<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
line-height:115%;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
h1
{mso-style-priority:9;
mso-style-link:"Título 1 Car";
margin-top:24.0pt;
margin-right:0cm;
margin-bottom:0cm;
margin-left:0cm;
margin-bottom:.0001pt;
line-height:115%;
page-break-after:avoid;
font-size:14.0pt;
font-family:"Cambria","serif";
color:#365F91;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML con formato previo Car";
margin:0cm;
margin-bottom:.0001pt;
line-height:115%;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Texto de globo Car";
margin:0cm;
margin-bottom:.0001pt;
line-height:115%;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
span.Ttulo1Car
{mso-style-name:"Título 1 Car";
mso-style-priority:9;
mso-style-link:"Título 1";
font-family:"Cambria","serif";
color:#365F91;
font-weight:bold;}
span.HTMLconformatoprevioCar
{mso-style-name:"HTML con formato previo Car";
mso-style-priority:99;
mso-style-link:"HTML con formato previo";
font-family:Consolas;
color:black;}
span.TextodegloboCar
{mso-style-name:"Texto de globo Car";
mso-style-priority:99;
mso-style-link:"Texto de globo";
font-family:"Tahoma","sans-serif";
color:black;}
p.Heading1, li.Heading1, div.Heading1
{mso-style-name:"Heading 1";
mso-style-link:"Heading 1 Char";
margin:0cm;
margin-bottom:.0001pt;
line-height:115%;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
span.Heading1Char
{mso-style-name:"Heading 1 Char";
mso-style-priority:9;
mso-style-link:"Heading 1";
font-family:"Cambria","serif";
color:#365F91;
font-weight:bold;}
p.HTMLPreformatted, li.HTMLPreformatted, div.HTMLPreformatted
{mso-style-name:"HTML Preformatted";
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
line-height:115%;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
p.BalloonText, li.BalloonText, div.BalloonText
{mso-style-name:"Balloon Text";
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
line-height:115%;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";
color:black;}
span.EstiloCorreo28
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EstiloCorreo29
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EstiloCorreo30
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;
font-weight:normal;
font-style:normal;}
span.EstiloCorreo31
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EstiloCorreo33
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:263342548;
mso-list-template-ids:934476860;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:506333814;
mso-list-template-ids:-42041196;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2
{mso-list-id:1072317300;
mso-list-template-ids:-670931570;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3
{mso-list-id:1219394652;
mso-list-template-ids:729973850;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4
{mso-list-id:1504205589;
mso-list-template-ids:-430122084;}
@list l4:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l4:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5
{mso-list-id:2115902274;
mso-list-template-ids:-295512474;}
@list l5:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l5:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l5:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=ES link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'>Fort he record, we´re with CFC Underwriting for all our cyber risks<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal style='line-height:normal'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='line-height:9.75pt'><b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif"'>Iñigo Barreira</span></b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif"'><br>Responsable del Área técnica<br><a href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a><o:p></o:p></span></p><p class=MsoNormal style='line-height:normal'><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif"'>945067705</span><span lang=ES-TRAD style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal style='line-height:normal'><span lang=ES-TRAD style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='line-height:normal'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><img border=0 width=585 height=111 id="_x0000_i1026" src="cid:image001.png@01CF8A45.A8F3A4F0" alt="Descripción: cid:image001.png@01CE3152.B4804EB0"></span><span lang=ES-TRAD style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal style='line-height:9.75pt'><span style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'>ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'><br></span><span style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'>ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.</span><span style='font-family:"Calibri","sans-serif";color:navy;mso-fareast-language:ES-TRAD'><o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='line-height:normal'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>De:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>En nombre de </b>Ben Wilson<br><b>Enviado el:</b> martes, 10 de junio de 2014 18:20<br><b>Para:</b> 'Rick Andrews'; public@cabforum.org<br><b>Asunto:</b> Re: [cabfpub] Ballot 121 (insurance)<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks, Rick. For any CA looking into cyber insurance coverage, here are some lists of nominees for best insurers and advisors (from an announcement I received about an upcoming industry event).