[cabfpub] Ballot 121 (insurance)

[Moudrick M. Dadashov]

Hi,

looks like we are not alone on this planet:

http://www.tripwire.com/state-of-security/featured/who-should-insure-the-nations-critical-infrastructure/

Is EV SSL issuance a part of NCI?

Thanks,
M.D.

On 6/3/2014 4:43 AM, Ben Wilson wrote:
> Thanks, Moudrick, Kirk and Iñigo,
>
> For those who haven't looked up this ETSI document, Section 7.5 says, 
> "(d) Adequate arrangements to cover liabilities arising from its 
> operations and/or activities; (e) Financial stability and resources 
> required to operate in conformity with this policy; and (f) Policies 
> and procedures for the resolution of complaints and disputes received 
> from customers or other parties about the provisioning of electronic 
> trust services."  This appears to be based, somewhat, on the liability 
> structure set up in Art.6  of of EU Directive 1999/93/EC and 
> subsection (h) of Annex II, 
> http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31999L0093, 
> the latter of which reads, "(h) maintain sufficient financial 
> resources to operate in conformity with the requirements laid down in 
> the Directive, in particular to bear the risk of liability for 
> damages, for example, by obtaining appropriate insurance;"
>
> CAs are supposed to address their responsibility under Art. 6. This 
> can be written in their CP/CPS either under Section 2.3 (RFC 2527) or 
> Section 9.2 (RFC 3647) -- maybe more explicit requirements in the BRs 
> are needed about what must be written in those sections?  Also, I see 
> that "risk" is noted in Annex II, but not in section 7.5 (too hard to 
> audit?), an insurance or financial stability requirement is a much 
> easier way to address risks to third parties than other methods, and 
> it more fairly distributes the loss potential.  See e.g. 
> http://www.egov.ufsc.br/portal/sites/default/files/anexos/27548-27558-1-PB.pdf 
>
>
> According to 
> http://www.law.uni-sofia.bg/Kat/T/IP/T/ES/DocLib/The%20Legal%20and%20Market%20Aspects%20of%20Electronic%20Signatures.pdf 
>
> most EU countries have simply copied this text from Annex II into 
> their own laws without further requirements.  However, some, like 
> Spain, have set forth specific insurance amounts for " Cobertura de 
> seguro u otras garantías para los terceros de buena fe cuando incumpla 
> las obligaciones que impone la Ley 59/2003, de 19 de diciembre, de 
> Firma Electrónica" - from what I can tell, the amount is 3 million 
> Euros. http://www.boe.es/boe/dias/2003/12/20/pdfs/A45329-45343.pdf So, 
> in order to be more fair to non-US CAs, what about that 3-million-Euro 
> amount instead that just said "third party cyber coverage"?  (I have 
> Betterley's 2014 Cyber Insurance Report that I can use to create a 
> definition of "third party cyber coverage".) Given the facts above, I 
> can't see any reason to replace our objective rule with something as 
> subjective as "adequate arrangements" or "sufficient financial 
> resources," which are subjective and impossible to audit, let alone 
> eliminate it altogether.
>
> Financial stability is a key component of being a CA, especially one 
> that issues Extended Validation certificates.  It certainly seems that 
> any European CA wanting to issue the "qualified website" equivalent of 
> an EV certificate will have to meet Art 6 / Annex II requirements in 
> any event.
>
> Also, we require insurance for banks and automobile owners/drivers.  
> Not for first-party coverage, but for third-party coverage--we do not 
> want innocent third parties left holding the bag--it's what economists 
> call "negative externality".   Banks, for example, have great 
> security, but they also have to handle the risk that all of that 
> security won't protect against everything--nothing works perfectly 
> 100%.  Banks are required by regulators to have financial reserves, 
> deposit insurance, and other risk-mitigating processes.  See 
> http://edoc.ub.uni-muenchen.de/5628/1/Mikkonen_Katri.pdf Under the EU 
> Directive on capital adequacy of investment ...firms and credit 
> institutions, this means coverage of EUR 20 000 for each depositor, 
> minimum start-up-capital of EUR 5 million, and then ongoing solvency 
> ratios per Basel requirements.
>
> Ben
>
>
>
>
> On 6/2/2014 1:40 AM, i-barreira at izenpe.net wrote:
>>
>> Hi,
>>
>> The TS 102 042 is the one for EV and BR certs and also indicates in 
>> 7.5 what Mou has stated.
>>
>> This "control" was included to let the CA to set the requirements 
>> appropriate to its needs and according to national legislation.
>>
>> Regards
>>
>> *Iñigo Barreira*
>> Responsable del Área técnica
>> i-barreira at izenpe.net <mailto:i-barreira at izenpe.net>
>>
