<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi Atilla,<br>
<br>
I agree, in worst case scenario existing insurance provisions
remain unchanged. <br>
<br>
A possible solution to prevent this IMO would be if we amend the
latest ballot wording so that it ends up with one of two choices
being approved. Maybe ballot 121 is a candidate alternative? In
case there is a consensus, ballot 133 should say something like
vote for A (as proposed in ballot 133) or B (as in ballot 121).<br>
<br>
Thanks,<br>
M.D.<br>
<br>
<br>
On 10/9/2014 3:49 PM, N. Atilla Biler wrote:<br>
</div>
<blockquote
cite="mid:!&!AAAAAAAAAAAYAAAAAAAAAL3CdQgzs%2FJNlmjQWb22CzfCgAAAEAAAAJHqj0CVq7VItFCBF7agCC4BAAAAAA==@turktrust.com.tr"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
p.line867, li.line867, div.line867
{mso-style-name:line867;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.line874, li.line874, div.line874
{mso-style-name:line874;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.line862, li.line862, div.line862
{mso-style-name:line862;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Dear
All,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Following
the discussions below this message between Digicert and
Google on the insurance ballot and reading the recent
thoughts of Mozilla today, I would like to express my
concern about the final situation of the insurance
requirement in the EV Guidelines.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">You
will all remember we had ballot on this issue in May 2014,
Ballot 121 below, suggesting a flexible wording for the
insurance requirement where an insurance should be
maintained related to CAs respective performance and
obligations under the EV Guidelines in accordance with the
law of their jurisdiction of incorporation or registration.
This is the common approach for the CAs following the EU
legislation in terms of qualified electronic certificate
services as well. Ballot 121 was supposed to be a
compromising solution among the parties who favored the
existing BR provisions and the other parties who tended to
release the insurance requirements from the EV Guidelines at
all.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Unfortunately,
Ballot 121 had failed as it couldn’t get enough support from
browsers whereas the 2/3 majority of CAs had been obtained.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Afterwards,
what we have been trying to do for the last few months,
finalized through the discussions at the Beijing F2F, is to
find a new and acceptable compromising solution for the
insurance issue. Actually, trying to find a middle way for
the opponents and supporters of an insurance requirement. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">If
we are going to have a totally new ballot for eliminating
the EV insurance requirement at all, fine, let’s do it. Then
if it happens that we still have an insurance requirement
supported by the sufficient majority of the Forum, we may
then vote for a compromising solution like the one we are
trying to propose in the current Ballot 133. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Otherwise,
the current Ballot 133 should be supported, in my opinion,
at least by the browsers and the CAs that supported Ballot
121 as well to build a consensus that will be expected from
the CAB Forum as a consensus based and democratic platform.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">If
not, I’m afraid we will be back to the worst case position
(I may tell after all these discussions) where the existing
EV Guidelines provisions for insurance will remain
unchanged, despite all the browser tendencies to remove the
insurance requirement, and many CAs supporting a change (in
a solid way) to the existing provisions…<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Best
regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="TR">N. Atilla BILER<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="TR">Business Development Manager<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="TR">TURKTRUST Inc.<o:p></o:p></span></b></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="TR"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="TR">Address: Hollanda Cad. 696.Sok. No:7 Yildiz 06550
Cankaya / ANKARA - TURKEY<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="TR">Phone : +90 (312) 439 10 00<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="TR">Mobile : +90 (530) 314 24 05<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="TR">Fax : +90 (312) 439 10 01<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="TR">E-mail : <a moz-do-not-send="true"
href="mailto:atilla.biler@turktrust.com.tr"><span
style="color:#1F497D">atilla.biler@turktrust.com.tr</span></a>
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="TR">Web : <a moz-do-not-send="true"
href="http://www.turktrust.com.tr/"><span
style="color:#1F497D">www.turktrust.com.tr</span></a> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">“<o:p></o:p></span></p>
<p class="MsoNormal"><b>From:</b> <a class="moz-txt-link-abbreviated" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Ben
Wilson<br>
<b>Sent:</b> 8 Mayıs 2014 Perşembe 21:14<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] Ballot 121 - EVGL Insurance
Requirements<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Voting closed
yesterday on Ballot 121.</span><span
style="font-size:11.0pt;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">“Yes” votes
were cast by Buypass, Disig, Firmaprofesional, GlobalSign,
GoDaddy, Izenpe, OpenTrust, SSC, Trend Micro, Turktrust, and
WoSign.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">“No” votes were
cast by Actalis, DigiCert, QuoVadis, Symantec, and Mozilla.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Abstentions
were submitted by StartCom, Visa, and Google. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Therefore,
Ballot 121 failed.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Ben Wilson<br>
<b>Sent:</b> Wednesday, April 23, 2014 6:17 PM<br>
<b>To:</b> <a moz-do-not-send="true"
href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> [cabfpub] Ballot 121 - EVGL Insurance
Requirements<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
<p class="line867" style="margin:0cm;margin-bottom:.0001pt"><strong><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"