<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal'><strong><span lang=EN-US>Cyber Risk Experts</span></strong><span lang=EN-US><o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level1 lfo1'><span lang=EN-US>Rick Bortnick of Christie Parabue and Young<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level1 lfo1'><span lang=EN-US>Matthew Clarke of AIG Australia<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level1 lfo1'><span lang=EN-US>Nick Economidis of Beazley<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level1 lfo1'><span lang=EN-US>Emily Freeman of Lockton<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level1 lfo1'><span lang=EN-US>Mark Greisiger of NetDiligence<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level1 lfo1'><span lang=EN-US>Steve Haase of INSUREtrust<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level1 lfo1'><span lang=EN-US>Toby Merrill of ACE<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level1 lfo1'><span lang=EN-US>John Mullen of Lewis Brisbois Bisgaard & Smith<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level1 lfo1'><span lang=EN-US>Bob Parisi of Marsh<o:p></o:p></span></li></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal'><strong><span lang=EN-US>Best Cyber Incident Response </span></strong><span lang=EN-US><o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l3 level1 lfo2'><span lang=EN-US>AIG<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l3 level1 lfo2'><span lang=EN-US>AllClear ID<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l3 level1 lfo2'><span lang=EN-US>BakerHostetler<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l3 level1 lfo2'><span lang=EN-US>Beazley<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l3 level1 lfo2'><span lang=EN-US>Identity Theft 911<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l3 level1 lfo2'><span lang=EN-US>Lewis Brisbois<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l3 level1 lfo2'><span lang=EN-US>Mandiant<o:p></o:p></span></li></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal'><b><span lang=EN-US>Best Internal Cyber Risk Analysis<o:p></o:p></span></b></p><ul type=disc><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l1 level1 lfo3'><span lang=EN-US>AIG<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l1 level1 lfo3'><span lang=EN-US>Experian<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l1 level1 lfo3'><span lang=EN-US>Kroll<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l1 level1 lfo3'><span lang=EN-US>Liberty International Underwriters<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l1 level1 lfo3'><span lang=EN-US>Privacy Professionals<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l1 level1 lfo3'><span lang=EN-US>RPS Technology & Cyber<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l1 level1 lfo3'><span lang=EN-US>Verizon<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l1 level1 lfo3'><span lang=EN-US>Willis<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l1 level1 lfo3'><span lang=EN-US>XL Group<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l1 level1 lfo3'><span lang=EN-US>Zurich<o:p></o:p></span></li></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal'><strong><span lang=EN-US>Best New Cyber Risk Innovation </span></strong><span lang=EN-US><o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo4'><span lang=EN-US>ACE (Sidecar with data breach outside limits)<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo4'><span lang=EN-US>AIG (CyberEdge iPad app)<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo4'><span lang=EN-US>Privacy Professionals (Pre-event loss mitigation tool)<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo4'><span lang=EN-US>Risk Based Security (YourCISO risk management portal)<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo4'><span lang=EN-US>BitSight (Security ratings)<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo4'><span lang=EN-US>Willis (PRISM)<o:p></o:p></span></li></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal'><strong><span lang=EN-US>Best Cyber Risk Brokers</span></strong><span lang=EN-US><o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l5 level1 lfo5'><span lang=EN-US>Aon<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l5 level1 lfo5'><span lang=EN-US>Lockton<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l5 level1 lfo5'><span lang=EN-US>Marsh<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l5 level1 lfo5'><span lang=EN-US>RPS Technology & Cyber<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l5 level1 lfo5'><span lang=EN-US>Wells Fargo<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l5 level1 lfo5'><span lang=EN-US>Willis<o:p></o:p></span></li></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal'><strong><span lang=EN-US>Best Cyber Risk Insurers</span></strong><span lang=EN-US><o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l4 level1 lfo6'><span lang=EN-US>ACE<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l4 level1 lfo6'><span lang=EN-US>AIG<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l4 level1 lfo6'><span lang=EN-US>Beazley<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l4 level1 lfo6'><span lang=EN-US>CFC Underwriting<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l4 level1 lfo6'><span lang=EN-US>Liberty International Underwriters<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l4 level1 lfo6'><span lang=EN-US>Philadelphia<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l4 level1 lfo6'><span lang=EN-US>XL<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l4 level1 lfo6'><span lang=EN-US>Zurich<o:p></o:p></span></li></ul><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'>Ben<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='line-height:normal'><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Rick Andrews<br><b>Sent:</b> Monday, June 9, 2014 1:50 PM<br><b>To:</b> public@cabforum.org<br><b>Subject:</b> Re: [cabfpub] Ballot 121 (insurance)<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'>A Timely article (pun intended):<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'> Cyberattack Insurance a Challenge for Business <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'> <a href="http://p.nytimes.com/email/re?location=InCMR7g4BCKC2wiZPkcVUkfBKD0WxM+9&user_id=c619a85212e2206d7323c9ed8f4e42e9&email_type=eta&task_id=1402342739914133®i_id=0"><b>http://nyti.ms/1oLGfqR </b></a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'>-Rick<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='margin-left:36.0pt;line-height:normal'><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Ben Wilson<br><b>Sent:</b> Thursday, June 05, 2014 5:55 AM<br><b>To:</b> 'Moudrick M. Dadashov'; <a href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a>; <a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>; <a href="mailto:gerv@mozilla.org">gerv@mozilla.org</a>; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> Re: [cabfpub] Ballot 121 (insurance)<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks. Let’s keep this discussion moving toward an amendment that provides a more reasonable, but objective, uniform, and auditable standard to be applied and implemented globally to address cyber risks and reduce potential loss to third parties. I’ve found about 100 academic papers that mention cyber insurance and about 200 web pages in the .com space that discuss cyber coverage. I’m sifting through those now. I’m happy to make them available to anyone who wants to participate in this review.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='margin-left:36.0pt;line-height:normal'><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Moudrick M. Dadashov<br><b>Sent:</b> Thursday, June 5, 2014 4:43 AM<br><b>To:</b> Ben Wilson; <a href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a>; <a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>; <a href="mailto:gerv@mozilla.org">gerv@mozilla.org</a>; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> Re: [cabfpub] Ballot 121 (insurance)<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US><o:p> </o:p></span></p><div><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US>Hi,<br><br>looks like we are not alone on this planet:<br><br><a href="http://www.tripwire.com/state-of-security/featured/who-should-insure-the-nations-critical-infrastructure/">http://www.tripwire.com/state-of-security/featured/who-should-insure-the-nations-critical-infrastructure/</a><br><br>Is EV SSL issuance a part of NCI?<br><br>Thanks,<br>M.D.<br><br>On 6/3/2014 4:43 AM, Ben Wilson wrote:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:36.0pt;line-height:normal'><span lang=EN-US>Thanks, Moudrick, Kirk and Iñigo,<br><br>For those who haven't looked up this ETSI document, Section 7.5 says, "(d) Adequate arrangements to cover liabilities arising from its operations and/or activities; (e) Financial stability and resources required to operate in conformity with this policy; and (f) Policies and procedures for the resolution of complaints and disputes received from customers or other parties about the provisioning of electronic trust services." This appears to be based, somewhat, on the liability structure set up in Art.6 of of EU Directive 1999/93/EC and subsection (h) of Annex II, <a href="http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31999L0093">http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31999L0093</a>, the latter of which reads, “(h) maintain sufficient financial resources to operate in conformity with the requirements laid down in the Directive, in particular to bear the risk of liability for damages, for example, by obtaining appropriate insurance;” <br><br>CAs are supposed to address their responsibility under Art. 6. This can be written in their CP/CPS either under Section 2.3 (RFC 2527) or Section 9.2 (RFC 3647) -- maybe more explicit requirements in the BRs are needed about what must be written in those sections? Also, I see that "risk" is noted in Annex II, but not in section 7.5 (too hard to audit?), an insurance or financial stability requirement is a much easier way to address risks to third parties than other methods, and it more fairly distributes the loss potential. See e.g. <a href="http://www.egov.ufsc.br/portal/sites/default/files/anexos/27548-27558-1-PB.pdf">http://www.egov.ufsc.br/portal/sites/default/files/anexos/27548-27558-1-PB.pdf</a> <br><br>According to <a href="http://www.law.uni-sofia.bg/Kat/T/IP/T/ES/DocLib/The%20Legal%20and%20Market%20Aspects%20of%20Electronic%20Signatures.pdf">http://www.law.uni-sofia.bg/Kat/T/IP/T/ES/DocLib/The%20Legal%20and%20Market%20Aspects%20of%20Electronic%20Signatures.pdf</a> <br>most EU countries have simply copied this text from Annex II into their own laws without further requirements. However, some, like Spain, have set forth specific insurance amounts for " Cobertura de seguro u otras garantías para los terceros de buena fe cuando incumpla las obligaciones que impone la Ley 59/2003, de 19 de diciembre, de Firma Electrónica" - from what I can tell, the amount is 3 million Euros. <a href="http://www.boe.es/boe/dias/2003/12/20/pdfs/A45329-45343.pdf">http://www.boe.es/boe/dias/2003/12/20/pdfs/A45329-45343.pdf</a> So, in order to be more fair to non-US CAs, what about that 3-million-Euro amount instead that just said "third party cyber coverage"? (I have Betterley's 2014 Cyber Insurance Report that I can use to create a definition of "third party cyber coverage".) Given the facts above, I can't see any reason to replace our objective rule with something as subjective as "adequate arrangements" or "sufficient financial resources," which are subjective and impossible to audit, let alone eliminate it altogether.<br><br>Financial stability is a key component of being a CA, especially one that issues Extended Validation certificates. It certainly seems that any European CA wanting to issue the "qualified website" equivalent of an EV certificate will have to meet Art 6 / Annex II requirements in any event.