[cabfpub] Ballot 121 (insurance)
Moudrick M. Dadashov
md at ssc.lt
Thu Jun 5 10:42:42 UTC 2014
Hi,
looks like we are not alone on this planet:
http://www.tripwire.com/state-of-security/featured/who-should-insure-the-nations-critical-infrastructure/
Is EV SSL issuance a part of NCI?
Thanks,
M.D.
On 6/3/2014 4:43 AM, Ben Wilson wrote:
> Thanks, Moudrick, Kirk and Iñigo,
>
> For those who haven't looked up this ETSI document, Section 7.5 says,
> "(d) Adequate arrangements to cover liabilities arising from its
> operations and/or activities; (e) Financial stability and resources
> required to operate in conformity with this policy; and (f) Policies
> and procedures for the resolution of complaints and disputes received
> from customers or other parties about the provisioning of electronic
> trust services." This appears to be based, somewhat, on the liability
> structure set up in Art. 6 of EU Directive 1999/93/EC and
> subsection (h) of Annex II,
> http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31999L0093,
> the latter of which reads, "(h) maintain sufficient financial
> resources to operate in conformity with the requirements laid down in
> the Directive, in particular to bear the risk of liability for
> damages, for example, by obtaining appropriate insurance;"
>
> CAs are supposed to address their responsibility under Art. 6. This
> can be written in their CP/CPS either under Section 2.3 (RFC 2527) or
> Section 9.2 (RFC 3647) -- maybe more explicit requirements in the BRs
> are needed about what must be written in those sections? Also, I see
> that "risk" is noted in Annex II, but not in section 7.5 (too hard to
> audit?), an insurance or financial stability requirement is a much
> easier way to address risks to third parties than other methods, and
> it more fairly distributes the loss potential. See e.g.
> http://www.egov.ufsc.br/portal/sites/default/files/anexos/27548-27558-1-PB.pdf
>
>
> According to
> http://www.law.uni-sofia.bg/Kat/T/IP/T/ES/DocLib/The%20Legal%20and%20Market%20Aspects%20of%20Electronic%20Signatures.pdf
> most EU countries have simply copied this text from Annex II into
> their own laws without further requirements. However, some, like
> Spain, have set forth specific insurance amounts for "insurance
> coverage or other guarantees for third parties acting in good faith
> when it fails to comply with the obligations imposed by Ley 59/2003,
> de 19 de diciembre, de Firma Electrónica" - from what I can tell, the
> amount is 3 million Euros.
> http://www.boe.es/boe/dias/2003/12/20/pdfs/A45329-45343.pdf So,
> in order to be more fair to non-US CAs, what about that 3-million-Euro
> amount instead that just said "third party cyber coverage"? (I have
> Betterley's 2014 Cyber Insurance Report that I can use to create a
> definition of "third party cyber coverage".) Given the facts above, I
> can't see any reason to replace our objective rule with something as
> subjective as "adequate arrangements" or "sufficient financial
> resources," which are subjective and impossible to audit, let alone
> eliminate it altogether.
>
> Financial stability is a key component of being a CA, especially one
> that issues Extended Validation certificates. It certainly seems that
> any European CA wanting to issue the "qualified website" equivalent of
> an EV certificate will have to meet Art 6 / Annex II requirements in
> any event.
>
> Also, we require insurance for banks and automobile owners/drivers.
> Not for first-party coverage, but for third-party coverage--we do not
> want innocent third parties left holding the bag--it's what economists
> call "negative externality". Banks, for example, have great
> security, but they also have to handle the risk that all of that
> security won't protect against everything--nothing works perfectly
> 100%. Banks are required by regulators to have financial reserves,
> deposit insurance, and other risk-mitigating processes. See
> http://edoc.ub.uni-muenchen.de/5628/1/Mikkonen_Katri.pdf Under the EU
> Directive on capital adequacy of investment ...firms and credit
> institutions, this means coverage of EUR 20 000 for each depositor,
> minimum start-up-capital of EUR 5 million, and then ongoing solvency
> ratios per Basel requirements.
