[cabfpub] Breach Insurance

Ryan Sleevi sleevi at google.com
Fri Dec 19 02:07:06 UTC 2014

On Dec 18, 2014 5:31 PM, "Phillip Hallam-Baker" <philliph at comodo.com> wrote:
> On Dec 18, 2014, at 6:50 PM, Ryan Sleevi <sleevi at google.com> wrote:
>> Isn't the skin in the game from insurers to ensure that they can find as
>> many ways as possible to disqualify the policy, rather than actually secure
>> the insured?
> I have yet to meet an insurer who will take that approach when issuing a

That is the whole point of actuaries - to determine the risk the insurer
takes on and the odds of payment, which is then applied to what the market
will purchase and possible reward - at least within the unregulated spheres
of insurance.

> Though I will accept that they are likely to do so in the case that a
> claim is brought. But even that is a losing game in the long run.

I don't know what you envision as "the long run", but if there is a
significant portion of short-term gain until the industry figures out what
to expect of insurers, any sensible company will take it.

That is, work hard to deny every claim - until you no longer find people
willing to purchase/demanding better protections - then offer them.

> The pre-eminent position of Lloyds of London was established by Cuthbert
> Heath's famous cable in the wake of the 1906 San Francisco earthquake: “pay
> all of our policyholders in full, irrespective of the terms of their

And that's great for 1906, but I think it falls far short of being relevant

>> After all, the article shows that the Cyberbreach insurance Target had
>> was "useless", in as much as the claims were disqualified because of
>> actions of the insured. This is exactly what we saw of DigiNotar as well -
>> the insurance claim was denied because of actions of DigiNotar
> In the case of DigiNotar it seems that none of the browser providers
> noticed that the audit did not apply to the WebPKI system so it is hardly
> surprising that the insurance was not applicable as well.
> One of the reasons for establishing the BR rules is precisely the fact
> that there was a lot of inconsistency in the application of the rules and
> uncertainty as to what the rules were or the purpose.
>> Indeed, in the history of events that have done the most to undermine
>> the faith in the CA ecosystem, they have been systemic issues that any
>> insurance agency - especially when looking at large scale liability as
>> proposed by 141 - would seek to use to disqualify the policy and reject the
> If the thieves broke in by picking the lock on the door should we fit a
> stronger lock or take the door off its hinges and let everyone in?

Yes, but let's not pretend our lovely garden hedge is fit to keep out the
Mongolian horde, nor our quarter-meter deep moat enough to keep out foreign

Or, perhaps a more pop-culture reference, let us not assume that from the
lack of tiger attacks in Britain that tiger repelling rocks are a sensible
mitigation strategy.

> I am not averse to going through a complete redesign of the system of
> WebPKI controls. But just removing random controls because the purpose is
> not immediately apparent seems like a very bad approach to me.

No, the purpose is quite apparent. We have had lengthy discussions of
purpose, both past and present.

The question is whether the proposal is fit for purpose, or indeed, whether
the purpose is relevant to the threats we face and the mitigations we

More to the topic at hand, I think it is entirely relevant to see what
examples there are where this insurance was meaningful for any situation
similar to the attacks we have seen in the past decade. This is just
another example of where the insurance was not meaningful.