>
As a standardization body, ETSI doesn't set its
requirements in terms of absolute amounts; this is left to
implementers - in this case to MS Governments.<br>
<br>
FYI:<br>
<a moz-do-not-send="true"
href="http://www.etsi.org/deliver/etsi_ts/101400_101499/101456/01.04.03_60/ts_101456v010403p.pdf">http://www.etsi.org/deliver/etsi_ts/101400_101499/101456/01.04.03_60/ts_101456v010403p.pdf</a><br>
<br>
Given the fact that EVG is incorporated into ETSI "as is",
I see potential conflict between the two approaches. <br>
<br>
Thanks.<br>
M.D.<br>
<br>
<br>
<o:p></o:p></p>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">-----Original Message-----<o:p></o:p></pre>
<pre style="margin-left:.5in">From: <a moz-do-not-send="true" href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a> [<a moz-do-not-send="true" href="mailto:kirk_hall@trendmicro.com">mailto:kirk_hall@trendmicro.com</a>] <o:p></o:p></pre>
<pre style="margin-left:.5in">Sent: Friday, May 30, 2014 5:20 PM<o:p></o:p></pre>
<pre style="margin-left:.5in">To: <a moz-do-not-send="true" href="mailto:ben@digicert.com">ben@digicert.com</a>; 'Gervase Markham'; 'public >> CABFPub'<o:p></o:p></pre>
<pre style="margin-left:.5in">Subject: RE: [cabfpub] Ballot 121 (insurance)<o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">Ben -- as I indicated to the EV Working Group in an email recently, I have<o:p></o:p></pre>
<pre style="margin-left:.5in">definitely changed my mind about the EVGL insurance requirement based on my<o:p></o:p></pre>
<pre style="margin-left:.5in">own experience in starting AffirmTrust in 2010. (As a reminder to all,<o:p></o:p></pre>
<pre style="margin-left:.5in">AffirmTrust was acquired by Trend Micro in 2011, and Trend is big enough and<o:p></o:p></pre>
<pre style="margin-left:.5in">has a strong enough balance sheet and treasury that under the EVGL we are<o:p></o:p></pre>
<pre style="margin-left:.5in">entirely exempt from the insurance requirements -- so we have no personal<o:p></o:p></pre>
<pre style="margin-left:.5in">stake in this.) <o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">While starting my own company, the insurance brokers kept asking me why I<o:p></o:p></pre>
<pre style="margin-left:.5in">wanted the insurance coverages -- they clearly didn't think I needed them --<o:p></o:p></pre>
<pre style="margin-left:.5in">and they warned me that the E&O coverage in particular probably wasn't going<o:p></o:p></pre>
<pre style="margin-left:.5in">to provide me with any meaningful protection for anything (given that it<o:p></o:p></pre>
<pre style="margin-left:.5in">generally doesn't cover contractual liability for a bad cert, return of<o:p></o:p></pre>
<pre style="margin-left:.5in">fees, etc.) So it felt like a very big waste of money.<o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">Plus we now know from eight years of experience (plus the anecdotal evidence<o:p></o:p></pre>
<pre style="margin-left:.5in">of Trend Micro's legal counsel from his decade at VeriSign) that there<o:p></o:p></pre>
<pre style="margin-left:.5in">simply aren't claims from customers or relying parties for mis-issued certs<o:p></o:p></pre>
<pre style="margin-left:.5in">and that the need for insurance (even if it did cover the mis-issuance of EV<o:p></o:p></pre>
<pre style="margin-left:.5in">certs) is minimal at best. The one case of catastrophic failure and breach,<o:p></o:p></pre>
<pre style="margin-left:.5in">DigiNotar, apparently resulted in a court ruling that the insurer would be<o:p></o:p></pre>
<pre style="margin-left:.5in">allowed to deny all coverage.<o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">When we collectively were brainstorming in 2005-6 to create the first EV<o:p></o:p></pre>
<pre style="margin-left:.5in">Guidelines, we were trying to come up with lots and lots of requirements to<o:p></o:p></pre>
<pre style="margin-left:.5in">try to set EV certs apart from other certs. As I recall, we considered even<o:p></o:p></pre>
<pre style="margin-left:.5in">more complex verification steps for EV to make it similar to the closing of<o:p></o:p></pre>
<pre style="margin-left:.5in">a major corporate transaction (e.g., getting Board of Directors<o:p></o:p></pre>