<br><br>Also, we require insurance for banks and automobile owners/drivers. Not for first-party coverage, but for third-party coverage--we do not want innocent third parties left holding the bag--it's what economists call "negative externality". Banks, for example, have great security, but they also have to handle the risk that all of that security won't protect against everything--nothing works perfectly 100%. Banks are required by regulators to have financial reserves, deposit insurance, and other risk-mitigating processes. See <a href="http://edoc.ub.uni-muenchen.de/5628/1/Mikkonen_Katri.pdf">http://edoc.ub.uni-muenchen.de/5628/1/Mikkonen_Katri.pdf</a> Under the EU Directive on capital adequacy of investment …firms and credit institutions, this means coverage of EUR 20 000 for each depositor, minimum start-up-capital of EUR 5 million, and then ongoing solvency ratios per Basel requirements.<br><br>Ben <o:p></o:p></span></p><div><p class=MsoNormal style='margin-left:36.0pt;line-height:normal'><span lang=EN-US>On 6/2/2014 1:40 AM, <a href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a> wrote:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'>Hi,</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'>The TS 102 042 is the one for EV and BR certs and also indicates in 7.5 what Mou has stated. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'>This “control” was included to let the CA to set the requirements appropriate to its needs and according to national legislation.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'>Regards</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><div><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:36.0pt;line-height:9.75pt'><b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif"'>Iñigo Barreira</span></b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif"'><br>Responsable del Área técnica<br><a href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a></span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span lang=ES-TRAD style='font-size:8.5pt;line-height:115%;font-family:"Tahoma","sans-serif"'>945067705</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span lang=ES-TRAD style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'><img border=0 width=585 height=111 id="Imagen_x0020_1" src="cid:image001.png@01CF8A45.A8F3A4F0" alt="Descripción: cid:image001.png@01CE3152.B4804EB0"></span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:36.0pt;line-height:9.75pt'><span lang=EN-US style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'>ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'><br></span><span lang=EN-US style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'>ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.</span><span lang=EN-US><o:p></o:p></span></p></div><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='margin-left:36.0pt'><b><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Tahoma","sans-serif";color:windowtext'>De:</span></b><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Tahoma","sans-serif";color:windowtext'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>En nombre de </b>Moudrick M. Dadashov<br><b>Enviado el:</b> sábado, 31 de mayo de 2014 2:30<br><b>Para:</b> <a href="mailto:ben@digicert.com">ben@digicert.com</a>; <a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>; 'Gervase Markham'; 'public >> CABFPub'<br><b>Asunto:</b> Re: [cabfpub] Ballot 121 (insurance)</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US> <o:p></o:p></span></p><div><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US>On 5/31/2014 2:46 AM, Ben Wilson wrote:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Do you have a proposal that addresses the concerns about financial<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>stability?<o:p></o:p></span></pre></blockquote><p class=MsoNormal style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:36.0pt'><span lang=EN-US>Please see ETSI TS 101 456 V1.4.3 section 7.5 specifically points d), e) and f) - IMO they are close to what you are looking for.<br><br>As a standardization body ETSI doesn't set its requirements in terms of absolute amounts, this is left to implementers - in this case to MS Governments.<br><br>FYI:<br><a href="http://www.etsi.org/deliver/etsi_ts/101400_101499/101456/01.04.03_60/ts_101456v010403p.pdf">http://www.etsi.org/deliver/etsi_ts/101400_101499/101456/01.04.03_60/ts_101456v010403p.pdf</a><br><br>Given the fact that EVG is incorporated into ETSI "as is", I see potential conflict between the two approaches. <br><br>Thanks.<br>M.D.<o:p></o:p></span></p><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>-----Original Message-----<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>From: <a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a> [<a href="mailto:kirk_hall@trendmicro.com">mailto:kirk_hall@trendmicro.com</a>] <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Sent: Friday, May 30, 2014 5:20 PM<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>To: <a href="mailto:ben@digicert.com">ben@digicert.com</a>; 'Gervase Markham'; 'public >> CABFPub'<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Subject: RE: [cabfpub] Ballot 121 (insurance)<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Ben -- as I indicated to the EV Working Group in an email recently, I have<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>definitely changed my mind about the EVGL insurance requirement based on my<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>own experience in starting AffirmTrust in 2010. (As a reminder to all,<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>AffirmTrust was acquired by Trend Micro in 2011, and Trend is big enough and<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>has a strong enough balance sheet and treasury that under the EVGL we are<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>entirely exempt from the insurance requirements -- so we have no personal<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>stake in this.) <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>While starting my own company, the insurance brokers kept asking me why I<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>wanted the insurance coverages -- they clearly didn't think I needed them --<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>and they warned me that the E&O coverage in particular probably wasn't going<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>to provide me with any meaningful protection for anything (given that it<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>generally doesn't cover contractual liability for a bad cert, return of<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>fees, etc.) So it felt like a very big waste of money.