[cabfpub] Ballot 142 - Elimination of EV Insurance Requirement

Richard Wang richard at wosign.com
Thu Dec 4 09:56:19 UTC 2014

+1 Robin



Best Regards,




From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Adriano Santoni
Sent: Thursday, December 4, 2014 5:34 PM
To: robin at comodo.com
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 142 - Elimination of EV Insurance Requirement


I concur with Robin.


On 03/12/2014 19:24, Robin Alden wrote:

I think Gerv is entitled to have his ballot on insurance run in isolation if that’s the way he wants it, but I see the existing insurance requirements as a pragmatic safeguard to ensure that a CA is well run and that it is a going concern which is likely to be about long enough to manage the lifecycle of the certificates it issues through to their expiry (or later, for code-signing).


I think Gerv has stuck his neck out with his ballot which really does crystalize down to the issue of whether or not you consider the insurance requirement to be a ‘pointless barrier to entry’.


I don’t consider the insurance requirement to be a ‘pointless barrier to entry’.


I can see that the insurance requirement has a positive effect of protecting the operation of a CA in a financial way from a number of events that could befall it.

That protection filters through as a benefit to the subscribers and relying parties because they don’t have to deal with a CA dropping off its perch because it finds itself unable to replace a fire-damaged server rack or unable to meet a financial claim made against it.

If you are running a CA you are required to have policies and procedures for business continuity and having insurance of some sort in there is low-hanging fruit for that aspect of running any business.


Could that protection be better? – Quite probably.

Is there something better than insurance that could provide some guarantee of a CA being able to continue to operate and to continue to provide service to its subscribers and relying parties? – Quite possibly.


But a ballot to rip out insurance and replace it with nothing seems like a poor option to me compared with a ballot to replace an insurance requirement which some CAs find expensive and inconvenient with another measure or set of measures that might provide better protection or even provide the same protection at less cost or effort.


If you’re going to run a CA you will be running a business which has costs and liabilities and should be able to bear the financial responsibility  and be able to handle the associated risks which might otherwise cause you to fail to meet the practical standards required to continue in operation.  That holds true even if you choose not to charge for the provision of end entity certificates.





From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Moudrick M. Dadashov
Sent: 03 December 2014 17:46
To: Ryan Sleevi; Jeremy Rowley
Subject: Re: [cabfpub] Ballot 142 - Elimination of EV Insurance Requirement


I fully agree with Ryan, we should move on with Gerv's proposal (ballot 142). Indeed, elimination of insurance is a separate issue.

That said, I also support Kirk's efforts on financial stability, possibly business continuity and cancellation provisions.  

In addition to the ballot 141, I'm working with Kirk on financial responsibility, including making arrangements to continue its CRLs and OCSP responders and its vetting records for certificates issued, after the CA terminates its operations.


On 12/3/2014 4:48 PM, Ryan Sleevi wrote:

Thanks for pointing this out Jeremy. Looks like my calendar got confused by the invites sent to the management list. 


In that case, it's less clear to me where we are at with this discussion. Kirk has suggested twice we delay this discussion until Thursday, but if our calls are not this Thursday, then such a delay seems unnecessary.


For an issue that has been presented as causing ongoing pain for CAs (c.f. https://cabforum.org/pipermail/public/2014-October/004148.html ), and that we should vote to make SOME progress on it, I feel like delaying up to another month (a week for a call, up to a week for any ballot modifications, a week for review, and a week for voting) would be unwise.


On Wed, Dec 3, 2014 at 2:38 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:

Just to clarify - this week is not the CAB Forum call – it’s the working group calls.  Next week is the Forum call.



From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Wednesday, December 3, 2014 7:25 AM
To: kirk_hall at trendmicro.com
Subject: Re: [cabfpub] Ballot 142 - Elimination of EV Insurance Requirement




On Wed, Dec 3, 2014 at 2:44 AM, kirk_hall at trendmicro.com <kirk_hall at trendmicro.com> wrote:

So it looks like there were hurt feelings on both parts – I was unhappy that Mozilla would not honor my request for time to post my ballot on the issue (which covered both insurance and new financial responsibility requirements, which are linked in my mind, as previously explained), and Gerv was unhappy that I would not post his ballot for him upon request.  (Others could have posted the ballot for Gerv as well.)


To move past that, I’ll remove Section 1 of my Ballot (relating to elimination of the EV insurance requirement) so Gerv’s ballot will be the exclusive one on that topic.  Both ballots can proceed together, but I would urge members to vote yes on both, as we are removing one intended financial responsibility safeguard (EV insurance, which we have come to see is not very effective) and should substitute another  more valuable financial responsibility safeguard (limiting a CA’s ability to disclaim all liability for its mis-issued certs that cause damage to subscribers and the public).  


The new requirement in Ballot certainly is not a "pointless barrier to entry" as suggested below, but a very valuable safeguard to the public that will help reinforce the value of public CAs over self-signed certs and should be a no-brainer for browsers -- it clearly protects their users from CA errors -- and very valuable for CAs as well to establish their worth.  


I'll be happy to discuss this further on our call Thursday and on this list.



Regrettably, I won't be able to make this Thursday's call. I think the way these ballots have been handled is deeply unfortunate, and I'm disappointed that I won't be able to make the discussion on how we avoid these sorts of situations of competing interests in the future.


To the ballots at hand, it should come as no surprise that we share Gerv's concerns that this is, indeed, a "pointless barrier to entry" as it has been called. We do not believe it will provide any meaningful protection for our users - or indeed, for ANY users - from CA errors, as Kirk has suggested, and that's a point we've repeatedly expressed and discussed in the past, on the list and on the calls.


As I'll be unable to make and discuss these points further - although I think at this point it's clear that the discussion on adding liabilities is not meaningfully or productively making progress - I'd like to request that whoever is taking minutes take detailed minutes so that the discussion can be reviewed following the call.





Public mailing list
Public at cabforum.org




Adriano Santoni 
