<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;}
@font-face
{font-family:"MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Bradley Hand ITC";
panose-1:3 7 4 2 5 3 2 3 2 3;}
@font-face
{font-family:"\@MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:10.0pt;
margin-left:.5in;
mso-add-space:auto;
line-height:115%;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
line-height:115%;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
line-height:115%;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:10.0pt;
margin-left:.5in;
mso-add-space:auto;
line-height:115%;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:788888979;
mso-list-type:hybrid;
mso-list-template-ids:-1706781028 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">In our Forum call last week I raised the issue of possible new Financial Responsibility requirements for CAs as a substitute for the existing EV insurance requirements (which most people have concluded do not really help the Forum reach
any meaningful goals that relate to SSL and internet security).<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I mentioned two ideas of my own for new financial responsibility requirements, and asked those on the call for their preliminary reactions, plus any ideas they might have for other financial responsibility ideas. Ben Wilson had some feedback,
but no one else spoke on the call so I promised to post the two ideas to the Public list for further discussion. If there is support, we can move later to a pre-ballot with specifics.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I will post each idea separately so we can have separate discussions.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><u>First Idea – Minimum Capital Requirements<o:p></o:p></u></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The first idea is to establish new CA financial responsibility requirements in the Baseline Requirements for some sort of minimum capital requirements. Here are my two main reasons for seeking minimum capital requirements:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">1. It would help a CA respond to a serious security breach or emergency infrastructure problem – ready cash and net capital is always important to deal quickly with a serious problem.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">2. If the CA decides to exit the certificate business, it could help the CA continue the required revocation checking services (CRLs, OCSP responses), archives, etc.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal">In my mind, any minimum capital requirement we come up with should satisfy at least three goals:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraphCxSpFirst" style="margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>It should be reasonable and not punitive or prohibitive for small or new CAs,<o:p></o:p></p>
<p class="MsoListParagraphCxSpMiddle" style="margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>It should scale according to the level of activity for a CA, and<o:p></o:p></p>
<p class="MsoListParagraphCxSpLast" style="margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.25in;line-height:normal;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>It should use existing financial terms and measurements if possible so no CA or auditor has to do extra or complicated calculations to see whether or not the CA is in compliance.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I believe the minimum capital requirements should look at three elements: (1) total liquid assets (cash and cash-like assets), (2) the CA’s so-called “quick ratio”, which is a measurement of how much cash and cash-like assets the CA has
compared to its short term liabilities (so the quick ratio is a measure of how easily the CA can access its cash to deal with an emergency without being unable to pay current debts), and (3) net retained earnings (owner’s equity), which is a measurement of
how much capital a CA has after all its short and long term liabilities are subtracted from all its assets. These are common financial accounting concepts.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The CA/Browser Forum already uses these same capital tests in a different context, and we can recycle existing language if we choose. As you know, EVGL 8.4 currently requires two kinds of insurance, but allows larger CAs not to carry
insurance if they meet the following minimum capital tests:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><i><u>Current EVGL 8.4</u></i> *** A CA MAY self-insure for liabilities that arise from such party's performance and obligations under these Guidelines provided that:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:1.0in;text-autospace:none">[1] It has at least five hundred million US dollars in
<u>liquid assets</u> based on audited financial statements in the past twelve months, and
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in;text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:1.0in;text-autospace:none">[2] It has a <u>
quick ratio</u> (ratio of liquid assets to current liabilities) <u>of not less than 1.0</u>.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in;text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">So here is a possible new Financial Responsibility Baseline Requirement we can consider (we need to decide what amounts to put in the blanks below):<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><b>[<i>New</i>] Baseline Requirements Section X.X – Financial Responsibility<o:p></o:p></b></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none">A CA must meet the following minimum financial responsibility tests:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none">(a) Liquid Assets (i.e., cash plus
<span style="color:#111111;background:white">assets that can be converted into cash quickly and with minimal impact to the price received)
</span>equal to or exceeding <u>$X</u> per certificate for the number of issued certificates outstanding , but not less than
<u>$Y</u>; <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none">(b) A quick ratio (ratio of liquid assets to current liabilities) of not less than
<u>x.x</u>; and<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none">(c) Retained Earnings (Owner’s Equity) of
<u>$A</u> per certificate for the number of issued certificates outstanding during the CA’s previous annual audit period, but not less than
<u>$B</u>. <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none">These tests will be confirmed by the CAs WebTrust or ETSI auditor [Alternative 1: as of the last day of each calendar month during the audit period] <or> [Alternative 2: as of the last day of
each calendar quarter during the audit year] <or>[Alternative 3: as of the last day of the audit year]. The auditor shall rely on the CA’s audited financial statements if available; otherwise the auditor may rely on the CA’s unaudited financial statements
that are verified in writing as accurate by the CA’s CEO or equivalent officer. This requirement shall not apply to government CAs.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">If we like this structure for a new Financial Responsibility BR, the question will be – what numbers should we use for X, Y, Z, A, and B above?<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">I have asked WebTrust auditor Don Sheehy to think about this issue, and each CA should consult its own financial department for comments and input.<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">Any preliminary reaction?<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">I will post my second idea in a separate email.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><i><span style="font-size:14.0pt;font-family:"Bradley Hand ITC";color:#0F243E">Kirk R. Hall<o:p></o:p></span></i></b></p>
<p class="MsoNormal">Operations Director, Trust Services<o:p></o:p></p>
<p class="MsoNormal">Trend Micro<o:p></o:p></p>
<p class="MsoNormal">+1.503.753.3088<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>
<table><tr><td bgcolor=#ffffff><font color=#000000><pre><table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table></pre></font></td></tr></table>