lang="EN">Ballot 121 – EVGL Insurance Requirements</span></strong><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"
lang="EN"> <o:p></o:p></span></p>
<p class="line874" style="margin:0cm;margin-bottom:.0001pt"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"
lang="EN"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif""
lang="EN">The EV Guidelines Working Group is considering
updating the EV Guidelines in a number of areas. Kirk Hall
of Trend Micro hereby makes the following motion, and
Moudrick Dadashov from </span><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";border:none
windowtext 1.0pt;padding:0cm">Skaitmeninio sertifikavimo
centras (SSC)</span><span
style="font-size:10.0pt;font-family:"Arial","sans-serif"">
</span><span
style="font-size:10.0pt;font-family:"Arial","sans-serif""
lang="EN">and Richard Wang from WoSign have endorsed it. <o:p></o:p></span></p>
<p class="line862" style="margin:0cm;margin-bottom:.0001pt"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"
lang="EN"><o:p> </o:p></span></p>
<p class="line874" style="margin:0cm;margin-bottom:.0001pt"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif"">This
ballot is to amend the current EV Guidelines (EVGL) Sec. 8.4
requirements as stated below. </span><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"
lang="EN">The reasons in favor of the Ballot are stated
after the proposed amendments.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><u><span
style="font-size:10.0pt;font-family:"Arial","sans-serif"">Motion
begins</span></u><span
style="font-size:10.0pt;font-family:"Arial","sans-serif"">:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif"">Amend
EV Guideline Section 8.4 to read as follows:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"
style="margin-left:36.0pt;text-autospace:none"><b><span
style="font-size:10.0pt;font-family:"Arial","sans-serif"">EV
Guideline Section 8.4 - Insurance<o:p></o:p></span></b></p>
<p class="MsoNormal"
style="margin-left:36.0pt;text-autospace:none"><b><span
style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></b></p>
<p class="MsoNormal"
style="margin-left:36.0pt;text-autospace:none"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif"">Each
CA SHALL maintain <s>the following</s> insurance related to
<s>their</s> <b><u>its</u></b> respective performance and
obligations under these Guidelines <b><u>in accordance with
the the minimum insurance requirements (if any) as are
applicable to the CA under the law of its jurisdiction
of incorporation or registration.</u></b> <s>:<o:p></o:p></s></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"
style="margin-left:72.0pt;text-autospace:none"><s><span
style="font-size:10.0pt;font-family:"Arial","sans-serif"">(A)
Commercial General Liability insurance (occurrence form)
with policy limits of at least two million US dollars in
coverage; and<span style="color:black"><o:p></o:p></span></span></s></p>
<p class="MsoNormal"
style="margin-left:72.0pt;text-autospace:none"><s><span
style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p><span
style="text-decoration:none"> </span></o:p></span></s></p>
<p class="MsoNormal"
style="margin-left:72.0pt;text-autospace:none"><s><span
style="font-size:10.0pt;font-family:"Arial","sans-serif"">(B)
Professional Liability/Errors and Omissions insurance,
with policy limits of at least five million US dollars in
coverage, and including coverage for (i) claims for
damages arising out of an act, error, or omission,
unintentional breach of contract, or neglect in issuing or
maintaining EV Certificates, and (ii) claims for damages
arising out of infringement of the proprietary rights of
any third party (excluding copyright, and trademark
infringement), and invasion of privacy and advertising
injury.<o:p></o:p></span></s></p>
<p class="MsoNormal"
style="margin-left:36.0pt;text-autospace:none"><s><span
style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p><span
style="text-decoration:none"> </span></o:p></span></s></p>
<p class="MsoNormal"
style="margin-left:36.0pt;text-autospace:none"><s><span
style="font-size:10.0pt;font-family:"Arial","sans-serif"">Such
insurance MUST be with a company rated no less than A- as
to Policy Holder’s Rating in the current edition of Best’s
Insurance Guide (or with an association of companies each
of the members of which are so rated).<o:p></o:p></span></s></p>
<p class="MsoNormal"
style="margin-left:36.0pt;text-autospace:none"><s><span
style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p><span
style="text-decoration:none"> </span></o:p></span></s></p>
<p class="MsoNormal" style="margin-left:36.0pt"><s><span
style="font-size:10.0pt;font-family:"Arial","sans-serif"">A
CA MAY self-insure for liabilities that arise from such
party's performance and obligations under these Guidelines
provided that it has at least five hundred million US
dollars in liquid assets based on audited financial
statements in the past twelve months, and a quick ratio
(ratio of liquid assets to current liabilities) of not
less than 1.0.<o:p></o:p></span></s></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="line874" style="margin:0cm;margin-bottom:.0001pt"><u><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"
lang="EN">Motion Ends <o:p></o:p></span></u></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">“<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">
<a class="moz-txt-link-abbreviated" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Ben
Wilson<br>
<b>Sent:</b> 9 Ekim 2014 Perşembe 09:20<br>
<b>To:</b> Ryan Sleevi<br>
<b>Cc:</b> CABFPub<br>
<b>Subject:</b> Re: [cabfpub] Ballot 133 - Insurance
Requirements for EV Issuers<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">A
preexisting relationship isn't necessary for duty,
breach, causation, damages. And the duty doesn't have
to be written in black and white. If some drives
carelessly and causes another car to hit you, they are
liable and you'd better hope they have insurance. <br>
<br>
I think it's clear that this has turned into a debate
over whatever you can come up with to throw at me rather
than an opportunity for me to explain the merits of my
position, so I'm not going to respond.<br>
<br>
Cheers, <br>
Ben<o:p></o:p></span></p>
</div>
</div>
<div>
<div class="MsoNormal" style="text-align:center"
align="center">
<hr align="center" size="2" width="100%"></div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:
</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a
moz-do-not-send="true" href="mailto:sleevi@google.com">Ryan
Sleevi</a></span><br>
<b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Sent:
</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">10/8/2014
11:52 PM</span><br>
<b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">To:
</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a
moz-do-not-send="true"
href="mailto:ben.wilson@digicert.com">Ben Wilson</a></span><br>
<b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Cc:
</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a
moz-do-not-send="true" href="mailto:public@cabforum.org">CABFPub</a>;
<a moz-do-not-send="true" href="mailto:gerv@mozilla.org">Gervase
Markham</a></span><br>
<b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Subject:
</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">RE:
[cabfpub] Ballot 133 - Insurance Requirements for EV
Issuers</span><o:p></o:p></p>
</div>
<div>
<p><br>
On Oct 9, 2014 1:32 AM, "Ben Wilson" <<a
moz-do-not-send="true"
href="mailto:ben.wilson@digicert.com">ben.wilson@digicert.com</a>>
wrote:<br>
><br>
> Any lawyer would challenge the validity of the CP/CPS
disclaimer on the basis of inadequate notice. <br>
><br>
> Everyone in the world who suffers harm caused by the
breach of a duty that a CA was supposed to perform has a
claim. <br>
><br>
> It’s basic tort law – duty, a breach of that duty,
which breach is a cause of measureable harm. <br>
><o:p></o:p></p>
<p>A cursory examination will show you that no provisions
exist for UAs in terms of liability, nor for server
operators, nor for any RP using any modern client unless
configured in such a way as to make the web unusable, which
no client will do.<o:p></o:p></p>
<p>The CA has no relationship with <a moz-do-not-send="true"
href="http://example.com">example.com</a>, only the
Subscriber/Applicant, which may not be <a
moz-do-not-send="true" href="http://example.com">example.com</a>
(in the all to common case of misissuance), so no duty has
been breached.<o:p></o:p></p>
<p>Similarly, establishing any basis of claims for an RP
requires establishing how they were harmed by the failure to
perform. How do quantify a cost for a privacy breach? How is
the RP to demonstrate that their password was compromised?
Or that they even accessed the site via the attackers
control?<o:p></o:p></p>
<p>This isn't hypothetical. You (DigiCert) are a prime example
of disclaiming any warranty unless the RP (the user visiting
a site with a certificate issued by DigiCert) has read your
RP Agreement, as documented at <a moz-do-not-send="true"
href="https://www.digicert.com/ssl-cps-repository.htm">https://www.digicert.com/ssl-cps-repository.htm</a><o:p></o:p></p>
<p>Just reading that policy and any lay person can see Section
3.2 alone disqualifies virtually every RP out there from
making a claim against you. Heck, Section 3.2, (iv) alone
exempts you from any compromises that were not directly part
of a financial transaction.<o:p></o:p></p>
<p>For example, if you misissued a cert for <a
moz-do-not-send="true" href="http://mail.google.com">mail.google.com</a>,
and every single GMail user's password was compromised, and
the attacker then used that to exploit password resets
against (banks, Mint, Amazon, etc), and then ordered
merchandise using you're stored financial information, not a
single one of those users would be entitled to a claim
against DigiCert, based on the RPA they never would have
read anyways.<o:p></o:p></p>
<p>This is precisely why insurance is a silly and unnecessary
thing - because it has enough holes to drive a truck
through, and ignores the most pressing concerns with the CA
ecosystem, all in favor of "cost of doing business"<o:p></o:p></p>
<p>Since the questions I'm asking are going continually
unanswered (and I have tried to rephrase them repeatedly, so
that there is no confusion as to what I am asking or trying
to understand), I don't think I'll have any chance at
understanding your position, not for lack of trying, but
because it hasn't been clearly articulated<o:p></o:p></p>
<p>To save time, I have tried to reduce things down to a yes
or no question:<o:p></o:p></p>
<p>Would Digicert support a ballot that removed the insurance
requirement entirely, as a means of addressing the concerns
over type and quantity of insurance? Yes or No?<o:p></o:p></p>
<p>> <br>
><br>
> From: Ryan Sleevi [mailto:<a moz-do-not-send="true"
href="mailto:sleevi@google.com">sleevi@google.com</a>] <br>
> Sent: Wednesday, October 8, 2014 10:59 PM<br>
><br>
> To: Ben Wilson<br>
> Cc: Gervase Markham; CABFPub<br>
> Subject: RE: [cabfpub] Ballot 133 - Insurance
Requirements for EV Issuers<br>
><br>
> <br>
><br>
> Ben,<br>
><br>
> The question is not "why the ballot", and hasn't been
for some time. You've repeatedly provided ample explanation
why this ballot.<br>
><br>
> The question is "Why insurance at all". The only
meaningful explanation provided yet is to keep CRLs and OCSP
operational, and yet that is demonstrably insufficient
(DigiNotar maintaining OCSP capability would NOT have
protected RPs, even those with hard fail OCSP)<br>
><br>
> As to who, your explanation still ignores my previous
email, which is that the vast majority of CP/CPS effectively
disclaim any such liability in the Web PKI.<br>
><br>
> For sake of simplicity, since we keep ending up in the
weeds, it might be easier if you provided 1-3 examples of "
real world" scenarios you think that insurance should pay
out, and to whom, and then we can figure out how much.<br>
><br>
> For example:<br>
> - If CA 1 misissues a cert for <a
moz-do-not-send="true" href="http://example.com">example.com</a>
because they failed to check DNS, does anyone have a claim?<br>
><br>
> - If CA 2 misissues a cert for <a
moz-do-not-send="true" href="http://example.com">example.com</a>
because they decided that hiring a small plane to write in
the sky "please give Jane a cert for <a
moz-do-not-send="true" href="http://example.com">example.com</a>"
constituted an 'equivalent method' of validating
authorization for a domain, does anyone have a claim?<br>
><br>
> - If CA 3 accidentally revokes a certificate for <a
moz-do-not-send="true" href="http://example.com">example.com</a>
because they thought it was being used to serve malware, but
it wasn't, does anyone have a claim?<br>
><br>
> - If CA 4 misissues a certificate for <a
