[cabfpub] Reasons in support of Ballot 141
N. Atilla Biler
atilla.biler at turktrust.com.tr
Thu Dec 11 10:11:22 UTC 2014
Dear Kirk,
Thank you for explaining your arguments once more for all of us by your e-mail message below. We also think that a CA should be liable for its operations and the general public should be protected in an appropriate way. That is why we had supported the two previous ballots, namely Ballot 121 and Ballot 133, both of which did not pass.
Nevertheless, we need more clarification about your proposal for creating financial responsibility on the CA side. What kind of a responsibility exactly will the statement that you use in your ballot as “… – so, under Ballot 141, CAs must retain minimum potential liability for DV certs of at least $2,000, for OV certs $5,000, and for EV certs $10,000.” put on CAs? What does “CAs must retain minimum potential liability for…” mean?
If a CA has 1000 OV certs issued to 1000 different clients, does this statement imply, for instance, that
* the CA should put aside some liquid assets that would sum up to 5 million USD for their liability? or alternatively
* the CA should have an insurance of 5 million USD for their liability?
In any case, the cost of this liability to that CA will be more than “one penny” if the above understanding is true. Again this means, for instance, a bigger CA which has 100.000 active OV SSLs in the market will need to be liable for 500 million USD. If we even consider the relying parties for this CA, say 1 million end users as a minimum, the liability amount will be 5 billion USD, where things become ridiculous.
Hence, I would appreciate it a lot if you could clarify this point before our conference call today so that everyone on the call will have the same understanding about your proposal.
Best regards,
N. Atilla BILER
Business Development Manager
TURKTRUST Inc.
Address: Hollanda Cad. 696.Sok. No:7 Yildiz 06550 Cankaya / ANKARA - TURKEY
Phone : +90 (312) 439 10 00
Mobile : +90 (530) 314 24 05
Fax : +90 (312) 439 10 01
E-mail : atilla.biler at turktrust.com.tr
Web : www.turktrust.com.tr
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Wednesday, 10 December 2014 23:49
To: CABFPub (public at cabforum.org)
Subject: [cabfpub] Reasons in support of Ballot 141
I want to summarize my reasons behind “Ballot 141 - Elimination of EV Insurance Requirement; Financial Responsibility for Mis-Issued Certificates” <https://www.cabforum.org/wiki/141%20-%20Elimination%20of%20EV%20Insurance%20Requirement%3B%20Financial%20Responsibility%20for%20Mis-Issued%20Certificates> to make our discussion tomorrow on the CABF call shorter.
Background
The EV Guidelines have required CAs to maintain Commercial General Liability (CGL) and Errors & Omissions (E&O) insurance since 2008. As a new CA in 2010 (with no customers) I resented this requirement because (1) I didn’t feel our CA needed it and so it was a waste of money, (2) the CGL coverage was not relevant to running a CA, and (3) the E&O requirement would, at best, help protect the CA, but had no duty to protect customers or relying parties.
As you recall, Trend Micro proposed Ballot 121 to eliminate the EV insurance requirement, and just require that CAs comply with whatever insurance requirements existed in their governing jurisdiction. The ballot passed among CAs, but failed among browsers.
Ben Wilson then did a great job of trying to update the insurance requirements to be more relevant to running a CA and proposed Ballot 133. (Trend Micro did not support this ballot in large part because we were concerned the insurance might not be available in all markets, and could become unavailable in North America in the future – perhaps we were wrong.) The ballot passed among CAs, but failed among browsers.
There is general agreement that the current EV insurance requirements should be dropped. However, during the drafting and balloting of Ben’s Ballot 133, I came to think it would be a bad idea to eliminate one CA requirement that was intended to protect the public (even if it was not well designed) unless we simultaneously added new CA requirements for the protection of the public.
