<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>The BRs could state something along the lines of “CAs MUST disclose in section 9.2 of their CP/CPS (per RFC 3647) whether it maintains </span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>insurance coverage for its liabilities to third parties and, if so, the amount.” </span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Moudrick M. Dadashov<br><b>Sent:</b> Friday, December 19, 2014 8:37 AM<br><b>To:</b> Dean Coclin; Ryan Sleevi; Phillip<br><b>Cc:</b> CABFPub<br><b>Subject:</b> Re: [cabfpub] Breach Insurance<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>+1<br><br>Add to this business continuity, termination, archived data preservation requirements and we'll have a clear answer why and what kind of insurance we need.<br><br>Thanks,<br>M.D. 
<br><br>On 12/19/2014 5:16 PM, Dean Coclin wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p>Isn't the skin in the game from insurers to ensure that they can find as many ways as possible to disqualify the policy, rather than actually secure the insured?<o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>>>Yes, of course, and if anyone has ever had the pleasure of filing a home insurance claim after a disaster, you quickly learn that it pays to hire your own insurance “advocate” who will work on your behalf to get the most from the insurance company.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p>Indeed, in the history of events that have done the most to undermine the faith in the CA ecosystem, they have been systemic issues that any insurance agency - especially when looking at large scale liability as proposed by 141 - would seek to use to disqualify the policy and reject the claim.<o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>>>I don’t disagree with this, but shouldn’t we be looking at not just “DigiNotar type” events? There is a broad spectrum of events that insurance can cover as well as things they explicitly do not cover (just look at your homeowners policy). </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Perhaps a better solution is to do what we did with the CAA ballot. Mandate that the CA disclose its coverage in the CPS. If they don’t have any, just say so. A cert buyer (or relying party) can make a decision based on that. 
(Thanks to Ben for suggesting that to me!)</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Dean</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'> Ryan Sleevi [</span><a href="mailto:sleevi@google.com"><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>mailto:sleevi@google.com</span></a><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>] <br><b>Sent:</b> Thursday, December 18, 2014 6:51 PM<br><b>To:</b> Phillip<br><b>Cc:</b> CABFPub; Dean Coclin<br><b>Subject:</b> Re: [cabfpub] Breach Insurance</span><o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p>Isn't the skin in the game from insurers to ensure that they can find as many ways as possible to disqualify the policy, rather than actually secure the insured?<o:p></o:p></p><p>After all, the article shows that the Cyberbreach insurance Target had was "useless", in as much as the claims were disqualified because of actions of the insured. 
This is exactly what we saw of DigiNotar as well - the insurance claim was denied because of actions of DigiNotar.<o:p></o:p></p><p>Indeed, in the history of events that have done the most to undermine the faith in the CA ecosystem, they have been systemic issues that any insurance agency - especially when looking at large scale liability as proposed by 141 - would seek to use to disqualify the policy and reject the claim.<o:p></o:p></p><div><p class=MsoNormal>On Dec 18, 2014 3:36 PM, "Phillip Hallam-Baker" <<a href="mailto:philliph@comodo.com">philliph@comodo.com</a>> wrote:<o:p></o:p></p><div><p class=MsoNormal>I don’t particularly mind what type of insurance it is, provided that it means that the activities of the CA are going to be overseen by some party who would have skin in the game in the case of a breach.<o:p></o:p></p><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>Audits are fine but the auditors don’t have skin in the game. <o:p></o:p></p><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p><div><div><p class=MsoNormal>On Dec 18, 2014, at 6:24 PM, Dean Coclin <<a href="mailto:Dean_Coclin@symantec.com" target="_blank">Dean_Coclin@symantec.com</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal><br><br><br><o:p></o:p></p><div><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Thanks Ben. I’m assuming you are posting this with regards to the recent insurance debate. Although I was initially opposed to dropping the EV Insurance requirement, my thinking has changed as others have posted facts about the type of insurance that the EVGL require and appropriateness to its intended use. Symantec’s current position would be in favor of ballot 142 (Gerv’s elimination ballot). The article you linked to below seems to favor a different type of insurance than what we currently require. Are you thinking of proposing a change to the insurance type (i.e. 
Cyberbreach/cyberliability insurance)?</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Dean</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p></div><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><div><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'> </span><a href="mailto:public-bounces@cabforum.org" target="_blank"><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>public-bounces@cabforum.org</span></a><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'> [</span><a href="mailto:public-bounces@cabforum.org" target="_blank"><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>mailto:public-bounces@cabforum.org</span></a><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>] <b>On Behalf Of </b>Ben Wilson<br><b>Sent:</b> Thursday, December 18, 2014 10:42 AM<br><b>To:</b> CABFPub<br><b>Subject:</b> [cabfpub] Breach Insurance</span><o:p></o:p></p></div></div></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>Received this in my email today:</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif'> </span><o:p></o:p></p></div><div><p class=MsoNormal><a href="http://www.usatoday.com/story/tech/2014/12/09/security-data-breach-insurance-target/20011477/" target="_blank"><span 
style='font-size:11.0pt;font-family:"Arial",sans-serif;color:windowtext'>http://www.usatoday.com/story/tech/2014/12/09/security-data-breach-insurance-target/20011477/</span></a><o:p></o:p></p></div><p><span style='font-family:"Arial",sans-serif'>Cheers,</span><o:p></o:p></p><p><span style='font-size:11.0pt;font-family:"Arial",sans-serif'>Ben</span><o:p></o:p></p></div><p class=MsoNormal><span style='font-size:13.5pt;font-family:"Helvetica",sans-serif'>_______________________________________________<br>Public mailing list<br></span><a href="mailto:Public@cabforum.org" target="_blank"><span style='font-size:13.5pt;font-family:"Helvetica",sans-serif'>Public@cabforum.org</span></a><span style='font-size:13.5pt;font-family:"Helvetica",sans-serif'><br></span><a href="https://cabforum.org/mailman/listinfo/public" target="_blank"><span style='font-size:13.5pt;font-family:"Helvetica",sans-serif'>https://cabforum.org/mailman/listinfo/public</span></a><o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p></div></div></div></div></blockquote><p class=MsoNormal><o:p> </o:p></p></div></body></html>