<pre style="margin-left:.5in">authorizations, Secretary's Certificates, etc.) -- fortunately, common sense<o:p></o:p></pre>
<pre style="margin-left:.5in">prevailed and we slimmed down the requirements so they are very thorough,<o:p></o:p></pre>
<pre style="margin-left:.5in">but achievable.<o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">Finally, the Forum has learned through eight years of experience that these<o:p></o:p></pre>
<pre style="margin-left:.5in">insurance requirements are even harder and more expensive for<o:p></o:p></pre>
<pre style="margin-left:.5in">non-US/Canadian CAs to satisfy, and that their brokers also tell them the<o:p></o:p></pre>
<pre style="margin-left:.5in">coverages won't provide them with any meaningful protection. We don't want<o:p></o:p></pre>
<pre style="margin-left:.5in">the EV Guidelines to be weighted in favor of US/Canadian CAs.<o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">The Forum hasn't hesitated from changing other EVGL requirements when we<o:p></o:p></pre>
<pre style="margin-left:.5in">think justified -- such as recently allowing the use of the automatic email<o:p></o:p></pre>
<pre style="margin-left:.5in">verification method to upgrade domains to the EV level (using the same<o:p></o:p></pre>
<pre style="margin-left:.5in">verification methods as for DV and OV certs). For the first seven years of<o:p></o:p></pre>
<pre style="margin-left:.5in">the EVGL, we were all required to do manual vetting of domains with a WhoIs<o:p></o:p></pre>
<pre style="margin-left:.5in">lookup and deal with any mis-match of the registration.<o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">So for all these reasons, I think Gerv is right and it's time to drop the<o:p></o:p></pre>
<pre style="margin-left:.5in">insurance requirements. Let CAs follow any insurance requirements that<o:p></o:p></pre>
<pre style="margin-left:.5in">their applicable local jurisdiction(s) may impose, but otherwise don't<o:p></o:p></pre>
<pre style="margin-left:.5in">create an additional insurance requirement through the EV Guidelines.<o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">Gerv, thanks for sharing your thoughtful and well informed opinion. It<o:p></o:p></pre>
<pre style="margin-left:.5in">really helps.<o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">Kirk<o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">-----Original Message-----<o:p></o:p></pre>
<pre style="margin-left:.5in">From: <a moz-do-not-send="true" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a moz-do-not-send="true" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] On<o:p></o:p></pre>
<pre style="margin-left:.5in">Behalf Of Ben Wilson<o:p></o:p></pre>
<pre style="margin-left:.5in">Sent: Friday, May 30, 2014 3:15 PM<o:p></o:p></pre>
<pre style="margin-left:.5in">To: 'Gervase Markham'; 'public >> CABFPub'<o:p></o:p></pre>
<pre style="margin-left:.5in">Subject: Re: [cabfpub] Ballot 121 (insurance)<o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">Gerv and all,<o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">If people want to save money, they can stick to issuing DV or OV<o:p></o:p></pre>
<pre style="margin-left:.5in">certificates. EV certificates need to remain different, and this proposed<o:p></o:p></pre>
<pre style="margin-left:.5in">move is contrary to the first goal we all agreed upon when we began working<o:p></o:p></pre>
<pre style="margin-left:.5in">on the guidelines for issuing Extended Validation Certificates, which my<o:p></o:p></pre>
<pre style="margin-left:.5in">notes indicate was to "increase online trust." <o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">If the ballot is re-introduced and passes, then CAs will not be required to<o:p></o:p></pre>
<pre style="margin-left:.5in">have insurance for any negligence in issuing or maintaining EV Certificates.<o:p></o:p></pre>
<pre style="margin-left:.5in">It increases the likelihood that another Diginotar won't be held<o:p></o:p></pre>
<pre style="margin-left:.5in">accountable, and I believe the insurance is currently available at<o:p></o:p></pre>
<pre style="margin-left:.5in">affordable cost, approximately $10,000 per $1 million coverage. I have<o:p></o:p></pre>
<pre style="margin-left:.5in">attached a sample cyber-insurance policy, which is available in similar form<o:p></o:p></pre>
