[cabfpub] Ballot 142 - Elimination of EV Insurance Requirement

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Wed Dec 3 02:44:49 UTC 2014

So it looks like there were hurt feelings on both parts – I was unhappy that Mozilla would not honor my request for time to post my ballot on the issue (which covered both insurance and new financial responsibility requirements, which are linked in my mind, as previously explained), and Gerv was unhappy that I would not post his ballot for him upon request.  (Others could have posted the ballot for Gerv as well.)

To move past that, I’ll remove Section 1 of my Ballot (relating to elimination of the EV insurance requirement) so Gerv’s ballot will be the exclusive one on that topic.  Both ballots can proceed together, but I would urge members to vote yes on both, as we are removing one intended financial responsibility safeguard (EV insurance, which we have come to see is not very effective) and should substitute another more valuable financial responsibility safeguard (limiting a CA’s ability to disclaim all liability for its mis-issued certs that cause damage to subscribers and the public).

The new requirement in Ballot certainly is not a "pointless barrier to entry" as suggested below, but a very valuable safeguard to the public that will help reinforce the value of public CAs over self-signed certs and should be a no-brainer for browsers -- it clearly protects their users from CA errors -- and very valuable for CAs as well to establish their worth.

I'll be happy to discuss this further on our call Thursday and on this list.

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Tuesday, December 02, 2014 1:15 PM
To: Kirk Hall (RD-US); richard.smith at comodo.com; 'CABFPub'
Cc: 'Dean Coclin'
Subject: Re: [cabfpub] Ballot 142 - Elimination of EV Insurance Requirement

On 02/12/14 09:58, kirk_hall at trendmicro.com wrote:

> Rich -- actually, most members post their own ballots when ready --
> it's not the job of the Chair or the Vice Chair.

While the bylaws allow anyone to post a ballot, convention has been that people take advantage of the skill of Ben or Jeremy in preparing them according to proper form.

If you had no intention of posting my ballot after I asked you twice, you could perhaps have let me know?

> And to be blunt, I was disappointed that Mozilla was pushing forward
> with its proposal to drop the EV insurance requirement by itself, when
> I had publicly stated for some weeks that I was working on new
> financial responsibility requirements for CAs to substitute for the
> insurance requirements we were planning to remove.  I think it sends a
> bad message to the public otherwise.

I'm sure each CA will make their own decision on that. As I said in a previous email, I think it's the opposite: it will send a bad message to the public for CAs to retain a requirement with no user benefit but with clear effects on the ease of entry for new market participants.

Regardless, as Rich has noted, your lack of support for the ballot is something to express in the voting, rather than in the (lack of) posting.

> Plus, the insurance
> requirement is a CA issue, not a browser issue, and I'm having trouble
> understanding why Mozilla is pushing this so hard.

Mozilla is interested (and has always been interested) in ubiquitous privacy and security. In the current technology landscape, that involves broadening access to certificates in all their forms. That's why Mozilla helped start Let's Encrypt, and also why I am keen to remove barriers to entry in the EV market (which Let's Encrypt has no intention whatsoever to enter, as far as I understand it; and, of course, I do not speak or advocate for them). I think that if more sites had EV certificates, that would be a good thing. A "CA pay to play" unnecessary cost of multiple tens of thousands of dollars works against that.

> Having said that, both ballots will result in dropping the insurance
> requirement, and one ballot will add new financial responsibility
> requirements so CAs will retain some liability for mis-issued certs,
> which I assume all browsers including Mozilla will be in favor of to
> protect their users.

I have not yet had a chance to study your proposal, but I would not be in favour of removing one pointless barrier to entry only to erect another one. So we will indeed be looking carefully to see if it provides significant user benefit.