moz-do-not-send="true" href="http://example.com">example.com</a>,
but then revokes it, and this act gets picked up in the
press as '<a moz-do-not-send="true"
href="http://example.com">example.com</a> gets hacked',
does anyone have a claim?<br>
><br>
> I am providing concrete examples that, save for Jane's
skywriting adventure, very much happen, and the answer to
all of these is "No, no one has any guaranteed chance of a
claim" under the current BRs.<br>
><br>
> Is there _any_ real world situation where the presence
of insurance and the requirements set forth in the BR have
even a chance of a claim?<br>
><br>
> I'm quite aware that you've proposed a set of aggregate
categories and a lengthy discussion of the types of
insurance employed. But frankly, I see nothing that would
actually do anything to improve security in any concrete
form (e.g. as guaranteed by the BRs, the lowest common
denominator for cert issuance)<br>
><br>
> On Oct 9, 2014 12:42 AM, "Ben Wilson" <<a
moz-do-not-send="true"
href="mailto:ben.wilson@digicert.com">ben.wilson@digicert.com</a>>
wrote:<br>
><br>
> Who? Insurance under the ballot primarily protects the
CA when liability is questionable, but it protects anyone
with a covered claim when the CA is negligent. Insurance
proceeds, in the case of liability insurance, are paid to
the injured party. If members all want a more direct path
to compensation without regard to the CA, then a different
ballot would have to propose a bond or surety payable to a
browser, victim compensation fund, or whomever. <br>
><br>
> Why is the current language (liability insurance)
necessary? A CA with $500 million in current assets and a
current asset-to-debt ratio of 1 or greater does not need
insurance. CAs like Symantec, TrendMicro, and Wells Fargo
have those kinds of assets, the rest of us do not. As
explained, the insurance protects the CA with a legal
defense if the case is litigated – that is the duty to
defend part of the policy. However, if the CA is liable for
damages because of negligence, then the insurance pays the
amount of the loss up to the policy limits. It is money
that the CA does not have to pay, and therefore enables the
CA to stay in business and continue providing services. The
alternative is an environment with survival of the
fitness—CAs who fail go out of business and pretty soon no
one trusts CAs—I am strongly opposed to that scenario. <br>
><br>
> <br>
><br>
> From: Ryan Sleevi [mailto:<a moz-do-not-send="true"
href="mailto:sleevi@google.com">sleevi@google.com</a>] <br>
> Sent: Wednesday, October 8, 2014 10:19 PM<br>
> To: Ben Wilson<br>
> Cc: CABFPub; Gervase Markham<br>
> Subject: RE: [cabfpub] Ballot 133 - Insurance
Requirements for EV Issuers<br>
><br>
> <br>
><br>
> If any decision has been made, it's been because of a
lack of convincing evidence, not because there isn't an
honest and genuine desire to understand the issues at play
here.<br>
><br>
> If this ballot fails, then the concerns you and other
members have raised goes unaddressed. That would be
unfortunate, if only because it's always unfortunate when
members concerns are unaddressed. You've provided ample
evidence as to why the current language is a concern, and
why the Forum should attempt to resolve this concern. Trust
me, I'm sold on this.<br>
><br>
> The question is, if not this, then how do we attempt to
resolve those concerns? A ballot to remove the insurance
requirement altogether would meet that requirement, but its
unclear whether or not that would succeed.<br>
><br>
> Your messages suggest you would be opposed to such a
ballot. I am trying to understand why. If this ballot
doesn't succeed because the browsers view insurance as
unnecessary, and I'd a ballot to remove it doesn't succeed
because CAs view it as necessary, then we aren't really
making progress.<br>
><br>
> So please help me understand your position by working
from the core question - why is insurance necessary and who
does it protect?<br>
><br>
> If we can establish that there is any possibility of it
having value, then the natural next questions are "how do we
ensure that value is realized" (e.g. that it is not wholly
disclaimed via an unreasonable CP/CPS) and how much of it is
necessary?<br>
><br>
> But let's not presume that if $10 million of insurance
is bad, $3 million is better. What you're hearing is that
$10 million is bad for multiple reasons, and $3 million is
still bad too.<br>
><br>
> On Oct 9, 2014 12:06 AM, "Ben Wilson" <<a
moz-do-not-send="true"
href="mailto:ben.wilson@digicert.com">ben.wilson@digicert.com</a>>
wrote:<br>
><br>
> You have already made up your mind to oppose this
ballot, so why should I put forth any more effort to try to
convince you?<br>
><br>
> <br>
><br>
> From: Ryan Sleevi [mailto:<a moz-do-not-send="true"
href="mailto:sleevi@google.com">sleevi@google.com</a>] <br>
> Sent: Wednesday, October 8, 2014 10:04 PM<br>
> To: Ben Wilson<br>
> Cc: Gervase Markham; CABFPub<br>
> Subject: RE: [cabfpub] Ballot 133 - Insurance
Requirements for EV Issuers<br>
><br>
> <br>
><br>
><br>
> On Oct 8, 2014 11:56 PM, "Ben Wilson" <<a
moz-do-not-send="true"
href="mailto:ben.wilson@digicert.com">ben.wilson@digicert.com</a>>
wrote:<br>
> ><br>
> > The part you quote me as saying, “to maintain CRL
and OCSP infrastructure,” comes from others who argued for
it back in 2005, so it wasn’t me who said it.<br>
> ><br>
><br>
> It was the only justification you gave for the original
requirements, and which you quoted specifically in the
context of trying to answer why.<br>
><br>
> What I asked of you in the previous message, and which
remains unanswered, is why you feel insurance is meaningful,
since you're ardently defending it here.<br>
><br>
> If you don't feel it is (and that would both surprise
and please me), then we should be removing, not reducing.<br>
><br>
> > Your argument about the current CP/CPS language as
the only situation where insurance comes into play is a
convenient strawman that you put up just to knock down.<br>
> ><br>
> > “Who” can make a claim and ”why” is up to you – I
don’t know why you’re asking me.<br>
><br>
> It's not a straw man, and that isn't an answer.<br>
><br>
> As we discussed in past calls, why is the ballot simply
not to remove it as a requirement - which you've heard two
browsers express support for.<br>
><br>
> I don't care about the why is this language reducing,
because ANY such requirement presumes insurance is valuable.
