[cabfpub] Ballot 121 (insurance)
Moudrick M. Dadashov
md at ssc.lt
Mon Jun 9 20:34:35 UTC 2014
Thanks, Rick
Just to summarize where we are now, I see four different approaches:
1) Leave it as is;
2) State a "business" requirement that potentially can be resolved by
appropriate insurance provisions (no absolute figures, ETSI style);
3) Ballot 121;
4) Decrease existing absolute figures; how about 3 mln. Euro, ok?
Obviously 3) can be combined with 2) but not with 1) or 3).
Also worth mentioning, for some CAs insurance is a measure of "product
quality", if we eliminate it, those CAs may have a negative "side effect".
To my surprise PCI DSS doesn't state any direct insurance requirements.
Any other ideas?
Thanks,
M.D.
On 6/9/2014 10:49 PM, Rick Andrews wrote:
>
> A Timely article (pun intended):
>
> Cyberattack Insurance a Challenge for Business
>
> http://nyti.ms/1oLGfqR
>
> -Rick
>
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
> Sent: Thursday, June 05, 2014 5:55 AM
> To: 'Moudrick M. Dadashov'; i-barreira at izenpe.net; kirk_hall at trendmicro.com; gerv at mozilla.org; public at cabforum.org
> Subject: Re: [cabfpub] Ballot 121 (insurance)
>
> Thanks. Let's keep this discussion moving toward an amendment that
> provides a more reasonable, but objective, uniform, and auditable
> standard to be applied and implemented globally to address cyber risks
> and reduce potential loss to third parties. I've found about 100
> academic papers that mention cyber insurance and about 200 web pages
> in the .com space that discuss cyber coverage. I'm sifting through
> those now. I'm happy to make them available to anyone who wants to
> participate in this review.
>
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Moudrick M. Dadashov
> Sent: Thursday, June 5, 2014 4:43 AM
> To: Ben Wilson; i-barreira at izenpe.net; kirk_hall at trendmicro.com; gerv at mozilla.org; public at cabforum.org
> Subject: Re: [cabfpub] Ballot 121 (insurance)
>
> Hi,
>
> looks like we are not alone on this planet:
>
> http://www.tripwire.com/state-of-security/featured/who-should-insure-the-nations-critical-infrastructure/
>
> Is EV SSL issuance a part of NCI?
>
> Thanks,
> M.D.
>
> On 6/3/2014 4:43 AM, Ben Wilson wrote:
>
> Thanks, Moudrick, Kirk and Iñigo,
>
> For those who haven't looked up this ETSI document, Section 7.5
> says, "(d) Adequate arrangements to cover liabilities arising from
> its operations and/or activities; (e) Financial stability and
> resources required to operate in conformity with this policy; and
> (f) Policies and procedures for the resolution of complaints and
> disputes received from customers or other parties about the
> provisioning of electronic trust services." This appears to be
> based, somewhat, on the liability structure set up in Art. 6 of
> EU Directive 1999/93/EC and subsection (h) of Annex II,
> http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31999L0093,
> the latter of which reads, "(h) maintain sufficient financial
> resources to operate in conformity with the requirements laid down
> in the Directive, in particular to bear the risk of liability for
> damages, for example, by obtaining appropriate insurance;"
>
> CAs are supposed to address their responsibility under Art. 6.
> This can be written in their CP/CPS either under Section 2.3 (RFC
> 2527) or Section 9.2 (RFC 3647) -- maybe more explicit
> requirements in the BRs are needed about what must be written in
> those sections? Also, I see that "risk" is noted in Annex II, but
> not in section 7.5 (too hard to audit?); an insurance or financial
> stability requirement is a much easier way to address risks to
> third parties than other methods, and it more fairly distributes
> the loss potential. See e.g.
