<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.gmail-
{mso-style-name:gmail-;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Has anyone ever established a loss as a result of a mis-issued certificate?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The point of insurance is that an insurer is like an auditor except that they have skin in the game. An auditor rarely suffers as a result of a negligent audit. Arthur Andersen survived Sunbeam, DeLorean and numerous others before Enron sunk them. An insurer is required to back their assessment of risk with actual dollars.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Nothing gives perfect security but insurance is a tool we need to learn how to use as an industry.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Public [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Ryan Sleevi via Public<br><b>Sent:</b> Monday, October 23, 2017 11:26 AM<br><b>To:</b> Gervase Markham <gerv@mozilla.org><br><b>Cc:</b> CA/Browser Forum Public Discussion List <public@cabforum.org>; Virginia Fournier <vfournier@apple.com><br><b>Subject:</b> Re: [cabfpub] Limitation of Liability and Indemnification<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Mon, Oct 23, 2017 at 10:54 AM, Gervase Markham <<a href="mailto:gerv@mozilla.org" target="_blank">gerv@mozilla.org</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><p class=MsoNormal><span class=gmail->On 23/10/17 14:55, Ryan Sleevi wrote:</span><br><span class=gmail->> I don't believe this is correct or supported by fact, Gerv, nor</span><br><span class=gmail->> supported by the limits of liability if you review CA's CP/CPS.</span><br><br>I'm not sure what you mean. If you mean the limits I'm suggesting are<br>currently not offered by CAs, well of course they aren't.<o:p></o:p></p></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>No, I mean both with respect to the misissuance of EV (I can think of several CAs that have done so) and to the terms of claiming liability (I encourage you to read the CP/CPSes of those who have).<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I'm curious whether there has ever been a successful claim of liability. Certainly, the claims of insurance to date have been rejected.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><p class=MsoNormal><span class=gmail->> We are very much opposed to increasing liability, and I'm surprised to</span><br><span class=gmail->> see Mozilla advocating it, given its past votes to abolish liability</span><br><span class=gmail->> requirements from EV given the practical challenges they face. </span><br><br>Reminder?<br><br>You mean Google sees CA liability for misissuance as a paper tiger?<o:p></o:p></p></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Ballot 141 - <a href="https://cabforum.org/2015/01/19/ballot-141-elimination-ev-insurance-requirement-financial-responsibility-mis-issued-certificates/">https://cabforum.org/2015/01/19/ballot-141-elimination-ev-insurance-requirement-financial-responsibility-mis-issued-certificates/</a> - and Ballot 142 - <a href="https://cabforum.org/2015/01/19/ballot-142-elimination-ev-insurance-requirement/">https://cabforum.org/2015/01/19/ballot-142-elimination-ev-insurance-requirement/</a><o:p></o:p></p></div></div></div></div></div></div></body></html>