[cabfpub] Ballot 142 - Elimination of EV Insurance Requirement

Dean Coclin Dean_Coclin at symantec.com
Wed Dec 3 17:59:03 UTC 2014


It was my suggestion that we have a discussion on next week's call to try
and get some consensus on these issues. I didn't think a week was too much
time to wait on a non-critical issue such as this.  Let's keep the
discussion civil and sort things out on the next call (Dec 11th).




From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Moudrick M. Dadashov
Sent: Wednesday, December 03, 2014 12:46 PM
To: Ryan Sleevi; Jeremy Rowley
Subject: Re: [cabfpub] Ballot 142 - Elimination of EV Insurance Requirement


I fully agree with Ryan, we should move on with Gerv's proposal (ballot
142). Indeed, elimination of insurance is a separate issue.

That said, I also support Kirk's efforts on financial stability, possibly
business continuity and cancellation provisions.  

In addition to the ballot 141, I'm working with Kirk on financial
responsibility, including making arrangements to continue its CRLs and OCSP
responders and its vetting records for certificates issued, after the CA
terminates its operations.


On 12/3/2014 4:48 PM, Ryan Sleevi wrote:

Thanks for pointing this out Jeremy. Looks like my calendar got confused by
the invites sent to the management list. 


In that case, it's less clear to me where we are at with this discussion.
Kirk has suggested twice we delay this discussion until Thursday, but if our
calls are not this Thursday, then such a delay seems unnecessary.


For an issue that has been presented as causing ongoing pain for CAs (c.f.
https://cabforum.org/pipermail/public/2014-October/004148.html ), and that
we should vote to make SOME progress on it, I feel like delaying up to
another month (a week for a call, up to a week for any ballot modifications,
a week for review, and a week for voting) would be unwise.


On Wed, Dec 3, 2014 at 2:38 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:

Just to clarify - this week is not the CAB Forum call - it's the working
group calls.  Next week is the Forum call.



From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ryan Sleevi
Sent: Wednesday, December 3, 2014 7:25 AM
To: kirk_hall at trendmicro.com
Subject: Re: [cabfpub] Ballot 142 - Elimination of EV Insurance Requirement




On Wed, Dec 3, 2014 at 2:44 AM, kirk_hall at trendmicro.com
<kirk_hall at trendmicro.com> wrote:

So it looks like there were hurt feelings on both parts - I was unhappy that
Mozilla would not honor my request for time to post my ballot on the issue
(which covered both insurance and new financial responsibility requirements,
which are linked in my mind, as previously explained), and Gerv was unhappy
that I would not post his ballot for him upon request.  (Others could have
posted the ballot for Gerv as well.)


To move past that, I'll remove Section 1 of my Ballot (relating to
elimination of the EV insurance requirement) so Gerv's ballot will be the
exclusive one on that topic.  Both ballots can proceed together, but I would
urge members to vote yes on both, as we are removing one intended financial
responsibility safeguard (EV insurance, which we have come to see is not
very effective) and should substitute another more valuable financial
responsibility safeguard (limiting a CA's ability to disclaim all liability
for its mis-issued certs that cause damage to subscribers and the public).  


The new requirement in Ballot certainly is not a "pointless barrier to
entry" as suggested below, but a very valuable safeguard to the public that
will help reinforce the value of public CAs over self-signed certs and
should be a no-brainer for browsers -- it clearly protects their users from
CA errors -- and very valuable for CAs as well to establish their worth.  


I'll be happy to discuss this further on our call Thursday and on this list.



Regrettably, I won't be able to make this Thursday's call. I think the way
these ballots have been handled is deeply unfortunate, and I'm disappointed
that I won't be able to make the discussion on how to avoid these sorts of
situations of competing interests in the future.


To the ballots at hand, it should come as no surprise that we share Gerv's
concerns that this is, indeed, a "pointless barrier to entry" as it has been
called. We do not believe it will provide any meaningful protection for our
users - or indeed, for ANY users - from CA errors, as Kirk has suggested,
and that's a point we've repeatedly expressed and discussed in the past, on
the list and on the calls.


As I'll be unable to make and discuss these points further - although I
think at this point it's clear that the discussion on adding liabilities is
not meaningfully or productively making progress - I'd like to request that
whoever is taking minutes take detailed minutes so that the discussion
can be reviewed following the call.