> http://www.egov.ufsc.br/portal/sites/default/files/anexos/27548-27558-1-PB.pdf
>
>
> According to
> http://www.law.uni-sofia.bg/Kat/T/IP/T/ES/DocLib/The%20Legal%20and%20Market%20Aspects%20of%20Electronic%20Signatures.pdf
>
> most EU countries have simply copied this text from Annex II into
> their own laws without further requirements. However, some, like
> Spain, have set forth specific insurance amounts for "Insurance
> coverage or other guarantees for third parties acting in good faith when
> it breaches the obligations imposed by Ley 59/2003, de 19 de
> diciembre, de Firma Electrónica" - from what I can tell, the
> amount is 3 million Euros.
> http://www.boe.es/boe/dias/2003/12/20/pdfs/A45329-45343.pdf So, in
> order to be more fair to non-US CAs, what about that
> 3-million-Euro amount instead that just said "third party cyber
> coverage"? (I have Betterley's 2014 Cyber Insurance Report that I
> can use to create a definition of "third party cyber coverage".)
> Given the facts above, I can't see any reason to replace our
> objective rule with something as subjective as "adequate
> arrangements" or "sufficient financial resources," which are
> subjective and impossible to audit, let alone eliminate it altogether.
>
> Financial stability is a key component of being a CA, especially
> one that issues Extended Validation certificates. It certainly
> seems that any European CA wanting to issue the "qualified
> website" equivalent of an EV certificate will have to meet Art 6 /
> Annex II requirements in any event.
>
> Also, we require insurance for banks and automobile
> owners/drivers. Not for first-party coverage, but for third-party
> coverage--we do not want innocent third parties left holding the
> bag--it's what economists call "negative externality". Banks,
> for example, have great security, but they also have to handle the
> risk that all of that security won't protect against
> everything--nothing works perfectly 100%. Banks are required by
> regulators to have financial reserves, deposit insurance, and
> other risk-mitigating processes. See
> http://edoc.ub.uni-muenchen.de/5628/1/Mikkonen_Katri.pdf Under the
> EU Directive on capital adequacy of investment ...firms and credit
> institutions, this means coverage of EUR 20 000 for each
> depositor, minimum start-up-capital of EUR 5 million, and then
> ongoing solvency ratios per Basel requirements.
>
> Ben
>
>
> On 6/2/2014 1:40 AM, i-barreira at izenpe.net wrote:
>
> Hi,
>
> The TS 102 042 is the one for EV and BR certs and also
> indicates in 7.5 what Mou has stated.
>
> This "control" was included to let the CA to set the
> requirements appropriate to its needs and according to
> national legislation.
>
> Regards
>
> Iñigo Barreira
> Head of the Technical Area
> i-barreira at izenpe.net
>
> 945067705
>
>
> ATTENTION! Part or all of this message may be legally protected. The
> message is intended for its addressee only. If it has reached the wrong
> address (address mistyped, transmission failure), notify the sender by
> replying to this e-mail. CAUTION!
> ATTENTION! This message contains privileged or confidential information
> that only the addressee is entitled to access. If you receive it in
> error, we would be grateful if you did not make use of the information
> and contacted the sender.
>
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Moudrick M. Dadashov
> Sent: Saturday, 31 May 2014 2:30
> To: ben at digicert.com; kirk_hall at trendmicro.com; 'Gervase Markham'; 'public >> CABFPub'
> Subject: Re: [cabfpub] Ballot 121 (insurance)
>
> On 5/31/2014 2:46 AM, Ben Wilson wrote:
>
> Do you have a proposal that addresses the concerns about financial
> stability?
>
> Please see ETSI TS 101 456 V1.4.3 section 7.5 specifically
> points d), e) and f) - IMO they are close to what you are
> looking for.
>
> As a standardization body, ETSI doesn't set its requirements in
> terms of absolute amounts; this is left to implementers - in
> this case to MS Governments.
>
> FYI:
> http://www.etsi.org/deliver/etsi_ts/101400_101499/101456/01.04.03_60/ts_101456v010403p.pdf
>
> Given the fact that EVG is incorporated into ETSI "as is", I
> see potential conflict between the two approaches.
>
> Thanks.
> M.D.