<pre style="margin-left:.5in">from any of the top insurers internationally -- Zurich, ING, AIG, AXA, Allianz,<o:p></o:p></pre>
<pre style="margin-left:.5in">etc.<o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">The reintroduction of Ballot 121 also reopens negotiations of 8 years ago,<o:p></o:p></pre>
<pre style="margin-left:.5in">which took place during 2006. For example, attached is Kirk Hall's memo to<o:p></o:p></pre>
<pre style="margin-left:.5in">the group from June 2006 in which he recommends "indemnity insurance<o:p></o:p></pre>
<pre style="margin-left:.5in">coverage (e.g. "errors and omissions," "cyber coverage," "network computer<o:p></o:p></pre>
<pre style="margin-left:.5in">liability," "professional liability," or other similar coverage) for<o:p></o:p></pre>
<pre style="margin-left:.5in">Extended Validation Certificates [in the amount of $10 million]." <o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">Opponents of insurance requirements cannot simply erase these historical<o:p></o:p></pre>
<pre style="margin-left:.5in">choices without proposing viable alternatives. (It's always easier to<o:p></o:p></pre>
<pre style="margin-left:.5in">complain and to poke holes at things than to work on real solutions.) And<o:p></o:p></pre>
<pre style="margin-left:.5in">finally, if the EV Guidelines do not contain some form of financial<o:p></o:p></pre>
<pre style="margin-left:.5in">responsibility, then we might as well delete the Section 7 warranties, and<o:p></o:p></pre>
<pre style="margin-left:.5in">the other EV provisions to which they refer, because they will just become<o:p></o:p></pre>
<pre style="margin-left:.5in">empty promises. <o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">Ben<o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">-----Original Message-----<o:p></o:p></pre>
<pre style="margin-left:.5in">From: <a moz-do-not-send="true" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a moz-do-not-send="true" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] On<o:p></o:p></pre>
<pre style="margin-left:.5in">Behalf Of Gervase Markham<o:p></o:p></pre>
<pre style="margin-left:.5in">Sent: Friday, May 30, 2014 12:41 PM<o:p></o:p></pre>
<pre style="margin-left:.5in">To: public >> CABFPub<o:p></o:p></pre>
<pre style="margin-left:.5in">Subject: [cabfpub] Ballot 121 (insurance)<o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">I talked to our lawyer this morning. Mozilla is now willing to support the<o:p></o:p></pre>
<pre style="margin-left:.5in">proposal in Ballot 121 (removal of the insurance requirement from the EV<o:p></o:p></pre>
<pre style="margin-left:.5in">Guidelines).<o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">We feel that this requirement provides no significant protection in practice<o:p></o:p></pre>
<pre style="margin-left:.5in">for either users, for whom CAs can limit liability to $2000 anyway, or for<o:p></o:p></pre>
<pre style="margin-left:.5in">browsers, for whom clause 18.2 which indemnifies them is much more relevant.<o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">We encourage other CAs and browsers to support this ballot also, and let the<o:p></o:p></pre>
<pre style="margin-left:.5in">CAs put the $N,000 saved towards making their products better and/or cheaper<o:p></o:p></pre>
<pre style="margin-left:.5in">for users.<o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in">Gerv<o:p></o:p></pre>
<pre style="margin-left:.5in">_______________________________________________<o:p></o:p></pre>
<pre style="margin-left:.5in">Public mailing list<o:p></o:p></pre>
<pre style="margin-left:.5in"><a moz-do-not-send="true" href="mailto:Public@cabforum.org">Public@cabforum.org</a><o:p></o:p></pre>
<pre style="margin-left:.5in"><a moz-do-not-send="true" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></pre>
<p class="MsoNormal"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in"><br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
</blockquote>
<p class="MsoNormal"
style="margin-left:.5in;line-height:normal"><o:p> </o:p></p>
</blockquote>
<p class="MsoNormal" style="margin-left:.5in;line-height:normal"><o:p> </o:p></p>
</div>
<br>
</blockquote>
<br>
</body>
</html>