>> 945067705
>>
>> Descripción: cid:image001.png at 01CE3152.B4804EB0
>>
>> ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta 
>> egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada 
>> (helbidea gaizki idatzi, transmisioak huts egin) eman abisu 
>> igorleari, korreo honi erantzuna. KONTUZ!
>> ATENCION! Este mensaje contiene informacion privilegiada o 
>> confidencial a la que solo tiene derecho a acceder el destinatario. 
>> Si usted lo recibe por error le agradeceriamos que no hiciera uso de 
>> la informacion y que se pusiese en contacto con el remitente.
>>
>> *De:*public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] 
>> *En nombre de *Moudrick M. Dadashov
>> *Enviado el:* sábado, 31 de mayo de 2014 2:30
>> *Para:* ben at digicert.com; kirk_hall at trendmicro.com; 'Gervase 
>> Markham'; 'public >> CABFPub'
>> *Asunto:* Re: [cabfpub] Ballot 121 (insurance)
>>
>> On 5/31/2014 2:46 AM, Ben Wilson wrote:
>>
>>     Do you have a proposal that addresses the concerns about financial
>>
>>     stability?
>>
>> Please see ETSI TS 101 456 V1.4.3 section 7.5 specifically points d), 
>> e) and f) - IMO they are close to what you are looking for.
>>
>> As a standardization body ETSI doesn't set its requirements in terms 
>> of absolute amounts, this is left to implementers - in this case to 
>> MS Governments.
>>
>> FYI:
>> http://www.etsi.org/deliver/etsi_ts/101400_101499/101456/01.04.03_60/ts_101456v010403p.pdf
>>
>> Given the fact that EVG is incorporated into ETSI "as is", I see 
>> potential conflict between the two approaches.
>>
>> Thanks.
>> M.D.
>>
>>
>>   
>>   
>> -----Original Message-----
>> From:kirk_hall at trendmicro.com  <mailto:kirk_hall at trendmicro.com>  [mailto:kirk_hall at trendmicro.com]
>> Sent: Friday, May 30, 2014 5:20 PM
>> To:ben at digicert.com  <mailto:ben at digicert.com>; 'Gervase Markham'; 'public >> CABFPub'
>> Subject: RE: [cabfpub] Ballot 121 (insurance)
>>   
>> Ben -- as I indicated to the EV Working Group in an email recently, I have
>> definitely changed my mind about the EVGL insurance requirement based on my
>> own experience in starting AffirmTrust in 2010.  (As a reminder to all,
>> AffirmTrust was acquired by Trend Micro in 2011, and Trend is big enough and
>> has a strong enough balance sheet and treasury that under the EVGL we are
>> entirely exempt from the insurance requirements -- so we have no personal
>> stake in this.)
>>   
>> While starting my own company, the insurance brokers kept asking me why I
>> wanted the insurance coverages -- they clearly didn't think I needed them --
>> and they warned me that the E&O coverage in particular probably wasn't going
>> to provide me with any meaningful protection for anything (given that it
>> generally doesn't cover contractual liability for a bad cert, return of
>> fees, etc.)  So it felt like a very big waste of money.
>>   
>> Plus we now know from eight years of experience (plus the anecdotal evidence
>> of Trend Micro's legal counsel from his decade at VeriSign) that there
>> simply aren't claims from customers or relying parties for mis-issued certs
>> and that the need for insurance (even if it did cover the mis-issuance of EV
>> certs) is minimal at best.  The one case of catastrophic failure and breach,
>> DigiNotar, apparently resulted in a court ruling that the insurer would be
>> allowed to deny all coverage.
>>   
>> When we collectively were brainstorming in 2005-6 to create the first EV
>> Guidelines, we were trying to come up with lots and lots of requirements to
>> try to set EV certs apart from other certs.  As I recall, we considered even
>> more complex verification steps for EV to make it similar to the closing of
>> a major corporate transaction (e.g., getting Board of Directors
>> authorizations, Secretary's Certificates, etc.) -- fortunately, common sense
>> prevailed and we slimmed down the requirements so they are very thorough,
>> but achievable.
>>   
>> Finally, the Forum has learned through eight years of experience that these
>> insurance requirements are even harder and more expensive for
>> non-US/Canadian CAs to satisfy, and that their brokers also tell them the
>> coverages won't provide them with any meaningful protection.  We don't want
>> the EV Guidelines to be weighted in favor of US/Canadian CAs.
>>   
>> The Forum hasn't hesitated from changing other EVGL requirements when we
>> think justified -- such as recently allowing the use of the automatic email
>> verification method to upgrade domains to the EV level (using the same
>> verification methods as for DV and OV certs).  For the first seven years of
>> the EVGL, we were all required to do manual vetting of domains with a WhoIs