>
> Ben
>
>
>
>
> On 6/2/2014 1:40 AM, i-barreira at izenpe.net wrote:
>>
>> Hi,
>>
>> The TS 102 042 is the one for EV and BR certs and also indicates in
>> 7.5 what Mou has stated.
>>
>> This "control" was included to let the CA to set the requirements
>> appropriate to its needs and according to national legislation.
>>
>> Regards
>>
>> *Iñigo Barreira*
>> Head of the Technical Area
>> i-barreira at izenpe.net
>>
>> 945067705
>>
>> WARNING! Part or all of this message may be legally protected. The
>> message has an intended recipient. If it has reached the wrong
>> address (misspelled address, failed transmission), notify the sender
>> by replying to this e-mail. CAUTION!
>> ATTENTION! This message contains privileged or confidential
>> information that only the addressee is entitled to access. If you
>> have received it in error, we would be grateful if you did not use
>> the information and contacted the sender.
>>
>> *From:* public-bounces at cabforum.org
>> *On behalf of* Moudrick M. Dadashov
>> *Sent:* Saturday, 31 May 2014 2:30
>> *To:* ben at digicert.com; kirk_hall at trendmicro.com; 'Gervase
>> Markham'; 'public >> CABFPub'
>> *Subject:* Re: [cabfpub] Ballot 121 (insurance)
>>
>> On 5/31/2014 2:46 AM, Ben Wilson wrote:
>>
>> Do you have a proposal that addresses the concerns about financial
>> stability?
>>
>> Please see ETSI TS 101 456 V1.4.3 section 7.5 specifically points d),
>> e) and f) - IMO they are close to what you are looking for.
>>
>> As a standardization body ETSI doesn't set its requirements in terms
>> of absolute amounts, this is left to implementers - in this case to
>> MS Governments.
>>
>> FYI:
>> http://www.etsi.org/deliver/etsi_ts/101400_101499/101456/01.04.03_60/ts_101456v010403p.pdf
>>
>> Given the fact that EVG is incorporated into ETSI "as is", I see
>> potential conflict between the two approaches.
>>
>> Thanks.
>> M.D.
>>
>>
>>
>>
>> -----Original Message-----
>> From: kirk_hall at trendmicro.com
>> Sent: Friday, May 30, 2014 5:20 PM
>> To: ben at digicert.com; 'Gervase Markham'; 'public >> CABFPub'
>> Subject: RE: [cabfpub] Ballot 121 (insurance)
>>
>> Ben -- as I indicated to the EV Working Group in an email recently, I have
>> definitely changed my mind about the EVGL insurance requirement based on my
>> own experience in starting AffirmTrust in 2010. (As a reminder to all,
>> AffirmTrust was acquired by Trend Micro in 2011, and Trend is big enough and
>> has a strong enough balance sheet and treasury that under the EVGL we are
>> entirely exempt from the insurance requirements -- so we have no personal
>> stake in this.)
>>
>> While starting my own company, the insurance brokers kept asking me why I
>> wanted the insurance coverages -- they clearly didn't think I needed them --
>> and they warned me that the E&O coverage in particular probably wasn't going
>> to provide me with any meaningful protection for anything (given that it
>> generally doesn't cover contractual liability for a bad cert, return of
>> fees, etc.) So it felt like a very big waste of money.
>>
>> Plus we now know from eight years of experience (plus the anecdotal evidence
>> of Trend Micro's legal counsel from his decade at VeriSign) that there
>> simply aren't claims from customers or relying parties for mis-issued certs
>> and that the need for insurance (even if it did cover the mis-issuance of EV
>> certs) is minimal at best. The one case of catastrophic failure and breach,
>> DigiNotar, apparently resulted in a court ruling that the insurer would be
>> allowed to deny all coverage.
>>
>> When we collectively were brainstorming in 2005-6 to create the first EV
>> Guidelines, we were trying to come up with lots and lots of requirements to
>> try to set EV certs apart from other certs. As I recall, we considered even
>> more complex verification steps for EV to make it similar to the closing of
>> a major corporate transaction (e.g., getting Board of Directors
>> authorizations, Secretary's Certificates, etc.) -- fortunately, common sense
>> prevailed and we slimmed down the requirements so they are very thorough,
>> but achievable.
