<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
line-height:normal;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
margin-bottom:.1in;
margin-left:0in;
line-height:120%;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
line-height:normal;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.line867, li.line867, div.line867
{mso-style-name:line867;
mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
line-height:normal;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.line874, li.line874, div.line874
{mso-style-name:line874;
mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
line-height:normal;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.line862, li.line862, div.line862
{mso-style-name:line862;
mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
line-height:normal;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.u
{mso-style-name:u;}
span.strike
{mso-style-name:strike;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle26
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1423406610;
mso-list-type:hybrid;
mso-list-template-ids:-1409662186 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Trend Micro votes no. Here are the reasons why:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Insurance is not designed to protect the public (i.e., customers and relying parties), but is only designed to protect the insured – the CA. If the insurer can protect a bad or negligent CA by defeating all claims from customers
and relying parties from a breach and paying nothing to them, it will. Based on the incomplete information we have, it appears a court in The Netherlands allowed Diginotar to deny coverage on its insurance and not pay claims.<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>The ballot is very specific as to what insurance must be obtained. Cyber insurance, etc. keeps changing, so the requirements of this ballot could soon be out of date and the required insurance could be unobtainable at any time
in the future.<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>The insurance is probably not obtainable in some non-US jurisdictions.<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>The price could be prohibitively high, which could drive some CAs from the business.<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Most important, if we adopt this ballot, all of us (CAs and browsers) will be delegating to insurance companies the decision of which CAs get to issue EV certs, and which do not. A CA that can’t get the specific insurance required
under this ballot will have to stop issuing EV certs, even though the CA has passed all audits and complies with all rules.<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Don Sheehy, our WebTrust representative, has said the insurance requirements of this ballot are “unauditable”.<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>This ballot creates a new and significant barrier to entry for new CAs (including non-US CAs), which is not a proper reason for adding a requirement to the EV Guidelines.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><u>Previous Ballot 121</u></b> was part of our effort to clean up the EV Guidelines, and would have eliminated the current insurance requirements under EVGL Sec. 8.4 and instead require only that CAs maintain whatever insurance is required
(if any) by their jurisdiction of incorporation. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ballot 121 was <u>approved</u> by CAs by a vote of 11-4, but failed among browsers by a vote of 0-1 (only Mozilla voted among the browsers, and it voted no). Gerv then checked with Mozilla lawyers who said the current insurance requirements
were useless, and said he will vote yes if I bring back the ballot – which I will do after this ballot is completed.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The CAs who voted yes on the previous Ballot 121 to <u>eliminate</u> the insurance requirement were Buypass, Disig, Firmaprofesional, <span style="border:none windowtext 1.0pt;padding:0in">GlobalSign</span>, <span style="border:none windowtext 1.0pt;padding:0in">GoDaddy</span>,
Izenpe, <span style="border:none windowtext 1.0pt;padding:0in">OpenTrust</span>, SSC, Trend Micro, Turktrust, and <span style="border:none windowtext 1.0pt;padding:0in">WoSign</span>.<o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>Ben Wilson<br>
<b>Sent:</b> Wednesday, October 08, 2014 9:08 AM<br>
<b>To:</b> CABFPub<br>
<b>Subject:</b> [cabfpub] Ballot 133 - Insurance Requirements for EV Issuers<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="line867"><strong>Ballot 133 - Insurance Requirements for EV Issuers</strong>
<o:p></o:p></p>
<p class="line874">The following motion has been proposed by Ben Wilson of Digicert and endorsed by Atilla Biler of Turktrust and Dean Coclin of Symantec.<b><span style="color:#1F497D"><o:p></o:p></span></b></p>
<p class="line874"><b>Purpose <o:p></o:p></b></p>
<p class="line874">The purpose of this ballot is to simplify the insurance requirements in section 8.4 of the EV Guidelines by replacing commercial general liability in (A) with an ordinary property casualty insurance requirement and to simplify third party
liability coverage in (B) and reduce the required amount of that coverage down to $3 million. This should make it easier for CAs to obtain insurance required by the EV Guidelines.