>> lookup and deal with any mis-match of the registration.
>>   
>> So for all these reasons, I think Gerv is right and it's time to drop the
>> insurance requirements.   Let CAs follow any insurance requirements that
>> their applicable local jurisdiction(s) may impose, but otherwise don't
>> create an additional insurance requirement through the EV Guidelines.
>>   
>> Gerv, thanks for sharing your thoughtful and well informed opinion.  It
>> really helps.
>>   
>> Kirk
>>   
>> -----Original Message-----
>> From:public-bounces at cabforum.org  <mailto:public-bounces at cabforum.org>  [mailto:public-bounces at cabforum.org] On
>> Behalf Of Ben Wilson
>> Sent: Friday, May 30, 2014 3:15 PM
>> To: 'Gervase Markham'; 'public >> CABFPub'
>> Subject: Re: [cabfpub] Ballot 121 (insurance)
>>   
>> Gerv and all,
>>   
>> If people want to save money, they can stick to issuing DV or OV
>> certificates.  EV certificates need to remain different, and this proposed
>> move is contrary to the first goal we all agreed upon when we began working
>> on the guidelines for issuing Extended Validation Certificates, which my
>> notes indicates was to "increase online trust."
>>   
>> If the ballot is re-introduced and passes, then CAs will not be required to
>> have insurance for any negligence in issuing or maintaining EV Certificates.
>> It increases the likelihood that another Diginotar won't be held
>> accountable, and I believe the insurance is currently available at
>> affordable cost, approximately $10,000 per $1 million coverage.  I have
>> attached a sample cyber-insurance policy, which is available in similar form
>> from any of top insurers internationally-- Zurich, ING, AIG, AXA, Allianz,
>> etc.
>>   
>> The reintroduction of Ballot 121 also reopens negotiations of 8 years ago,
>> which took place during 2006.  For example, attached is Kirk Hall's memo to
>> the group from June 2006 in which he recommends "indemnity insurance
>> coverage (e.g. "errors and omissions," "cyber coverage," "network computer
>> liability," "professional liability," or other similar coverage) for
>> Extended Validation Certificates [in the amount of $10 million]."
>>   
>> Opponents of insurance requirements cannot simply erase these historical
>> choices without proposing viable alternatives.  (It's always easier to
>> complain and to poke holes at things than to work on real solutions.)  And
>> finally, if the EV Guidelines do not contain some form of financial
>> responsibility, then we might as well delete the Section 7 warranties, and
>> the other EV provisions to which they refer, because they will just become
>> empty promises.
>>   
>> Ben
>>   
>> -----Original Message-----
>> From:public-bounces at cabforum.org  <mailto:public-bounces at cabforum.org>  [mailto:public-bounces at cabforum.org] On
>> Behalf Of Gervase Markham
>> Sent: Friday, May 30, 2014 12:41 PM
>> To: public >> CABFPub
>> Subject: [cabfpub] Ballot 121 (insurance)
>>   
>> I talked to our lawyer this morning. Mozilla is now willing to support the
>> proposal in Ballot 121 (removal of the insurance requirement from the EV
>> Guidelines).
>>   
>> We feel that this requirement provides no significant protection in practice
>> for either users, for whom CAs can limit liability to $2000 anyway, or for
>> browsers, for whom clause 18.2 which indemnifies them is much more relevant.
>>   
>> We encourage other CAs and browsers to support this ballot also, and let the
>> CAs put the $N,000 saved towards making their products better and/or cheaper
>> for users.
>>   
>> Gerv
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org  <mailto:Public at cabforum.org>
>> https://cabforum.org/mailman/listinfo/public
>> <table class="TM_EMAIL_NOTICE"><tr><td><pre>
>> TREND MICRO EMAIL NOTICE
>> The information contained in this email and any attachments is confidential
>> and may be subject to copyright or other intellectual property protection.
>> If you are not the intended recipient, you are not authorized to use or
>> disclose this information, and we request that you notify us by reply mail
>> or telephone and delete the original message from your mail system.
>> </pre></td></tr></table>
>>
>>
>>
>>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org  <mailto:Public at cabforum.org>
>> https://cabforum.org/mailman/listinfo/public
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20140605/5eec0052/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 19121 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20140605/5eec0052/attachment-0001.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3663 bytes
Desc: S/MIME Cryptographic Signature
Url : https://cabforum.org/pipermail/public/attachments/20140605/5eec0052/attachment-0001.bin