<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">On Dec 18, 2014, at 6:50 PM, Ryan Sleevi <<a href="mailto:sleevi@google.com">sleevi@google.com</a>> wrote:<br><div><blockquote type="cite"><p dir="ltr">Isn't the skin in the game from insurers to ensure that they can find as many ways as possible to disqualify the policy, rather than actually secure the insured?</p></blockquote><div>I have yet to meet an insurer who will take that approach when issuing a policy. Though I will accept that they are likely to do so in the case that a claim is brought. But even that is a losing game in the long run. The pre-eminent position of Lloyd's of London was established by Cuthbert Heath's famous cable in the wake of the 1906 San Francisco earthquake: “pay all of our policyholders in full, irrespective of the terms of their policies”.</div><div><br></div><blockquote type="cite"><p dir="ltr">After all, the article shows that the Cyberbreach insurance Target had was "useless", in as much as the claims were disqualified because of actions of the insured. 
This is exactly what we saw of DigiNotar as well - the insurance claim was denied because of actions of DigiNotar.</p></blockquote><div>In the case of DigiNotar it seems that none of the browser providers noticed that the audit did not apply to the WebPKI system, so it is hardly surprising that the insurance was not applicable as well.</div><div><br></div><div>One of the reasons for establishing the BR rules is precisely the fact that there was a lot of inconsistency in the application of the rules and uncertainty as to what the rules were or their purpose.</div><br><blockquote type="cite"><p dir="ltr">Indeed, in the history of events that have done the most to undermine the faith in the CA ecosystem, they have been systemic issues that any insurance agency - especially when looking at large scale liability as proposed by 141 - would seek to use to disqualify the policy and reject the claim.</p>
</blockquote></div>If the thieves broke in by picking the lock on the door should we fit a stronger lock or take the door off its hinges and let everyone in?<div><br></div><div>I am not averse to going through a complete redesign of the system of WebPKI controls. But just removing random controls because the purpose is not immediately apparent seems like a very bad approach to me.</div></body></html>