[cabfpub] Ballot 142 - Elimination of EV Insurance Requirement

Gervase Markham gerv at mozilla.org
Tue Dec 2 21:14:57 UTC 2014

On 02/12/14 09:58, kirk_hall at trendmicro.com wrote:
> Rich -- actually, most members post their own ballots when ready --
> it's not the job of the Chair or the Vice Chair. 

While the bylaws allow anyone to post a ballot, convention has been that
people take advantage of the skill of Ben or Jeremy in preparing them
according to proper form.

If you had no intention of posting my ballot after I asked you twice,
you could perhaps have let me know?

> And to be blunt, I was disappointed that Mozilla was pushing forward
> with its proposal to drop the EV insurance requirement by itself,
> when I had publicly stated for some weeks that I was working on new
> financial responsibility requirements for CAs to substitute for the
> insurance requirements we were planning to remove.  I think it sends
> a bad message to the public otherwise.  

I'm sure each CA will make their own decision on that. As I said in a
previous email, I think it's the opposite: it will send a bad message to
the public for CAs to retain a requirement with no user benefit but with
clear effects on the ease of entry for new market participants.

Regardless, as Rich has noted, your lack of support for the ballot is
something to express in the voting, rather than in the (lack of) posting.

> Plus, the insurance
> requirement is a CA issue, not a browser issue, and I'm having
> trouble understanding why Mozilla is pushing this so hard.

Mozilla is interested (and has always been interested) in ubiquitous
privacy and security. In the current technology landscape, that involves
broadening access to certificates in all their forms. That's why Mozilla
helped start Let's Encrypt, and also why I am keen to remove barriers to
entry in the EV market (which Let's Encrypt has no intention whatsoever
to enter, as far as I understand it; and, of course, I do not speak or
advocate for them). I think that if more sites had EV certificates, that
would be a good thing. A "CA pay to play" unnecessary cost of multiple
tens of thousands of dollars works against that.

> Having said that, both ballots will result in dropping the insurance
> requirement, and one ballot will add new financial responsibility
> requirements so CAs will retain some liability for mis-issued certs,
> which I assume all browsers including Mozilla will be in favor of to
> protect their users.

I have not yet had a chance to study your proposal, but I would not be
in favour of removing one pointless barrier to entry only to erect
another one. So we will indeed be looking carefully to see if it
provides significant user benefit.