<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Plus we now know from eight years of experience (plus the anecdotal evidence<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>of Trend Micro's legal counsel from his decade at VeriSign) that there<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>simply aren't claims from customers or relying parties for mis-issued certs<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>and that the need for insurance (even if it did cover the mis-issuance of EV<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>certs) is minimal at best. The one case of catastrophic failure and breach,<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>DigiNotar, apparently resulted in a court ruling that the insurer would be<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>allowed to deny all coverage.<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>When we collectively were brainstorming in 2005-6 to create the first EV<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Guidelines, we were trying to come up with lots and lots of requirements to<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>try to set EV certs apart from other certs. As I recall, we considered even<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>more complex verification steps for EV to make it similar to the closing of<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>a major corporate transaction (e.g., getting Board of Directors<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>authorizations, Secretary's Certificates, etc.) -- fortunately, common sense<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>prevailed and we slimmed down the requirements so they are very thorough,<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>but achievable.<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Finally, the Forum has learned through eight years of experience that these<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>insurance requirements are even harder and more expensive for<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>non-US/Canadian CAs to satisfy, and that their brokers also tell them the<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>coverages won't provide them with any meaningful protection. We don't want<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>the EV Guidelines to be weighted in favor of US/Canadian CAs.<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>The Forum hasn't hesitated from changing other EVGL requirements when we<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>think justified -- such as recently allowing the use of the automatic email<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>verification method to upgrade domains to the EV level (using the same<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>verification methods as for DV and OV certs). For the first seven years of<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>the EVGL, we were all required to do manual vetting of domains with a WhoIs<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>lookup and deal with any mis-match of the registration.<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>So for all these reasons, I think Gerv is right and it's time to drop the<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>insurance requirements. Let CAs follow any insurance requirements that<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>their applicable local jurisdiction(s) may impose, but otherwise don't<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>create an additional insurance requirement through the EV Guidelines.<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Gerv, thanks for sharing your thoughtful and well informed opinion. It<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>really helps.<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Kirk<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>-----Original Message-----<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>From: <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] On<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Behalf Of Ben Wilson<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Sent: Friday, May 30, 2014 3:15 PM<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>To: 'Gervase Markham'; 'public >> CABFPub'<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Subject: Re: [cabfpub] Ballot 121 (insurance)<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Gerv and all,<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>If people want to save money, they can stick to issuing DV or OV<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>certificates. EV certificates need to remain different, and this proposed<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>move is contrary to the first goal we all agreed upon when we began working<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>on the guidelines for issuing Extended Validation Certificates, which my<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>notes indicates was to "increase online trust." <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>If the ballot is re-introduced and passes, then CAs will not be required to<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>have insurance for any negligence in issuing or maintaining EV Certificates.