<o:p></o:p></p>
<p class="line874"><b>-- MOTION BEGINS -- <o:p></o:p></b></p>
<p class="line874">1. Amend the second paragraph of Section 8.1 as follows: <o:p>
</o:p></p>
<p class="line862">If a court or government body with jurisdiction over the activities covered by these Guidelines determines that the performance of any mandatory requirement is illegal
<span class="u"><u>or would conflict with local law</u></span>, then such requirement is considered reformed to the minimum extent necessary to make the requirement valid and legal. This applies only to operations<span class="u">,</span>
<span class="strike"><s>or</s></span><s> </s>certificate issuances, <span class="u">
<u>or insurance requirements</u></span><u> </u>that are subject to the laws of that jurisdiction. The parties involved SHALL notify the CA / Browser Forum of the facts, circumstances, and law(s) involved, so that the CA/Browser Forum may revise these Guidelines
accordingly. <o:p></o:p></p>
<p class="line874">2. Amend Section 8.4 as follows:<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:5.75pt;margin-right:2.2in;margin-bottom:4.3pt;margin-left:0in;text-align:justify">
<a name="_Ref232572161"></a><a name="_Ref232572179"></a><a name="_Ref232573627"></a><a name="_Toc378600287"></a><b><span style="font-size:14.0pt;font-family:"Times New Roman","serif"">8.4. Insurance
<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-right:2.2in;margin-bottom:12.25pt">
<span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Each CA SHALL maintain the following insurance related to
<s>their</s> <u>its </u>respective performance and obligations under these Guidelines:<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-right:2.2in;margin-bottom:12.25pt;margin-left:.5in;text-indent:-.25in">
<u><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">(A) Property insurance for casualty/perils of fire, water, electrical failure, and natural disaster in sufficient amount to cover damage or loss to physical assets used to issue and maintain
EV Certificates</span></u><s><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">,</span></s><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<s>Commercial General Liability insurance (occurrence form) with policy limits of at least two million US dollars in coverage</s>; and<s>
<o:p></o:p></s></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-right:2.2in;margin-bottom:12.25pt;margin-left:.5in;text-indent:-.25in">
<span style="font-size:12.0pt;font-family:"Times New Roman","serif"">(B) <s>Professional</s> Liability<s>, Errors and Omissions</s> insurance, with policy limits of at least
<s>five</s> <u>three </u>million US dollars in coverage<u>, per claim and in the aggregate</u>,
<s>and including coverage</s> for <s>(i) claims for</s> <u>direct </u>damages arising out of a<s>n</s>
<u>negligent</u> act, error, or omission, <s>unintentional breach of contract, or neglect</s> in issuing or maintaining EV Certificates<s>, and (ii) claims for damages arising out of infringement of the proprietary rights of any third party (excluding copyright,
and trademark infringement), and invasion of privacy and advertising injury</s>.<o:p></o:p></span></p>
<p style="mso-margin-top-alt:5.0pt;margin-right:2.2in;margin-bottom:12.25pt;margin-left:.5in;line-height:normal">
<u>(1)</u> Such insurance<u> MUST NOT exclude coverage when providing cryptographic, digital signature, or public key infrastructure services;
<o:p></o:p></u></p>
<p style="mso-margin-top-alt:5.0pt;margin-right:2.2in;margin-bottom:12.25pt;margin-left:.5in;line-height:normal">
<u>and<o:p></o:p></u></p>
<p style="mso-margin-top-alt:5.0pt;margin-right:2.2in;margin-bottom:12.25pt;margin-left:.5in;line-height:normal">
<u>(2) Such insurance </u><span style="text-transform:uppercase">must</span>:<o:p></o:p></p>
<p style="mso-margin-top-alt:5.0pt;margin-right:2.2in;margin-bottom:12.25pt;margin-left:.5in;line-height:normal">
<u>(i) be maintained for all periods during which an EV Certificate issued by the CA is still valid (and if coverage is canceled or not renewed, the CA shall purchase an extended reporting period for such periods);<o:p></o:p></u></p>
<p style="mso-margin-top-alt:5.0pt;margin-right:2.2in;margin-bottom:12.25pt;margin-left:.5in;line-height:normal">
<u>(ii) include coverage for those territories where the CA provides EV Certificates; and<o:p></o:p></u></p>
<p style="mso-margin-top-alt:5.0pt;margin-right:2.2in;margin-bottom:12.25pt;margin-left:.5in;line-height:normal">
<u>(iii)</u> be with a company rated <u>good or better by Standard & Poor's, A.M.</u>
<s>no less than A- as to Policy Holder’s Rating in the current edition of</s> Best<s>'s Insurance Guide</s><u>, Fitch, Moody's, DBRS, Japan Credit Rating Agency, Creditreform, Scope Ratings, or another similarly recognized insurance rating agency
</u><s>(or with an association of companies each of the members of which are so rated)</s>.<o:p></o:p></p>
<p style="mso-margin-top-alt:5.0pt;margin-right:2.2in;margin-bottom:12.25pt;margin-left:.5in;line-height:normal">
<u>If available at reasonable cost, a CA SHOULD maintain coverage for damage or loss to data, software, systems, and for business interruption due to IT security failure, malware, network attack, criminal hacker, or theft.
<o:p></o:p></u></p>
<p style="mso-margin-top-alt:5.0pt;margin-right:2.2in;margin-bottom:12.25pt;margin-left:.5in;line-height:normal">
A CA MAY self-insure for liabilities that arise from such party's performance and obligations under these Guidelines provided that it has at least five hundred million US dollars in
<s>liquid</s> <u>current </u>assets based on audited financial statements in the past twelve months, and a quick ratio (ratio of
<s>liquid</s> <u>current</u> assets to current liabilities) of not less than 1.0.
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">-- MOTION ENDS --
<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">The review period for this ballot shall commence at 2200 UTC on Wednesday, 8 October 2014, and will close at
2200 UTC on Wednesday, 15 October 2014. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on Wednesday, 22 October 2014. Votes must be cast by posting an on-list reply to
this thread. <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear
'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting
members are listed here: <a href="https://cabforum.org/members/">https://cabforum.org/members/</a>
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and
greater than 50% of the votes cast by members in the browser category must be in favor. Quorum is currently nine (9) members– at least nine members must participate in the ballot, either by voting in favor, voting against, or abstaining.
<o:p></o:p></span></p>
</div>
</body>
</html>
<table><tr><td bgcolor=#ffffff><font color=#000000><pre><table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table></pre></font></td></tr></table>