[cabfpub] Ballot 142 - Elimination of EV Insurance Requirement

Ryan Sleevi sleevi at google.com
Wed Dec 3 14:25:08 UTC 2014


On Wed, Dec 3, 2014 at 2:44 AM, kirk_hall at trendmicro.com <
kirk_hall at trendmicro.com> wrote:

>  So it looks like there were hurt feelings on both parts – I was unhappy
> that Mozilla would not honor my request for time to post my ballot on the
> issue (which covered both insurance and new financial responsibility
> requirements, which are linked in my mind, as previously explained), and
> Gerv was unhappy that I would not post his ballot for him upon request.
> (Others could have posted the ballot for Gerv as well.)
>
>
>
> To move past that, I’ll *remove* Section 1 of my Ballot (relating to
> elimination of the EV insurance requirement) so Gerv’s ballot will be the
> exclusive one on that topic.  Both ballots can proceed together, but I
> would urge members to vote yes on both, as we are removing one intended
> financial responsibility safeguard (EV insurance, which we have come to see
> is not very effective) and should substitute another more valuable
> financial responsibility safeguard (limiting a CA’s ability to disclaim all
> liability for its mis-issued certs that cause damage to subscribers and the
> public).
>
>
>
> The new requirement in Ballot certainly is not a "pointless barrier to
> entry" as suggested below, but a very valuable safeguard to the public that
> will help reinforce the value of public CAs over self-signed certs and
> should be a no-brainer for browsers -- it clearly protects their users from
> CA errors -- and very valuable for CAs as well to establish their worth.
>
>
>
> I'll be happy to discuss this further on our call Thursday and on this
> list.
>
>
>
Regrettably, I won't be able to make this Thursday's call. I think the way
these ballots have been handled is deeply unfortunate, and I'm disappointed
that I won't be able to make the discussion on how to avoid these sorts
of situations of competing interests in the future.

To the ballots at hand, it should come as no surprise that we share Gerv's
concerns that this is, indeed, a "pointless barrier to entry" as it has
been called. We do not believe it will provide any meaningful protection
for our users - or indeed, for ANY users - from CA errors, as Kirk has
suggested, and that's a point we've repeatedly expressed and discussed in
the past, on the list and on the calls.

As I'll be unable to make and discuss these points further - although I
think at this point it's clear that the discussion on adding liabilities is
not meaningfully or productively making progress - I'd like to request that
whoever is taking minutes take detailed minutes so that the discussion
can be reviewed following the call.

Cheers,
Ryan