What I'm asking is why do we even have it.<br>
><br>
> Your previous message said "cost of doing business,"
but failed to express why such a cost existed. The original
justification given - which you quoted - doesn't hold. The
provided explanation "that it protects people", fails to
deal with the very real issue that the set of people it
protects is virtually zero. So it doesn't protect "people"
as an abstract, it protects a near-zero sum population.<br>
><br>
> So why have it? And who should it be for?<br>
><br>
> These aren't straw man arguments - these are key to
establishing why there should be any proposal other than
"remove it".<br>
><br>
> ><br>
> > <br>
> ><br>
> > From: Ryan Sleevi [mailto:<a
moz-do-not-send="true" href="mailto:sleevi@google.com">sleevi@google.com</a>]
<br>
> > Sent: Wednesday, October 8, 2014 9:44 PM<br>
> > To: Ben Wilson<br>
> > Cc: CABFPub; Gervase Markham<br>
> > Subject: RE: [cabfpub] Ballot 133 - Insurance
Requirements for EV Issuers<br>
> ><br>
> > <br>
> ><br>
> > Ben,<br>
> ><br>
> > No investigation into DigiNotar's insurance is
necessary, so I'm shocked you would think it is. The facts
exist that the purpose of insurance, as you stated (to
maintain CRL and OCSP infrastructure) was unnecessary,
because the infrastructure was so thoroughly compromised. NO
amount of insurance can deal with that.<br>
> ><br>
> > As such, browsers have systems in place for such
complete compromise, which is equally sufficient for _less_
complete compromises.<br>
> ><br>
> > I don't see how you can claim it promotes good
security, since its insufficient for dealing with the things
browsers care most about. At best, it seems to be a tool to
try and establish liability - but browser's are clearly
telling CAs that liability exists, insurance or not.<br>
> ><br>
> > I can't see how, in the same message, you can
suggest "For many industries, CAs included, insurance is
just a cost of doing business" and then simultaneously
assert you're not using insurance as a barrier for entry.<br>
> ><br>
> > Let's take a step back. You've talked at extreme
length about the challenges with the current language, the
problems CAs face in obtaining it, etc, but are ignoring the
two extremely pertinent and relevant questions.<br>
> ><br>
> > It is NOT about "what" and "how much" (which you
have devoted great time to), but about "why" and "for who"?
I'm very much challenging your statements about "why" (and
'just because', which is what 'cost of doing business' reads
as, is not a good answer) and "who"<br>
> ><br>
> > Under the current CP/CPS, if someone issues a
fraudulent cert for <a moz-do-not-send="true"
href="http://example.com">example.com</a>, <a
moz-do-not-send="true" href="http://example.com">example.com</a>
can't claim damages. The browser cannot claim damages. Only
the users who visited <a moz-do-not-send="true"
href="http://example.com">example.com</a> can claim
damages, and only if they used an application in a
configuration that does not exist in the real world, save
for some very baroque and unusable conditions. Even if there
was a "why" that made sense, the "who" is, under current
terms, extremely questionable.<br>
> ><br>
> > Let's stop focusing on terminology appendices for
the type of insurance, and focus on first principles. What
reasons, beyond OCSP/CRL serving infrastructure, is it meant
to address, and who, in the real world of applications and
Internet browsers and servers, can make a claim?<br>
> ><br>
> > On Oct 8, 2014 11:29 PM, "Ben Wilson" <<a
moz-do-not-send="true"
href="mailto:ben.wilson@digicert.com">ben.wilson@digicert.com</a>>
wrote:<br>
> ><br>
> > Whether browser security methods, systems, etc.
are good enough remains to be seen in the long term. Citing
Diginotar is insufficient proof of failure for the
insurance-based risk-mitigation method-- unless you have
investigated and can elaborate on all of the facts and
circumstances about the particular insurance coverage,
denial of coverage, etc., and whether appropriate inquiries
for insurance coverage were denied and then challenged for
bad faith denial of coverage. My argument is that insurance
goes hand-in-hand with promoting good security practices,
and along with compliance audits they establish an
integrated risk management strategy. Browsers will do
whatever browsers do, but these three things are within a
CA’s control, and the best place to mitigate risk is always
with those who are in the best position with the ability to
do something about it. <br>
> ><br>
> > <br>
> ><br>
> > Ballot 133 removes the specifics of that type of
liability insurance requirement because some have said it
was too difficult to obtain in areas with emerging
economies—so even if you perceive an insurance requirement
as a mere barrier to entry, that barrier is dropping, and
more because there will only be $3 million in liability
coverage required, although some might argue that $3 million
is not enough. For many industries, CAs included, insurance
is just a cost of doing business, and the new language is
balanced and allows plenty of flexibility, in several
different ways, including an unlimited retention amount.
