[cabfpub] Breach Insurance

i-barreira at izenpe.net i-barreira at izenpe.net
Tue Dec 23 15:34:12 UTC 2014


There's a defined qualified certificate for web sites that can or cannot be typed "EV". It's up to the CA to decide, but in any case, being a qualified one, it will have to comply with the liability and insurance requirements set in the regulation according to every national law, so in the end, the majority of the European CAs must have insurance (the quantity is less important, but more or less it is very similar in every country; we can collect some info around it) to issue these types of EVs even if the CABF removes the requirement.
I'm not saying not to drop the requirement, just that some of us will still need to pay for insurance for issuing SSL EV certs.

Regarding ETSI, this is taken into account because of the regulation for those "qualified" ones.

Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.net

-----Original Message-----
From: Moudrick M. Dadashov [mailto:md at ssc.lt]
Sent: Monday, 22 December 2014 19:09
To: Gervase Markham; Stephen Davidson; Ben Wilson; Barreira Iglesias, Iñigo; Dean_Coclin at symantec.com; public at cabforum.org
Subject: Re: [cabfpub] Breach Insurance

Sorry for the confusion, Gerv, I was responding to Stephen's skepticism.

In regard to Qualified SSL, Arno and Inigo know this better, but I don't
expect any significant shift even if someday today's EVCP becomes
Qualified SSL. If they declare it is equal to EV SSL, that means all EVG
requirements apply without any exceptions. However, this doesn't prevent
them from having extra requirements for Qualified SSL.


On 12/22/2014 7:25 PM, Gervase Markham wrote:
> On 22/12/14 17:05, Moudrick M. Dadashov wrote:
>> I'm afraid this is not an accurate assumption, actually the auditors
>> require ***full*** EVG compliance.
> I'm afraid I don't understand your point.
> I am saying that if I decide to have "Gerv EV", which requires all CAs
> implementing it to change their logos to include a picture of a banana,
> then there is no requirement whatsoever for the CAB Forum to update the
> EV Guidelines to make the banana thing a requirement for all CAs. That
> remains true even if (say) over half of the CAs in the forum choose to
> implement Gerv EV and so implement the banana-logo requirement.
> What I do (or anyone else does) with CAB Forum standards, external to
> the CAB Forum, cannot force the CAB Forum's hand about what it should do.
> Does that make sense?
> Gerv
>> On 12/22/2014 6:46 PM, Gervase Markham wrote:
>>> On 22/12/14 16:34, Stephen Davidson wrote:
>>>> An observation that may or may not sway your opinion:  the goal of EV
>>>> was to create uniform requirements across CAs, and this proposal will
>>>> introduce variation. As I understand it, the "qualified SSL" under
>>>> eIDAS are likely to be based on EV.  Thus, a "qualified EV" would
>>>> have an insurance level that "normal EV" may not have.
>>> If other people want to build standards on EV, we aren't going to stop
>>> them. But if they add additional requirements, we can't let that force
>>> us to add those requirements also - because otherwise, everyone else
>>> would be making the CAB Forum's decisions for us.
>>> Gerv