[cabfpub] Breach Insurance

Richard Wang richard at wosign.com
Fri Dec 19 03:29:46 UTC 2014

Hi all,

When can we have a conclusion for EV insurance issues?  My insurance broker is chasing me to renew 2015 insurance now. I need to decide if we renew it or not.

Best Regards,

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Friday, December 19, 2014 10:07 AM
To: Phillip
Cc: Dean Coclin; CABFPub
Subject: Re: [cabfpub] Breach Insurance


On Dec 18, 2014 5:31 PM, "Phillip Hallam-Baker" <philliph at comodo.com> wrote:
> On Dec 18, 2014, at 6:50 PM, Ryan Sleevi <sleevi at google.com> wrote:
>> Isn't the skin in the game from insurers to ensure that they can find as many ways as possible to disqualify the policy, rather than actually secure the insured?
> I have yet to meet an insurer who will take that approach when issuing a policy.

That is the whole point of actuaries - to determine the risk the insurer takes on and the odds of payment, which is then applied to what the market will purchase and possible reward - at least within the unregulated spheres of insurance.

> Though I will accept that they are likely to do so in the case that a claim is brought. But even that is a losing game in the long run.

I don't know what you envision as "the long run", but if there is a significant portion of short-term gain until the industry figures out what to expect of insurers, any sensible company will take it.

That is, work hard to deny every claim - until you no longer find people willing to purchase/demanding better protections - then offer them.

> The pre-eminent position of Lloyds of London was established by Cuthbert Heath's famous cable in the wake of the 1906 San Francisco earthquake: “pay all of our policyholders in full, irrespective of the terms of their policies”.

And that's great for 1906, but I think it falls far short of being relevant today.

>> After all, the article shows that the Cyberbreach insurance Target had was "useless", inasmuch as the claims were disqualified because of actions of the insured. This is exactly what we saw of DigiNotar as well - the insurance claim was denied because of actions of DigiNotar.
> In the case of DigiNotar it seems that none of the browser providers noticed that the audit did not apply to the WebPKI system so it is hardly surprising that the insurance was not applicable as well.
> One of the reasons for establishing the BR rules is precisely the fact that there was a lot of inconsistency in the application of the rules and uncertainty as to what the rules were or the purpose.
>> Indeed, in the history of events that have done the most to undermine the faith in the CA ecosystem, they have been systemic issues that any insurance agency - especially when looking at large scale liability as proposed by 141 - would seek to use to disqualify the policy and reject the claim.
> If the thieves broke in by picking the lock on the door should we fit a stronger lock or take the door off its hinges and let everyone in?

Yes, but let's not pretend our lovely garden hedge is fit to keep out the Mongolian horde, nor our quarter-meter deep moat enough to keep out foreign legions.

Or, perhaps a more pop-culture reference, let us not assume that from the lack of tiger attacks in Britain that tiger repelling rocks are a sensible mitigation strategy.

> I am not averse to going through a complete redesign of the system of WebPKI controls. But just removing random controls because the purpose is not immediately apparent seems like a very bad approach to me.

No, the purpose is quite apparent. We have had lengthy discussions of purpose, both past and present.

The question is whether the proposal is fit for purpose, or indeed, whether the purpose is relevant to the threats we face and the mitigations we employ.

More to the topic at hand, I think it is entirely relevant to see what examples there are where this insurance was meaningful for any situation similar to the attacks we have seen in the past decade. This is just another example of where the insurance was not meaningful.