With CAs I’ve talked to, after a little research with their
broker, they understand better what is available in the
market. I’ve also been told by brokers that pricing for
this type of coverage is very competitive. Members can use
their search engine of preference to look for “technology
e&o” and to see what is available. So, as a practical
matter, I don’t see it as any barrier to entry. I’ve also
uploaded some of my insurance research to the wiki here: <a
moz-do-not-send="true"
href="https://cabforum.org/wiki/Insurance">https://cabforum.org/wiki/Insurance</a>
. I think a thorough reading of this material disproves the
claim that this insurance requirement is of miniscule
benefit. <br>
> ><br>
> > <br>
> ><br>
> > Moreover, this is not a barrier to entry for
entities desiring to become publicly trusted CAs. This is a
requirement of the Extended Validation Guidelines, not the
Baseline Requirements and not browser root programs.
Browsers are free to allow a CA into their trust stores
without any financial ability, responsibility, or insurance
whatsoever--you can still accept them and rely on
browser-based security measures, but Extended Validation
certificates have a known level of quality, which shouldn’t
be devalued or deprecated by encouraging a new race to the
bottom. I am not saying that insurance is the best answer,
but no one has put forward a serious proposal for financial
guarantees, performance bonds, escrow deposits, or other
financial responsibility mechanisms, recently. I think I’ve
shown sufficient reasoning for amending the financial
responsibility / insurance requirement as one way to force
the internalization of risk, and it’s also an established
method used in other areas such as automobile insurance,
commercial products, banking, etc.<br>
> ><br>
> > <br>
> ><br>
> > <br>
> ><br>
> > From: Ryan Sleevi [mailto:<a
moz-do-not-send="true" href="mailto:sleevi@google.com">sleevi@google.com</a>]
<br>
> > Sent: Wednesday, October 8, 2014 3:34 PM<br>
> > To: Ben Wilson<br>
> > Cc: Gervase Markham; CABFPub<br>
> > Subject: Re: [cabfpub] Ballot 133 - Insurance
Requirements for EV Issuers<br>
> ><br>
> > <br>
> ><br>
> > <br>
> ><br>
> > <br>
> ><br>
> > On Tue, Oct 7, 2014 at 6:39 PM, Ben Wilson <<a
moz-do-not-send="true"
href="mailto:ben.wilson@digicert.com">ben.wilson@digicert.com</a>>
wrote:<br>
> ><br>
> > All,<br>
> > Proposed Ballot 133 represents a substantial
reduction in the amount of and a change in the type of
insurance that is needed to be qualified as an issuer of an
EV certificate. This proposal reduces the required coverage
amount to a little over $3 million (counting coverage for
property casualty loss)—less than half of what it is today.
Those arguing against an insurance requirement have
generally centered their arguments on opinions about whether
premiums paid for insurance coverage provide a meaningful
ROI. So not only does this ballot reduce the coverage
amount, but it also fine-tunes the type of coverage required
in order to align better with the types of risks that we
should be concerned about.<br>
> ><br>
> > Those involved during the drafting of the EV
Guidelines should agree that EV Certificates represent the
highest degree of quality for SSL/TLS certificate services
commercially available in contrast to other types of SSL/TLS
certificate services offered. The quality of service for
EV can be gauged in several important aspects, detailed in
the EV Guidelines. Those measures include the degree of
identity verification performed on the domain registrant, CA
quality controls, CA/subscriber warranties, and importantly,
the financial responsibility of a CA. Concerning financial
stability, the EV Guidelines require that a CA stand behind
each EV certificate it issues--to an amount of at least
$2,000 for monetary loss to each Subscriber or Relying
Party. This is one of the reasons that the EV Guidelines
have required an EV-issuing CA to be sufficiently able, not
just to maintain ongoing EV certificate operations and
maintenance, but also to ensure that CA warranties and
representations do not become empty promises.<br>
> ><br>
> > Because requirements were needed to provide
assurances to users that a certain level of recourse would
be available in the event that a CA failed to exercise
reasonable care in approving a certificate application,
financial responsibility was a key requirement for the EV
Guidelines. In 2005 and 2006 we debated amounts required
for insurance. At the time, most CAs felt that $10 million
was the maximum, and we settled on the $5 million and $2
million amounts. Today, $3 million in insurance coverage is
a very reasonable amount for a CA to carry.<br>
> > Since Day 1 of the CA/Browser Forum, insurance has
been an important requirement for EV. Back in May 2005,
GeoTrust proposed that every CA and auditor have a $10
million professional liability / errors and omissions
insurance policy. The minutes of the May 2006 meeting
indicate, “The chief purpose of financial stability
requirements was to avoid the risk of catastrophic financial
collapse and compromise of the roots and inability to
maintain current OCSPs/CRLs.” As I’ve mentioned previously,
throughout 2006 we discussed the need for insurance and the
question was not “if” there was an insurance requirement,
but what it should be. Finally, in August 2006 we settled
on what is currently Section 8.4 (Insurance Requirements)
and decided that the language chosen at that time was the
most efficient way to ensure the financial responsibility of
CAs. The proposed language of Ballot 133 does the same
thing today as what we intended the insurance language to do
back in August 2006—provide a backstop that mitigates the
risk of catastrophic CA failure. <br>
> ><br>
