[cabfpub] Reasons in support of Ballot 141

kirk_hall at trendmicro.com
Wed Dec 10 21:48:45 UTC 2014


I want to summarize my reasons behind "Ballot 141 - Elimination of EV Insurance Requirement; Financial Responsibility for Mis-Issued Certificates<https://www.cabforum.org/wiki/141%20-%20Elimination%20of%20EV%20Insurance%20Requirement%3B%20Financial%20Responsibility%20for%20Mis-Issued%20Certificates>" to make our discussion tomorrow on the CABF call shorter.

Background

The EV Guidelines have required CAs to maintain Commercial General Liability (CGL) and Errors & Omissions (E&O) insurance since 2008.  As a new CA in 2010 (with no customers) I resented this requirement because (1) I didn't feel our CA needed it and so it was a waste of money, (2) the CGL coverage was not relevant to running a CA, and (3) the E&O requirement would, at best, help protect the CA, but had no duty to protect customers or relying parties.

As you recall, Trend Micro proposed Ballot 121 to eliminate the EV insurance requirement, and just require that CAs comply with whatever insurance requirements existed in their governing jurisdiction.  The ballot passed among CAs, but failed among browsers.

Ben Wilson then did a great job of trying to update the insurance requirements to be more relevant to running a CA and proposed Ballot 133.  (Trend Micro did not support this ballot in large part because we were concerned the insurance might not be available in all markets, and could become unavailable in North America in the future - perhaps we were wrong.)  The ballot passed among CAs, but failed among browsers.

There is general agreement that the current EV insurance requirements should be dropped.  However, during the drafting and balloting of Ben's Ballot 133, I came to think it would be a bad idea to eliminate one CA requirement that was intended to protect the public (even if it was not well designed) unless we simultaneously added new CA requirements for the protection of the public.

Some weeks ago, Trend Micro proposed two financial responsibility concepts for CAs: (1) the concept that CAs should have to keep at least a portion of their potential legal liability for all their issued certs (DV, OV, and EV) so there could at least be some potential recourse for customers and relying parties for mis-issued certs, and (2) the concept that a CA should maintain some minimum capital to help it deal with emergencies (breaches, etc.) and also fund necessary operations during any termination period (e.g., maintaining CRLs and OCSP responders for outstanding certs, maintaining past vetting files, etc.).  I presented conceptual ballots for these ideas, and they were discussed on one CABF conference call.

Current Situation

Trend Micro still believes it would be best (and would convey the best message to the public) if the elimination of the CA insurance requirement were linked with new CA financial responsibility requirements, but other members disagree.  I won't discuss that issue any further.

Here are my reasons to CAs and to browsers why they should support Ballot 141 requiring CAs to keep at least a small portion of whatever liability their local jurisdiction would assess against them for a mis-issued cert.  (Remember, my ballot is not trying to change whatever local law says a CA's liability for a mis-issued cert should be - the ballot would instead only prevent a CA from denying 100% of its existing legal liability through its Subscriber Agreement and Relying Party Agreement.)

Reasons for CAs to support Ballot 141

Over the past year, we CAs have heard comments to the effect that CAs are useless, CAs make lots of mistakes and/or alter data in certs to avoid requirements, identity in certificates isn't important, OV certs don't matter, etc.  I disagree 100% with these comments, but it's hard to oppose them through discussion alone.

In my opinion, the best way for CAs to counter these mis-impressions is to step up and demonstrate the value of public CA certificates by standing behind our products.  Over the past decade CAs have continuously improved the security of their certificates through higher and higher standards that we have imposed on ourselves through the CA/Browser Forum, and we deserve some recognition for that.  I think it's time to go further.

The best way for us CAs to show the public the ongoing value of our SSL certs generally in the internet infrastructure is for CAs to retain some portion of our liability for mis-issued certificates, at all levels.

The best way for us to show the public that identity does matter is for us to retain higher levels of potential liability for certs with higher levels of identity verification - so, under Ballot 141, CAs must retain minimum potential liability for DV certs of at least $2,000, for OV certs $5,000, and for EV certs $10,000.

I would point out that most or all software vendors and browsers disclaim 100% of their potential liability to users and the public in their EULAs - even for serious bugs and flaws in the software - so CAs can distinguish themselves in the internet world by standing behind their products and taking on some liability.  As a practical matter, there have been few mis-issued certs out of the millions of certs issued each year, so I suspect the potential liability to CAs under Ballot 141 is manageable.

Reasons for Browsers to support Ballot 141

As I said in an earlier email, it should be a no-brainer for Browsers to support Ballot 141, as it creates financial responsibility among CAs and potential recourse for browser users in the event of a mis-issued cert that causes harm to browser users.

Is Ballot 141 a potential barrier to entry for new CAs?

In a word, no.

Ballot 141 does not cost a new CA - or an existing CA - one penny.  It simply raises the bar on certificate quality - and is only an expansion of current EV Guideline Section 18, which already requires CAs to keep at least $2,000 in potential liability for mis-issued EV certs (that number was set in 2008 or earlier, and is too low today).  EVGL Section 18 has been a requirement for all CAs since 2008, but has not proven to be a barrier to entry for new CAs since that time.  (My own CA, AffirmTrust, was formed in 2010, and this requirement was not even a consideration.)

In my mind, a "barrier to entry" is only something that costs a new CA money without delivering any real benefit to anyone.  Ballot 141 is not in that category.  In fact, the "burden" imposed by Ballot 141 is minimal, and scales in proportion to the number and type of certificates that a new or established CA issues, which is a pretty fair result.

For these reasons, I hope CAs and browsers together will support Ballot 141, and I would still recommend we link these new financial responsibility requirements with any vote on dropping the EV insurance requirements so we can show the public that CAs are not dropping public protection requirements, but are instead increasing them.

Kirk R. Hall
Operations Director, Trust Services
Trend Micro
+1.503.753.3088

