<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Calibri">I concur with Robin.<br>
<br>
Regards<br>
Adriano<br>
<br>
<br>
</font>
<div class="moz-cite-prefix">On 03/12/2014 19:24, Robin Alden
wrote:<br>
</div>
<blockquote cite="mid:169c01d00f26$713e0c10$53ba2430$@comodo.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
think Gerv is entitled to have his ballot on insurance run
in isolation if that’s the way he wants it, but I see the
existing insurance requirements as a pragmatic safeguard to
ensure that a CA is well run and that it is a going concern
which is likely to be about long enough to manage the
lifecycle of the certificates it issues through to their
expiry (or later, for code-signing).<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
think Gerv has stuck his neck out with his ballot which
really does crystalize down to the issue of whether or not
you consider the insurance requirement to be a ‘pointless
barrier to entry’.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
don’t consider the insurance requirement to be a ‘pointless
barrier to entry’.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
can see that the insurance requirement has a positive effect
of protecting the operation of a CA in a financial way from
a number of events that could befall it.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">That
protection filters through as a benefit to the subscribers
and relying parties because they don’t have to deal with a
CA dropping off its perch because it finds itself unable to
replace a fire-damaged server rack or unable to meet a
financial claim made against it.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">If
you are running a CA you are required to have policies and
procedures for business continuity and having insurance of
some sort in there is low-hanging fruit for that aspect of
running any business.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Could
that protection be better? – Quite probably.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Is
there something better than insurance that could provide
some guarantee of a CA being able to continue to operate and
to continue to provide service to its subscribers and
relying parties? – Quite possibly.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">But
a ballot to rip out insurance and replace it with nothing
seems like a poor option to me compared with a ballot to
replace an insurance requirement which some CAs find
expensive and inconvenient with another measure or set of
measures that might provide better protection or even
provide the same protection at less cost or effort.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">If
you’re going to run a CA you will be running a business
which has costs and liabilities and should be able to bear
the financial responsibility and be able to handle the
associated risks which might otherwise cause you to fail to
meet the practical standards required to continue in
operation. That holds true even if you choose not to charge
for the provision of end entity certificates.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Regards<br>
Robin<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm
0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US"> <a class="moz-txt-link-abbreviated" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of
</b>Moudrick M. Dadashov<br>
<b>Sent:</b> 03 December 2014 17:46<br>
<b>To:</b> Ryan Sleevi; Jeremy Rowley<br>
<b>Cc:</b> CABFPub<br>
<b>Subject:</b> Re: [cabfpub] Ballot 142 - Elimination
of EV Insurance Requirement<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">I fully agree with Ryan, we should move
on with Gerv's proposal (ballot 142). Indeed, elimination
of insurance is a separate issue.<br>
<br>
That said, I also support Kirk's efforts on financial
stability, possibly business continuity and cancellation
provisions. <br>
<br>
<span style="color:windowtext">In addition to the ballot
141, I'm working with Kirk on financial responsibility,
including making arrangements to continue its CRLs and
OCSP responders and its vetting records for certificates
issued, after the CA terminates its operations.</span><br>
<br>
Thanks,<br>
M.D.<br>
<br>
On 12/3/2014 4:48 PM, Ryan Sleevi wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Thanks for pointing this out Jeremy.
