<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
My understanding of EIDAS is that a "qualified EV" might not have
any insurance level at all, depending on country.<br>
In fact, EIDAS does not exactly mandate member states to establish
the insurance level that CAs are required to maintain.<br>
Actually, the EIDAS regulation requires CAs to "... maintain
sufficient financial resources and/or obtain appropriate liability
insurance, in accordance with national law". So, whether CAs are
required to have an insurance (be it "appropriate" or not),
eventually depends on national law.<br>
In some EU countries a minimum acceptable insurance level exists,
but not in all.<br>
In Italy, for instance, CAs must have a minimum capital of 6.3 mln
EUR, and an insurance as well, but the insurance level is up to the
CA to decide.<br>
<br>
Adriano<br>
<br>
<br>
<div class="moz-cite-prefix">Il 22/12/2014 17:34, Stephen Davidson
ha scritto:<br>
</div>
<blockquote
cite="mid:CAA5A5DD4103604CBCF5A9DFEA0E75D19F16AF12@qvgoex01.qvglobal.local"
type="cite">
<pre wrap="">An observation that may or may not sway your opinion: the goal of EV was to create uniform requirements across CAs, and this proposal will introduce variation.
As I understand it, the "qualified SSL" under eIDAS are likely to be based on EV. Thus, a "qualified EV" would have an insurance level that "normal EV" may not have.
Best, Stephen
-----Original Message-----
From: <a class="moz-txt-link-abbreviated" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] On Behalf Of Ben Wilson
Sent: Monday, December 22, 2014 12:09 PM
To: Gervase Markham; <a class="moz-txt-link-abbreviated" href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a>; <a class="moz-txt-link-abbreviated" href="mailto:Dean_Coclin@symantec.com">Dean_Coclin@symantec.com</a>; <a class="moz-txt-link-abbreviated" href="mailto:public@cabforum.org">public@cabforum.org</a>
Subject: Re: [cabfpub] Breach Insurance
Understood. I just need to talk with Iņigo and any other European CAs to understand better about their concerns.
-----Original Message-----
From: Gervase Markham [<a class="moz-txt-link-freetext" href="mailto:gerv@mozilla.org">mailto:gerv@mozilla.org</a>]
Sent: Monday, December 22, 2014 8:37 AM
To: Ben Wilson; <a class="moz-txt-link-abbreviated" href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a>; <a class="moz-txt-link-abbreviated" href="mailto:Dean_Coclin@symantec.com">Dean_Coclin@symantec.com</a>; <a class="moz-txt-link-abbreviated" href="mailto:public@cabforum.org">public@cabforum.org</a>
Subject: Re: [cabfpub] Breach Insurance
On 22/12/14 15:24, Ben Wilson wrote:
</pre>
<blockquote type="cite">
<pre wrap="">My proposal is all about making more information publicly available.
</pre>
</blockquote>
<pre wrap="">
Right. That wasn't a dig at your proposal. I don't think a disclosure requirement is particularly onerous (open to arguments...), so I'm OK with that.
Gerv
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<i><span style="font-family: Serif">Adriano Santoni</span></i>
</div>
</body>
</html>