<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>It increases the likelihood that another Diginotar won't be held<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>accountable, and I believe the insurance is currently available at<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>affordable cost, approximately $10,000 per $1 million coverage. I have<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>attached a sample cyber-insurance policy, which is available in similar form<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>from any of top insurers internationally-- Zurich, ING, AIG, AXA, Allianz,<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>etc.<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>The reintroduction of Ballot 121 also reopens negotiations of 8 years ago,<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>which took place during 2006. For example, attached is Kirk Hall's memo to<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>the group from June 2006 in which he recommends "indemnity insurance<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>coverage (e.g. "errors and omissions," "cyber coverage," "network computer<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>liability," "professional liability," or other similar coverage) for<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Extended Validation Certificates [in the amount of $10 million]." <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Opponents of insurance requirements cannot simply erase these historical<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>choices without proposing viable alternatives. (It's always easier to<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>complain and to poke holes at things than to work on real solutions.) And<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>finally, if the EV Guidelines do not contain some form of financial<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>responsibility, then we might as well delete the Section 7 warranties, and<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>the other EV provisions to which they refer, because they will just become<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>empty promises. <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Ben<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>-----Original Message-----<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>From: <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] On<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Behalf Of Gervase Markham<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Sent: Friday, May 30, 2014 12:41 PM<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>To: public >> CABFPub<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Subject: [cabfpub] Ballot 121 (insurance)<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>I talked to our lawyer this morning. Mozilla is now willing to support the<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>proposal in Ballot 121 (removal of the insurance requirement from the EV<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Guidelines).<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>We feel that this requirement provides no significant protection in practice<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>for either users, for whom CAs can limit liability to $2000 anyway, or for<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>browsers, for whom clause 18.2 which indemnifies them is much more relevant.<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>We encourage other CAs and browsers to support this ballot also, and let the<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>CAs put the $N,000 saved towards making their products better and/or cheaper<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>for users.<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'> <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Gerv<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>_______________________________________________<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Public mailing list<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'><a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'><table class="TM_EMAIL_NOTICE"><tr><td><pre><o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>TREND MICRO EMAIL NOTICE<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>The information contained in this email and any attachments is confidential<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>and may be subject to copyright or other intellectual property protection. <o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>If you are not the intended recipient, you are not authorized to use or<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>disclose this information, and we request that you notify us by reply mail<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>or telephone and delete the original message from your mail system.<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'></pre></td></tr></table><o:p></o:p></span></pre><p class=MsoNormal style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:36.0pt'><span lang=EN-US><o:p> </o:p></span></p><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>_______________________________________________<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'>Public mailing list<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US style='font-size:10.0pt;line-height:115%;font-family:"Courier New"'><a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></span></pre><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US> <o:p></o:p></span></p></blockquote><p class=MsoNormal style='margin-left:36.0pt;line-height:normal'><span lang=EN-US><o:p> </o:p></span></p></blockquote><p class=MsoNormal style='margin-left:36.0pt;line-height:normal'><span lang=EN-US><o:p> </o:p></span></p></div></body></html>