Looks like my calendar got confused by the invites sent
to the management list. <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">In that case, it's less clear to me
where we are at with this discussion. Kirk has
suggested twice we delay this discussion until
Thursday, but if our calls are not this Thursday,
then such a delay seems unnecessary.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">For an issue that has been
presented as causing ongoing pain for CAs (c.f. <a
moz-do-not-send="true"
href="https://cabforum.org/pipermail/public/2014-October/004148.html">https://cabforum.org/pipermail/public/2014-October/004148.html</a>
), and that we should vote to make SOME progress on
it, I feel like delaying up to another month (a week
for a call, up to a week for any ballot modifications,
a week for review, and a week for voting) would be
unwise.<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Wed, Dec 3, 2014 at 2:38 PM,
Jeremy Rowley &lt;<a moz-do-not-send="true"
href="mailto:jeremy.rowley@digicert.com"
target="_blank">jeremy.rowley@digicert.com</a>&gt;
wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US">Just to clarify - this week is
not the CAB Forum call – it’s the working
group calls. Next week is the Forum call.</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><a
moz-do-not-send="true"
name="14a10968aa8458a0__MailEndCompose"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US"> </span></a><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US"> <a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org"
target="_blank">public-bounces@cabforum.org</a>
[mailto:<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org"
target="_blank">public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Ryan Sleevi<br>
<b>Sent:</b> Wednesday, December 3, 2014
7:25 AM<br>
<b>To:</b> <a moz-do-not-send="true"
href="mailto:kirk_hall@trendmicro.com"
target="_blank">kirk_hall@trendmicro.com</a><br>
<b>Cc:</b> CABFPub<br>
<b>Subject:</b> Re: [cabfpub] Ballot 142 -
Elimination of EV Insurance Requirement</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">On Wed, Dec 3, 2014 at
2:44 AM, <a moz-do-not-send="true"
href="mailto:kirk_hall@trendmicro.com"
target="_blank">kirk_hall@trendmicro.com</a>
&lt;<a moz-do-not-send="true"
href="mailto:kirk_hall@trendmicro.com"
target="_blank">kirk_hall@trendmicro.com</a>&gt;
wrote:<o:p></o:p></span></p>
<div>
<div>
<blockquote
style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0cm 0cm 0cm
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<div>
<p><span lang="EN-US">So it
looks like there were hurt
feelings on both parts – I
was unhappy that Mozilla
would not honor my request
for time to post my ballot
on the issue (which covered
both insurance and new
financial responsibility
requirements, which are
linked in my mind, as
previously explained), and
Gerv was unhappy that I
would not post his ballot
for him upon request.
(Others could have posted
the ballot for Gerv as
well.)<o:p></o:p></span></p>
<p><span lang="EN-US"> <o:p></o:p></span></p>
<p><span lang="EN-US">To move
past that, I’ll <u>remove</u>
Section 1 of my Ballot
(relating to elimination of
the EV insurance
requirement) so Gerv’s
ballot will be the exclusive
one on that topic. Both
ballots can proceed
together, but I would urge
members to vote yes on both,
as we are removing one
intended financial
responsibility safeguard (EV
insurance, which we have
come to see is not very
effective) and should
substitute another more
valuable financial
responsibility safeguard
(limiting a CA’s ability to
disclaim all liability for
its mis-issued certs that
cause damage to subscribers
and the public). <o:p></o:p></span></p>
<p><span lang="EN-US"> <o:p></o:p></span></p>
<p><span lang="EN-US">The new
requirement in Ballot
certainly is not a
"pointless barrier to entry"
as suggested below, but a
very valuable safeguard to
the public that will help
reinforce the value of
public CAs over self-signed
certs and should be a
no-brainer for browsers --
it clearly protects their
users from CA errors -- and
very valuable for CAs as
well to establish their
worth. <o:p></o:p></span></p>
<p><span lang="EN-US"> <o:p></o:p></span></p>
<p><span lang="EN-US">I'll be
happy to discuss this
further on our call Thursday
and on this list.<o:p></o:p></span></p>
<p><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">Regrettably, I
won't be able to make this
Thursday's call. I think the way
these ballots have been handled
is deeply unfortunate, and I'm
disappointed that I won't be
able to make the discussion on
how we avoid these sorts of
situations of competing
interests in the future.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">To the ballots at
hand, it should come as no
surprise that we share Gerv's
concerns that this is, indeed, a
"pointless barrier to entry" as
it has been called. We do not
believe it will provide any
meaningful protection for our
users - or indeed, for ANY users
- from CA errors, as Kirk has
suggested, and that's a point
we've repeatedly expressed and
discussed in the past, on the
list and on the calls.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">As I'll be unable
to make and discuss these points
further - although I think at
this point it's clear that the
discussion on adding liabilities
is not meaningfully or
productively making progress -
I'd like to request that
whoever is taking minutes
take detailed minutes so that
the discussion can be reviewed
following the call.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">Cheers,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="EN-US">Ryan<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Public mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:Public@cabforum.org">Public@cabforum.org</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<i><span style="font-family: Serif">Adriano Santoni</span></i>
</div>
</body>
</html>