[cabfpub] Breach Insurance

Moudrick Dadashov md at ssc.lt
Mon Dec 22 16:05:28 MST 2014


Kirk, up to the new Regulation all ETSI was about el. signatures.

The new Regulation says anyone in trust services is a TSP. And trust services now include CA business which also includes issuing web site authentication certificates.

So far insurance requirements, at least at national level, were applicable to issuing QCs only. But as the Regulation comes into full power, this will change.

As some of my colleagues noted, the details of insurance requirements are subject to national law.

Thanks,
M.D.

kirk_hall at trendmicro.com wrote:

>Moudrick -- under ETSI and national law, it sounds like a CA must have insurance and/or minimum capital to issue Qualified Certificates (including EV Qualified Certificates?).
>
>Can you tell me -- do the ETSI/national government requirements for insurance and/or minimum capital apply also to CAs who only issue SSL certificates (and not Qualified Certificates)?  
>
>Or are the requirements limited to CAs that issue SSL certificates only?
>
>-----Original Message-----
>From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Moudrick M. Dadashov
>Sent: Monday, December 22, 2014 10:09 AM
>To: Gervase Markham; Stephen Davidson; Ben Wilson; i-barreira at izenpe.net; Dean_Coclin at symantec.com; public at cabforum.org
>Subject: Re: [cabfpub] Breach Insurance
>
>Sorry for the confusion, Gerv, I was responding to Stephen's skepticism.
>
>In regard to Qualified SSL, Arno and Inigo know this better, but I don't expect any significant shift even if someday today's EVCP becomes Qualified SSL. If they declare it is equal to EV SSL that means all EVG requirements apply without any exceptions. However, this doesn't prevent them from having extra requirements for Qualified SSL.
>
>Thanks,
>M.D.
>
>On 12/22/2014 7:25 PM, Gervase Markham wrote:
>> On 22/12/14 17:05, Moudrick M. Dadashov wrote:
>>> I'm afraid this is not an accurate assumption, actually the auditors 
>>> require ***full*** EVG compliance.
>> I'm afraid I don't understand your point.
>>
>> I am saying that if I decide to have "Gerv EV", which requires all CAs 
>> implementing it to change their logos to include a picture of a 
>> banana, then there is no requirement whatsoever for the CAB Forum to 
>> update the EV Guidelines to make the banana thing a requirement for 
>> all CAs. That remains true even if (say) over half of the CAs in the 
>> forum choose to implement Gerv EV and so implement the banana-logo requirement.
>>
>> What I do (or anyone else does) with CAB Forum standards, external to 
>> the CAB Forum, cannot force the CAB Forum's hand about what it should do.
>>
>> Does that make sense?
>>
>> Gerv
>>
>>> On 12/22/2014 6:46 PM, Gervase Markham wrote:
>>>> On 22/12/14 16:34, Stephen Davidson wrote:
>>>>> An observation that may or may not sway your opinion:  the goal of 
>>>>> EV was to create uniform requirements across CAs, and this proposal 
>>>>> will introduce variation. As I understand it, the "qualified SSL" 
>>>>> under eIDAS are likely to be based on EV.  Thus, a "qualified EV" 
>>>>> would have an insurance level that "normal EV" may not have.
>>>> If other people want to build standards on EV, we aren't going to 
>>>> stop them. But if they add additional requirements, we can't let 
>>>> that force us to add those requirements also - because otherwise, 
>>>> everyone else would be making the CAB Forum's decisions for us.
>>>>
>>>> Gerv