<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New","serif";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";
color:black;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I think Gerv is entitled to have his ballot on insurance run in isolation if that’s the way he wants it, but I see the existing insurance requirements as a pragmatic safeguard to ensure that a CA is well run and that it is a going concern which is likely to be about long enough to manage the lifecycle of the certificates it issues through to their expiry (or later, for code-signing).<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I think Gerv has stuck his neck out with his ballot which really does crystalize down to the issue of whether or not you consider the insurance requirement to be a ‘pointless barrier to entry’.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I don’t consider the insurance requirement to be a ‘pointless barrier to entry’.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I can see that the insurance requirement has a positive effect of protecting the operation of a CA in a financial way from a number of events that could befall it.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>That protection filters through as a benefit to the subscribers and relying parties because they don’t have to deal with a CA dropping off its perch because it finds itself unable to replace a fire-damaged server rack or unable to meet a financial claim made against it.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>If you are running a CA you are required to have policies and procedures for business continuity and having insurance of some sort in there is low-hanging fruit for that aspect of running any business.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Could that protection be better? – Quite probably.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Is there something better than insurance that could provide some guarantee of a CA being able to continue to operate and to continue to provide service to its subscribers and relying parties? – Quite possibly.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>But a ballot to rip out insurance and replace it with nothing seems like a poor option to me compared with a ballot to replace an insurance requirement which some CAs find expensive and inconvenient with another measures or set of measures that might provide better protection or even provide the same protection at less cost or effort.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>If you’re going to run a CA you will be running a business which has costs and liabilities and should be able to bear the financial responsibility and be able to handle the associated risks which might otherwise cause you to fail to meet the practical standards required to continue in operation. That holds true even if you choose not to charge for the provision of end entity certificates.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Regards<br>Robin<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Moudrick M. Dadashov<br><b>Sent:</b> 03 December 2014 17:46<br><b>To:</b> Ryan Sleevi; Jeremy Rowley<br><b>Cc:</b> CABFPub<br><b>Subject:</b> Re: [cabfpub] Ballot 142 - Elimination of EV Insurance Requirement<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>I fully agree with Ryan, we should move on with Gerv's proposal (ballot 142). Indeed, elimination of insurance is a separate issue.<br><br>That said, I also support Kirk's efforts on financial stability, possibly business continuity and cancellation provisions. <br><br><span style='color:windowtext'>In addition to the ballot 141, I'm working with Kirk on financial responsibility, including making arrangements to continue its CRLs and OCSP responders and its vetting records for certificates issued, after the CA terminates its operations.</span><br><br>Thanks,<br>M.D.<br><br>On 12/3/2014 4:48 PM, Ryan Sleevi wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>Thanks for pointing this out Jeremy. Looks like my calendar got confused by the invites sent to the management list. <o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>In that case, it's less clear to me where we are at with this discussion. Kirk has suggested twice we delay this discussion until Thursday, but if our calls are not this Thursday, t hen such a delay seems unnecessary.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>For an issue that has been presented as causing ongoing pain for CAs (c.f. <a href="https://cabforum.org/pipermail/public/2014-October/004148.html">https://cabforum.org/pipermail/public/2014-October/004148.html</a> ), and that we should vote to make SOME progress on it, I feel like delaying up to another month (a week for a call, up to a week for any ballot modifications, a week for review, and a week for voting) would be unwise.<o:p></o:p></p></div><div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Wed, Dec 3, 2014 at 2:38 PM, Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Just to clarify - this week is not the CAB Forum call – it’s the working group calls. Next week is the Forum call.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a name="14a10968aa8458a0__MailEndCompose"><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span></a><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> <a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a> [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Ryan Sleevi<br><b>Sent:</b> Wednesday, December 3, 2014 7:25 AM<br><b>To:</b> <a href="mailto:kirk_hall@trendmicro.com" target="_blank">kirk_hall@trendmicro.com</a><br><b>Cc:</b> CABFPub<br><b>Subject:</b> Re: [cabfpub] Ballot 142 - Elimination of EV Insurance Requirement</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>On Wed, Dec 3, 2014 at 2:44 AM, <a href="mailto:kirk_hall@trendmicro.com" target="_blank">kirk_hall@trendmicro.com</a> <<a href="mailto:kirk_hall@trendmicro.com" target="_blank">kirk_hall@trendmicro.com</a>> wrote:<o:p></o:p></span></p><div><div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><div><p><span lang=EN-US>So it looks like there were hurt feelings on both parts – I was unhappy that Mozilla would not honor my request for time to post my ballot on the issue (which covered both insurance and new financial responsibility requirements, which are linked in my mind, as previously explained), and Gerv was unhappy that I would not post his ballot for him upon request. (Others could have posted the ballot for Gerv as well.)<o:p></o:p></span></p><p><span lang=EN-US> <o:p></o:p></span></p><p><span lang=EN-US>To move past that, I’ll <u>remove</u> Section 1 of my Ballot (relating to elimination of the EV insurance requirement) so Gerv’s ballot will be the exclusive one on that topic. Both ballots can proceed together, but I would urge members to vote yes on both, as we are removing one intended financial responsibility safeguard (EV insurance, which we have come to see is not very effective) and should substitute another more valuable financial responsibility safeguard (limiting a CA’s ability to disclaim all liability for its mis-issued certs that cause damage to subscribers and the public). <o:p></o:p></span></p><p><span lang=EN-US> <o:p></o:p></span></p><p><span lang=EN-US>The new requirement in Ballot certainly is not a "pointless barrier to entry" as suggested below, but a very valuable safeguard to the public that will help reinforce the value of public CAs over self-signed certs and should be a no-brainer for browsers -- it clearly protects their users from CA errors -- and very valuable for CAs as well to establish their worth. <o:p></o:p></span></p><p><span lang=EN-US> <o:p></o:p></span></p><p><span lang=EN-US>I'll be happy to discuss this further on our call Thursday and on this list.<o:p></o:p></span></p><p><span lang=EN-US> <o:p></o:p></span></p></div></div></blockquote><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>Regrettably, I won't be able to make this Thursday's call. I think the way these ballots have been handled is deeply unfortunate, and I'm disappointed that I won't be able to make the discussion on how we to avoid these sort of situations of competing interests in the future.<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>To the ballots at hand, it should come as no surprise that we share Gerv's concerns that this is, indeed, a "pointless barrier to entry" as it has been called. We do not believe it will provide any meaningful protection for our users - or indeed, for ANY users - from CA errors, as Kirk has suggested, and that's a point we've repeatedly expressed and discussed in the past, on the list and on the calls.<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>As I'll be unable to make and discuss these points further - although I think at this point it's clear that the discussion on adding liabilities is not meaningfully or productively making progress - I'd like to request that whomever is taking minutes to take detailed minutes so that the discussion can be reviewed following the call.<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>Cheers,<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>Ryan<o:p></o:p></span></p></div></div></div></div></div></div></div></div></div><p class=MsoNormal><o:p> </o:p></p></div></div></div><p class=MsoNormal><br><br><br><o:p></o:p></p><pre>_______________________________________________<o:p></o:p></pre><pre>Public mailing list<o:p></o:p></pre><pre><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><o:p></o:p></pre><pre><a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></pre></blockquote><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>