> > <br>
> ><br>
> > And this is where the debate about whether or not
insurance provides any value.<br>
> ><br>
> > <br>
> ><br>
> > If a CA is compromised, through hostile act or
negligence, there are several ways in which the
infrastructure necessary to maintain current OCSPs and CRLs
can be rendered untrustworthy. DigiNotar is a prime example
of this, in which the misissued certificates were not even
known by DigiNotar, because they were not adequately logged.<br>
> ><br>
> > <br>
> ><br>
> > As such, because this risk exists in the system
(and recall that they were indeed audited), Relying Parties
MUST accept that OCSP/CRLs are INSUFFICIENT to deal with the
risk of compromise or collapse.<br>
> ><br>
> > <br>
> ><br>
> > As such, browsers have developed programs to deal
with this out of band. CRLSets. OneCRL. Certificate Distrust
Lists.<br>
> ><br>
> > <br>
> ><br>
> > If such systems are good enough for the
catastrophic failures where the OCSP/CRL system is rendered
unreliable, why are they not good enough for the failures
when the OCSP/CRL system is still viewed as "reliable" (or
at least, in which the signing keys have not been
compromised?)<br>
> ><br>
> > <br>
> ><br>
> > Between the RP agreements in most CP/CPSes, and
the language itself regarding the practices, you've heard
from several browsers that have, under advice, been given
the opinion that such insurance does not provide meaningful
recourse for them.<br>
> ><br>
> > <br>
> ><br>
> > To this end, why does it make sense to enforce a
requirement that is not technically fit for purpose (as
demonstrated by DigiNotar), nor actionable (as advised by
counsel), but which encumbers members?<br>
> ><br>
> > <br>
> ><br>
> > I can certainly understand that some CAs would
prefer a "cost of doing business" be imposed on new
entrants. However, that's of dubious nature.<br>
> ><br>
> > <br>
> ><br>
> > I can certainly understand a desire to prevent
"fly by night" operators. But that's incumbent upon the root
store programs, and you've heard from at least two that
believe this doesn't meaningfully prevent such "fly by
night".<br>
> ><br>
> > <br>
> ><br>
> > So while it's great to understand why the Forum
introduced it, what we do know is that it's failed to meet
the Forum's goals. So why should we pretend it does? Simply
for historic reasons?<br>
> ><br>
> > <br>
> >><br>
> >><br>
> >> Why do we have an EV insurance requirement?
An effective information security risk management program
consists of risk avoidance, risk reduction, risk spreading,
risk transfer, and risk acceptance. There is no such thing
as 100% perfect information security, so risk will remain
with any system, even after applying industry best-practice
controls that aim to avoid, reduce, or spread risk. With
unmitigated risks present in any CA system, the remaining
options are (1) transfer risk or (2) accept risk.
CA/Browser Forum members should still be concerned about an
unjustified acceptance of risk by a “fly-by-night” CA that
simply treats residual risk as its own “risk of doing
business” without regard to the negative consequences to
third parties. Thus, the “transfer of risk” approach has
been adopted with this insurance requirement.
Contemporaneously with the Forum’s adoption of the insurance
provision, an exception was added for any CA that was
essentially self-insured because it had “five hundred
million US dollars in liquid assets” – that was the bar that
was set for CAs choosing strictly the risk-acceptance
approach. (Actually, this provision should have stated
“five hundred million US dollars in current assets” which is
the correct terminology for calculating a quick ration, but
that error also is proposed for correction in this Ballot
133.) CAs who prefer a risk-acceptance approach can still
have a hybrid with the insurance-based “transfer of risk”
approach and “hedge their bets” by increasing the “retention
amount” when negotiating the price of insurance with $3
million coverage. A retention amount is like a
deductible—it is the amount of risk that is retained by the
CA. So, because the EV Guidelines do not limit
risk-retention amounts, there is plenty of flexibility for
any CA in obtaining the coverage required by the proposed
ballot.<br>
> >><br>
> >> Again, insurance goes hand-in-hand with
security controls and the guidelines of the CA/Browser
Forum—by following and being audited to standards, CAs are
in the best position to control risks and because of this,
insurers should be willing to insure the residual risk
because the CA’s loss will be occasioned by chance-- not due
to the carelessness or indifference about maintaining CA
system security.<br>
> >><br>
> >> Ballot 133 is in response to requests of CAs
which have been:<br>
> >> 1- These types of insurance are too
difficult to obtain in my country<br>
> >> 2- Insurance is too expensive<br>
> >> 3- The current insurance requirement does
not cover anticipated incidents<br>
> >><br>
> >> As a result, I have researched insurance and
interviewed insurance company representatives on changes to
the language that would be best, based on the situations
that we face as CAs and Browsers concerned about the utility
and reliability of SSL certificates. The feedback has been
that it is not easy to phrase a global standard because of
the differences in legal systems and insurance environments
around the globe. Conversely, we know that the Internet is
global in reach, and a CA located in one country can affect
the lives of persons globally. Another challenge has been
that if the policy wording is switched from the current
language to something else it will be too difficult to
change policies mid-term. The proposal that offered
transition dates was too confusing, which lead to the