Some weeks ago, Trend Micro proposed two financial responsibility concepts for CAs: (1) the concept that CAs should have to keep at least a portion of their potential legal liability for all their issued certs (DV, OV, and EV) so there could at least be some potential recourse for customers and relying parties for mis-issued certs, and (2) the concept that a CA should maintain some minimum capital to help it deal with emergencies (breaches, etc.) and also fund necessary operations during any termination period (e.g., maintaining CRLs and OCSP responders for outstanding certs, maintaining past vetting files, etc.). I presented conceptual ballots for these ideas, and they were discussed on one CABF conference call.
Current Situation
Trend Micro still believes it would be best (and would convey the best message to the public) if the elimination of the CA insurance requirement were linked with new CA financial responsibility requirements, but other members disagree. I won’t discuss that issue any further.
Here are my reasons to CAs and to browsers why they should support Ballot 141 requiring CAs to keep at least a small portion of whatever liability their local jurisdiction would assess against them for a mis-issued cert. (Remember, my ballot is not trying to change whatever local law says a CA’s liability for a mis-issued cert should be – the ballot would instead only prevent a CA from denying 100% of its existing legal liability through its Subscriber Agreement and Relying Party Agreement.)
Reasons for CAs to support Ballot 141
Over the past year, we CAs have heard comments to the effect that CAs are useless, CAs make lots of mistakes and/or alter data in certs to avoid requirements, identity in certificates isn’t important, OV certs don’t matter, etc. I disagree 100% with these comments, but it’s hard to oppose them through discussion alone.
In my opinion, the best way for CAs to counter these mis-impressions is to step up and demonstrate the value of public CA certificates by standing behind our products. Over the past decade CAs have continuously improved the security of their certificates through higher and higher standards that we have imposed on ourselves through the CA/Browser Forum, and we deserve some recognition for that. I think it’s time to go further.
The best way for us CAs to show the public the ongoing value of our SSL certs generally in the internet infrastructure is for CAs to retain some portion of our liability for mis-issued certificates, at all levels.
The best way for us to show the public that identity does matter is for us to retain higher levels of potential liability for certs with higher levels of identity verification – so, under Ballot 141, CAs must retain minimum potential liability for DV certs of at least $2,000, for OV certs $5,000, and for EV certs $10,000.
I would point out that most or all software vendors and browsers disclaim 100% of their potential liability to users and the public in their EULAs – even for serious bugs and flaws in the software – so CAs can distinguish themselves in the internet world by standing behind their products and taking on some liability. As a practical matter, there have been few mis-issued certs out of the millions of certs issued each year, so I suspect the potential liability to CAs under Ballot 141 is manageable.
Reasons for Browsers to support Ballot 141
As I said in an earlier email, it should be a no-brainer for Browsers to support Ballot 141, as it creates financial responsibility among CAs and potential recourse for browser users in event of a mis-issued cert that causes harm to browser users.
Is Ballot 141 a potential barrier to entry for new CAs?
In a word, no.
Ballot 141 does not cost a new CA – or an existing CA – one penny. It simply raises the bar on certificate quality – and is only an expansion of current EV Guideline Section 18 which already requires CAs to keep at least $2,000 in potential liability for mis-issued EV certs (that number was set in 2008 or earlier, and is too low today.) EVGL Section 18 has been a requirement for all CAs since 2008, but has not proven to be a barrier to entry for new CAs since that time. (My own CA, AffirmTrust, was formed in 2010, and this requirement was not even a consideration.)
In my mind, a “barrier to entry” is only something that costs a new CA money without delivering any real benefit to anyone. Ballot 141 is not in that category. In fact, the “burden” imposed by Ballot 141 is minimal, and scales in proportion to the number and type of certificates that a new or established CA issues, which is a pretty fair result.
For these reasons, I hope CAs and browsers together will support Ballot 141, and I would still recommend we link these new financial responsibility requirements with any vote on dropping the EV insurance requirements so we can show the public that CAs are not dropping public protection requirements, but are instead increasing them.
Kirk R. Hall
Operations Director, Trust Services
Trend Micro
+1.503.753.3088