<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">+1<br>
<br>
add to this business continuity, termination, archived data
preservation requirements and we'll have a clear answer why ant
what kind of insurance we need.<br>
<br>
Thanks,<br>
M.D. <br>
<br>
On 12/19/2014 5:16 PM, Dean Coclin wrote:<br>
</div>
<blockquote
cite="mid:14D026C7F297AD44AC82578DD818CDD037FF8A4585@TUS1XCHEVSPIN35.SYMC.SYMANTEC.COM"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p>Isn't the skin in the game from insurers to ensure that they
can find as many ways as possible to disqualify the policy,
rather than actually secure the insured?<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">>>Yes
of course and if anyone has ever had the pleasure of filing
a home insurance claim after a disaster, you quickly learn
that it pays to hire your own insurance “advocate” who will
work on your behalf to get the most from the insurance
company.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p>Indeed, in the history of events that have done the most to
undermine the faith in the CA ecosystem, they have been
systemic issues that any insurance agency - especially when
looking at large scale liability as proposed by 141 - would
seek to use to disqualify the policy and reject the claim.<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">>>I
don’t disagree with this but shouldn’t we be looking at not
just “Diginotar type” events? There are a broad spectrum of
events that insurance can cover as well as things they
explicitly do not cover (just look at your homeowners
policy). <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Perhaps
a better solution is to do what we did with the CAA ballot.
Mandate that the CA disclose its coverage in the CPS. If
they don’t have any, just say so. A cert buyer (or relying
party) can make a decision based on that. (Thanks to Ben for
suggesting that to me!)<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Dean<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
Ryan Sleevi [<a moz-do-not-send="true"
href="mailto:sleevi@google.com">mailto:sleevi@google.com</a>]
<br>
<b>Sent:</b> Thursday, December 18, 2014 6:51 PM<br>
<b>To:</b> Phillip<br>
<b>Cc:</b> CABFPub; Dean Coclin<br>
<b>Subject:</b> Re: [cabfpub] Breach Insurance<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Isn't the skin in the game from insurers to ensure that they
can find as many ways as possible to disqualify the policy,
rather than actually secure the insured?<o:p></o:p></p>
<p>After all, the article shows that the Cyberbreach insurance
Target had was "useless", in as much as the claims were
disqualified because of actions of the insured. This is
exactly what we saw of DigiNotar as well - the insurance claim
was denied because of actions of DigiNotar.<o:p></o:p></p>
<p>Indeed, in the history of events that have done the most to
undermine the faith in the CA ecosystem, they have been
systemic issues that any insurance agency - especially when
looking at large scale liability as proposed by 141 - would
seek to use to disqualify the policy and reject the claim.<o:p></o:p></p>
<div>
<p class="MsoNormal">On Dec 18, 2014 3:36 PM, "Phillip
Hallam-Baker" <<a moz-do-not-send="true"
href="mailto:philliph@comodo.com">philliph@comodo.com</a>>
wrote:<o:p></o:p></p>
<div>
<p class="MsoNormal">I don’t particularly mind what type of
insurance it is, provided that it means that the
activities of the CA are going to be overseen by some
party who would have skin in the game in the case of a
breach.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Audits are fine but the auditors
don’t have skin in the game. <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Dec 18, 2014, at 6:24 PM,
Dean Coclin <<a moz-do-not-send="true"
href="mailto:Dean_Coclin@symantec.com"
target="_blank">Dean_Coclin@symantec.com</a>>
wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks
Ben. I’m assuming you are posting this with
regards to the recent insurance debate.
Although I was initially opposed to dropping
the EV Insurance requirement, my thinking
has changed as others have posted facts
about the type of insurance that the EVGL
require and appropriateness to its intended
use. Symantec’s current position would be in
favor of ballot 142 (Gerv’s elimination
ballot). The article you linked to below
seems to favor a different type of insurance
than what we currently require. Are you
thinking of proposing a change to the
insurance type (i.e.
Cyberbreach/cyberliability insurance)?</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Dean</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<div>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> </span><a
moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org"
target="_blank"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">public-bounces@cabforum.org</span></a><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
[</span><a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org"
target="_blank"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">mailto:public-bounces@cabforum.org</span></a><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">] <b>On
Behalf Of </b>Ben Wilson<br>
<b>Sent:</b> Thursday, December 18, 2014
10:42 AM<br>
<b>To:</b> CABFPub<br>
<b>Subject:</b> [cabfpub] Breach
Insurance</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Arial","sans-serif"">Received
this in my email today:</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Arial","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><a moz-do-not-send="true"
href="http://www.usatoday.com/story/tech/2014/12/09/security-data-breach-insurance-target/20011477/"
target="_blank"><span
style="font-size:11.0pt;font-family:"Arial","sans-serif";color:windowtext">http://www.usatoday.com/story/tech/2014/12/09/security-data-breach-insurance-target/20011477/</span></a><o:p></o:p></p>
</div>
<p><span
style="font-family:"Arial","sans-serif"">Cheers,</span><o:p></o:p></p>
<p><span
style="font-size:11.0pt;font-family:"Arial","sans-serif"">Ben</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span
style="font-size:13.5pt;font-family:"Helvetica","sans-serif"">_______________________________________________<br>
Public mailing list<br>
</span><a moz-do-not-send="true"
href="mailto:Public@cabforum.org"
target="_blank"><span
style="font-size:13.5pt;font-family:"Helvetica","sans-serif"">Public@cabforum.org</span></a><span
style="font-size:13.5pt;font-family:"Helvetica","sans-serif""><br>
</span><a moz-do-not-send="true"
href="https://cabforum.org/mailman/listinfo/public"
target="_blank"><span
style="font-size:13.5pt;font-family:"Helvetica","sans-serif"">https://cabforum.org/mailman/listinfo/public</span></a><span
style="font-size:13.5pt;font-family:"Helvetica","sans-serif""><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Public mailing list<br>
<a moz-do-not-send="true" href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a moz-do-not-send="true"
href="https://cabforum.org/mailman/listinfo/public"
target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
</body>
</html>