approach taken here, which was to make compliance easier,
although there still might be questions on whether certain
types of coverage or policies meet the proposed
requirement. Also, some CAs have indicated that they are
shopping in the insurance market right now, and they need to
know what coverage will be appropriate. This is another
reason why this ballot should go forward and be voted upon.<br>
> >><br>
> >> As additional background, Commercial General
Liability (CGL) insurance was named in Section 8.4 because
it was a type of insurance well-known in the U.S. that would
cover all common types of insurance that an operating
business would need, and which a CA’s business partners
would expect it to have. It includes property and casualty
losses and public liability coverage for
personal/bodily/physical injuries and/or property damage to
the public for claims arising out of operations. However,
over the last several years court cases have held that it
doesn’t cover certain types of damage to intangibles, unless
the language in the policy is specific that it does. So
even though many CAs will still maintain CGL coverage, it is
no longer worth having as an EV requirement.<br>
> >><br>
> >> Another response to opponents of an insurance
requirement is that for centuries insurance has served as a
global mechanism to re-distribute risk associated with
global commerce. If the right insurance is selected, and if
the CA makes good faith efforts to follow common industry
security practices, it is unlikely that an insurer will deny
coverage, provided that the type of peril is acknowledged in
the insurance policy, which is why Ballot 133 makes clear
that the policy must not exclude coverage when providing
cryptographic, digital signature, or public key
infrastructure services. Insurance companies have over $25
trillion in assets under management; in the case of claims
against a CA with clear liability and catastrophic loss, it
is likely that the insurer would rather tender the policy
limits than defend the case. The argument that the
insurance requirement will not prevent a CA from closing up
shop and disappearing during the night runs contrary to the
good will that a CA intending to stay in operation should
seek to engender. A CA worth its salt will maintain a
certain level of insurance, and third parties relying on the
services of the CA should have assurance that it will.
Also, in the event of bankruptcy, receivership, or whatever,
the insurance will either be an asset of the estate or the
bankruptcy court can abstain and a direct obligation of the
insurer and liability can be established in court, see
Landry v. Exxon Pipeline Co., 260 B.R. 769 (<a
moz-do-not-send="true" href="http://Bkrtcy.M.D.La">Bkrtcy.M.D.La</a>.
2001), or an interpleader/adversary proceeding could take
place as the trustee, judge, or administrator determines how
proceeds are distributed--whether claims are paid pro rata,
on a first-come basis, or for damage mitigation, e.g. to
ensure that the CA “fails gracefully.”<br>
> >><br>
> >> I could go on with my discourse, but I’ll
spare you the trouble … unless anyone wants to consider
additional resources, which I’m happy to provide.<br>
> >><br>
> >> For additional benefit, here is an overview of
some insurance terms:<br>
> >><br>
> >> Property insurance – Covers damage to physical
property<br>
> >><br>
> >> Liability Insurance – Protects against third
party claims, i.e., payment is not typically made to the
insured, but rather to someone suffering loss who is not a
party to the insurance contract and it usually does not
cover damage caused intentionally or agreed to by contract
(the latter requires contractual liability insurance)<br>
> >><br>
> >> Casualty insurance -- Covers injuries
resulting solely from an inevitable accident and not from
negligence, something that cannot be foreseen or guarded
against.<br>
> >><br>
> >> Commercial General Liability insurance –
“covers bodily injury and property damage arising out of
premises, operations, products, and completed operations;
and advertising and personal injury liability” (evolved from
“general liability” and “corporate general liability” forms
and is what has been common in the United States for most
businesses for the past 30+ years).<br>
> >><br>
> >> Technology E&O insurance - covers both
liability and property loss exposures . Liability part
covers losses resulting from: (a) technology services, (b)
technology products, (c) media content, and (d) network
security breaches. Property part covers damage mitigation
related to extortion threats, crisis management expenses,
and business interruption.<br>
> >><br>
> >><br>
> >> -----Original Message-----<br>
> >> From: Gervase Markham [mailto:<a
moz-do-not-send="true" href="mailto:gerv@mozilla.org">gerv@mozilla.org</a>]<br>
> >> Sent: Friday, October 3, 2014 4:07 AM<br>
> >> To: Ryan Sleevi; Ben Wilson<br>
> >> Cc: CABFPub<br>
> >><br>
> >> Subject: Re: [cabfpub] Ballot 133 - Insurance
Requirements for EV Issuers<br>
> >><br>
> >> On 02/10/14 20:47, Ryan Sleevi wrote:<br>
> >> > It's likely we'd abstain from such a
ballot as presented, or support<br>
> >> > such a ballot that removed the
requirement.<br>
> >><br>
> >> This is likely to be our position also. /Pace/
Ben, but we maintain based on legal advice that this
particular insurance requirement (not the concept of
insurance in general!) is extremely unlikely to lead to
practical benefit for anyone. Its presence either has no
effect (if CAs are required to have the insurances already
by other bodies) or leads to increased and unnecessary costs
for CAs (if they are not).<br>
> >><br>
> >> Gerv<br>
> ><br>
> > <o:p></o:p></p>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
</body>
</html>