[cabfpub] Breach Insurance

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Mon Dec 22 19:32:39 UTC 2014


Moudrick -- under ETSI and national law, it sounds like a CA must have insurance and/or minimum capital to issue Qualified Certificates (including EV Qualified Certificates?).

Can you tell me -- do the ETSI/national government requirements for insurance and/or minimum capital apply also to CAs who only issue SSL certificates (and not Qualified Certificates)?  

Or are the requirements limited to CAs that issue SSL certificates only?

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Moudrick M. Dadashov
Sent: Monday, December 22, 2014 10:09 AM
To: Gervase Markham; Stephen Davidson; Ben Wilson; i-barreira at izenpe.net; Dean_Coclin at symantec.com; public at cabforum.org
Subject: Re: [cabfpub] Breach Insurance

Sorry for the confusion, Gerv, I was responding to Stephen's skepticism.

In regard to Qualified SSL, Arno and Inigo know this better, but I don't expect any significant shift even if someday today's EVCP becomes Qualified SSL. If they declare it is equal to EV SSL, that means all EVG requirements apply without any exceptions. However, this doesn't prevent them from having extra requirements for Qualified SSL.

Thanks,
M.D.

On 12/22/2014 7:25 PM, Gervase Markham wrote:
> On 22/12/14 17:05, Moudrick M. Dadashov wrote:
>> I'm afraid this is not an accurate assumption, actually the auditors 
>> require ***full*** EVG compliance.
> I'm afraid I don't understand your point.
>
> I am saying that if I decide to have "Gerv EV", which requires all CAs 
> implementing it to change their logos to include a picture of a 
> banana, then there is no requirement whatsoever for the CAB Forum to 
> update the EV Guidelines to make the banana thing a requirement for 
> all CAs. That remains true even if (say) over half of the CAs in the 
> forum choose to implement Gerv EV and so implement the banana-logo requirement.
>
> What I do (or anyone else does) with CAB Forum standards, external to 
> the CAB Forum, cannot force the CAB Forum's hand about what it should do.
>
> Does that make sense?
>
> Gerv
>
>> On 12/22/2014 6:46 PM, Gervase Markham wrote:
>>> On 22/12/14 16:34, Stephen Davidson wrote:
>>>> An observation that may or may not sway your opinion:  the goal of 
>>>> EV was to create uniform requirements across CAs, and this proposal 
>>>> will introduce variation. As I understand it, the "qualified SSL" 
>>>> under eIDAS are likely to be based on EV.  Thus, a "qualified EV" 
>>>> would have an insurance level that "normal EV" may not have.
>>> If other people want to build standards on EV, we aren't going to 
>>> stop them. But if they add additional requirements, we can't let 
>>> that force us to add those requirements also - because otherwise, 
>>> everyone else would be making the CAB Forum's decisions for us.
>>>
>>> Gerv