>>
>> Finally, the Forum has learned through eight years of experience that these
>> insurance requirements are even harder and more expensive for
>> non-US/Canadian CAs to satisfy, and that their brokers also tell them the
>> coverages won't provide them with any meaningful protection. We don't want
>> the EV Guidelines to be weighted in favor of US/Canadian CAs.
>>
>> The Forum hasn't hesitated from changing other EVGL requirements when we
>> think justified -- such as recently allowing the use of the automatic email
>> verification method to upgrade domains to the EV level (using the same
>> verification methods as for DV and OV certs). For the first seven years of
>> the EVGL, we were all required to do manual vetting of domains with a WhoIs
>> lookup and deal with any mis-match of the registration.
>>
>> So for all these reasons, I think Gerv is right and it's time to drop the
>> insurance requirements. Let CAs follow any insurance requirements that
>> their applicable local jurisdiction(s) may impose, but otherwise don't
>> create an additional insurance requirement through the EV Guidelines.
>>
>> Gerv, thanks for sharing your thoughtful and well informed opinion. It
>> really helps.
>>
>> Kirk
>>
>> -----Original Message-----
>> From: public-bounces at cabforum.org On Behalf Of Ben Wilson
>> Sent: Friday, May 30, 2014 3:15 PM
>> To: 'Gervase Markham'; 'public >> CABFPub'
>> Subject: Re: [cabfpub] Ballot 121 (insurance)
>>
>> Gerv and all,
>>
>> If people want to save money, they can stick to issuing DV or OV
>> certificates. EV certificates need to remain different, and this proposed
>> move is contrary to the first goal we all agreed upon when we began working
>> on the guidelines for issuing Extended Validation Certificates, which my
>> notes indicate was to "increase online trust."
>>
>> If the ballot is re-introduced and passes, then CAs will not be required to
>> have insurance for any negligence in issuing or maintaining EV Certificates.
>> It increases the likelihood that another DigiNotar won't be held
>> accountable, and I believe the insurance is currently available at
>> affordable cost, approximately $10,000 per $1 million coverage. I have
>> attached a sample cyber-insurance policy, which is available in similar form
>> from any of the top insurers internationally -- Zurich, ING, AIG, AXA, Allianz,
>> etc.
>>
>> The reintroduction of Ballot 121 also reopens negotiations of 8 years ago,
>> which took place during 2006. For example, attached is Kirk Hall's memo to
>> the group from June 2006 in which he recommends "indemnity insurance
>> coverage (e.g. "errors and omissions," "cyber coverage," "network computer
>> liability," "professional liability," or other similar coverage) for
>> Extended Validation Certificates [in the amount of $10 million]."
>>
>> Opponents of insurance requirements cannot simply erase these historical
>> choices without proposing viable alternatives. (It's always easier to
>> complain and to poke holes at things than to work on real solutions.) And
>> finally, if the EV Guidelines do not contain some form of financial
>> responsibility, then we might as well delete the Section 7 warranties, and
>> the other EV provisions to which they refer, because they will just become
>> empty promises.
>>
>> Ben
>>
>> -----Original Message-----
>> From: public-bounces at cabforum.org On Behalf Of Gervase Markham
>> Sent: Friday, May 30, 2014 12:41 PM
>> To: public >> CABFPub
>> Subject: [cabfpub] Ballot 121 (insurance)
>>
>> I talked to our lawyer this morning. Mozilla is now willing to support the
>> proposal in Ballot 121 (removal of the insurance requirement from the EV
>> Guidelines).
>>
>> We feel that this requirement provides no significant protection in practice
>> for either users, for whom CAs can limit liability to $2000 anyway, or for
>> browsers, for whom clause 18.2 which indemnifies them is much more relevant.
>>
>> We encourage other CAs and browsers to support this ballot also, and let the
>> CAs put the $N,000 saved towards making their products better and/or cheaper
>> for users.
>>
>> Gerv
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public