[cabfpub] Ballot 142 - Elimination of EV Insurance Requirement

Robin Alden robin at comodo.com
Wed Dec 3 18:24:57 UTC 2014


I think Gerv is entitled to have his ballot on insurance run in
isolation if that's the way he wants it, but I see the existing
insurance requirements as a pragmatic safeguard to ensure that a CA is
well run and that it is a going concern which is likely to be about long
enough to manage the lifecycle of the certificates it issues through to
their expiry (or later, for code-signing).

I think Gerv has stuck his neck out with his ballot which really does
crystalize down to the issue of whether or not you consider the
insurance requirement to be a 'pointless barrier to entry'.

I don't consider the insurance requirement to be a 'pointless barrier to
entry'.

I can see that the insurance requirement has a positive effect of
protecting the operation of a CA in a financial way from a number of
events that could befall it.

That protection filters through as a benefit to the subscribers and
relying parties because they don't have to deal with a CA dropping off
its perch because it finds itself unable to replace a fire-damaged
server rack or unable to meet a financial claim made against it.

If you are running a CA you are required to have policies and procedures
for business continuity and having insurance of some sort in there is
low-hanging fruit for that aspect of running any business.

Could that protection be better? - Quite probably.

Is there something better than insurance that could provide some
guarantee of a CA being able to continue to operate and to continue to
provide service to its subscribers and relying parties? - Quite
possibly.

But a ballot to rip out insurance and replace it with nothing seems like
a poor option to me compared with a ballot to replace an insurance
requirement which some CAs find expensive and inconvenient with another
measure or set of measures that might provide better protection or even
provide the same protection at less cost or effort.

If you're going to run a CA you will be running a business which has
costs and liabilities and should be able to bear the financial
responsibility and be able to handle the associated risks which might
otherwise cause you to fail to meet the practical standards required to
continue in operation.  That holds true even if you choose not to charge
for the provision of end entity certificates.

Regards
Robin

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
On Behalf Of Moudrick M. Dadashov
Sent: 03 December 2014 17:46
To: Ryan Sleevi; Jeremy Rowley
Cc: CABFPub
Subject: Re: [cabfpub] Ballot 142 - Elimination of EV Insurance
Requirement

I fully agree with Ryan, we should move on with Gerv's proposal (ballot
142). Indeed, elimination of insurance is a separate issue.

That said, I also support Kirk's efforts on financial stability,
possibly business continuity and cancellation provisions.  

In addition to the ballot 141, I'm working with Kirk on financial
responsibility, including making arrangements to continue its CRLs and
OCSP responders and its vetting records for certificates issued, after
the CA terminates its operations.

Thanks,
M.D.

On 12/3/2014 4:48 PM, Ryan Sleevi wrote:

Thanks for pointing this out Jeremy. Looks like my calendar got confused
by the invites sent to the management list.

In that case, it's less clear to me where we are at with this
discussion. Kirk has suggested twice we delay this discussion until
Thursday, but if our calls are not this Thursday, then such a delay
seems unnecessary.

For an issue that has been presented as causing ongoing pain for CAs
(c.f. https://cabforum.org/pipermail/public/2014-October/004148.html ),
and that we should vote to make SOME progress on it, I feel like
delaying up to another month (a week for a call, up to a week for any
ballot modifications, a week for review, and a week for voting) would be
unwise.

On Wed, Dec 3, 2014 at 2:38 PM, Jeremy Rowley
<jeremy.rowley at digicert.com> wrote:

Just to clarify - this week is not the CAB Forum call - it's the working
group calls.  Next week is the Forum call.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
On Behalf Of Ryan Sleevi
Sent: Wednesday, December 3, 2014 7:25 AM
To: kirk_hall at trendmicro.com
Cc: CABFPub
Subject: Re: [cabfpub] Ballot 142 - Elimination of EV Insurance
Requirement

On Wed, Dec 3, 2014 at 2:44 AM, kirk_hall at trendmicro.com
<kirk_hall at trendmicro.com> wrote:

So it looks like there were hurt feelings on both parts - I was unhappy
that Mozilla would not honor my request for time to post my ballot on
the issue (which covered both insurance and new financial responsibility
requirements, which are linked in my mind, as previously explained), and
Gerv was unhappy that I would not post his ballot for him upon request.
(Others could have posted the ballot for Gerv as well.)

To move past that, I'll remove Section 1 of my Ballot (relating to
elimination of the EV insurance requirement) so Gerv's ballot will be
the exclusive one on that topic.  Both ballots can proceed together, but
I would urge members to vote yes on both, as we are removing one
intended financial responsibility safeguard (EV insurance, which we have
come to see is not very effective) and should substitute another more
valuable financial responsibility safeguard (limiting a CA's ability to
disclaim all liability for its mis-issued certs that cause damage to
subscribers and the public).

The new requirement in Ballot certainly is not a "pointless barrier to
entry" as suggested below, but a very valuable safeguard to the public
that will help reinforce the value of public CAs over self-signed certs
and should be a no-brainer for browsers -- it clearly protects their
users from CA errors -- and very valuable for CAs as well to establish
their worth.

I'll be happy to discuss this further on our call Thursday and on this
list.

Regrettably, I won't be able to make this Thursday's call. I think the
way these ballots have been handled is deeply unfortunate, and I'm
disappointed that I won't be able to make the discussion on how we are to
avoid these sorts of situations of competing interests in the future.

To the ballots at hand, it should come as no surprise that we share
Gerv's concerns that this is, indeed, a "pointless barrier to entry" as
it has been called. We do not believe it will provide any meaningful
protection for our users - or indeed, for ANY users - from CA errors, as
Kirk has suggested, and that's a point we've repeatedly expressed and
discussed in the past, on the list and on the calls.

As I'll be unable to make and discuss these points further - although I
think at this point it's clear that the discussion on adding liabilities
is not meaningfully or productively making progress - I'd like to
request that whoever is taking minutes take detailed minutes so that
the discussion can be reviewed following the call.

Cheers,

Ryan

_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public