>
> -----Original Message-----
> From: kirk_hall at trendmicro.com [mailto:kirk_hall at trendmicro.com]
> Sent: Friday, May 30, 2014 5:20 PM
> To: ben at digicert.com; 'Gervase Markham'; 'public >> CABFPub'
> Subject: RE: [cabfpub] Ballot 121 (insurance)
>
> Ben -- as I indicated to the EV Working Group in an email recently, I have
> definitely changed my mind about the EVGL insurance requirement based on my
> own experience in starting AffirmTrust in 2010. (As a reminder to all,
> AffirmTrust was acquired by Trend Micro in 2011, and Trend is big enough and
> has a strong enough balance sheet and treasury that under the EVGL we are
> entirely exempt from the insurance requirements -- so we have no personal
> stake in this.)
>
> While starting my own company, the insurance brokers kept asking me why I
> wanted the insurance coverages -- they clearly didn't think I needed them --
> and they warned me that the E&O coverage in particular probably wasn't going
> to provide me with any meaningful protection for anything (given that it
> generally doesn't cover contractual liability for a bad cert, return of
> fees, etc.). So it felt like a very big waste of money.
>
> Plus we now know from eight years of experience (plus the anecdotal evidence
> of Trend Micro's legal counsel from his decade at VeriSign) that there
> simply aren't claims from customers or relying parties for mis-issued certs
> and that the need for insurance (even if it did cover the mis-issuance of EV
> certs) is minimal at best. The one case of catastrophic failure and breach,
> DigiNotar, apparently resulted in a court ruling that the insurer would be
> allowed to deny all coverage.
>
> When we collectively were brainstorming in 2005-6 to create the first EV
> Guidelines, we were trying to come up with lots and lots of requirements to
> try to set EV certs apart from other certs. As I recall, we considered even
> more complex verification steps for EV to make it similar to the closing of
> a major corporate transaction (e.g., getting Board of Directors
> authorizations, Secretary's Certificates, etc.) -- fortunately, common sense
> prevailed and we slimmed down the requirements so they are very thorough,
> but achievable.
>
> Finally, the Forum has learned through eight years of experience that these
> insurance requirements are even harder and more expensive for
> non-US/Canadian CAs to satisfy, and that their brokers also tell them the
> coverages won't provide them with any meaningful protection. We don't want
> the EV Guidelines to be weighted in favor of US/Canadian CAs.
>
> The Forum hasn't hesitated to change other EVGL requirements when we
> think it justified -- such as recently allowing the use of the automatic email
> verification method to upgrade domains to the EV level (using the same
> verification methods as for DV and OV certs). For the first seven years of
> the EVGL, we were all required to do manual vetting of domains with a WhoIs
> lookup and deal with any mis-match of the registration.
>
> So for all these reasons, I think Gerv is right and it's time to drop the
> insurance requirements. Let CAs follow any insurance requirements that
> their applicable local jurisdiction(s) may impose, but otherwise don't
> create an additional insurance requirement through the EV Guidelines.
>
> Gerv, thanks for sharing your thoughtful and well-informed opinion. It
> really helps.
>
> Kirk
>
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Ben Wilson
> Sent: Friday, May 30, 2014 3:15 PM
> To: 'Gervase Markham'; 'public >> CABFPub'
> Subject: Re: [cabfpub] Ballot 121 (insurance)
>
> Gerv and all,
>
> If people want to save money, they can stick to issuing DV or OV
> certificates. EV certificates need to remain different, and this proposed
> move is contrary to the first goal we all agreed upon when we began working
> on the guidelines for issuing Extended Validation Certificates, which my
> notes indicate was to "increase online trust."
>
> If the ballot is re-introduced and passes, then CAs will not be required to
> have insurance for any negligence in issuing or maintaining EV Certificates.
> It increases the likelihood that another DigiNotar won't be held
> accountable, and I believe the insurance is currently available at
> affordable cost, approximately $10,000 per $1 million coverage. I have
> attached a sample cyber-insurance policy, which is available in similar form
> from any of the top insurers internationally -- Zurich, ING, AIG, AXA, Allianz,
> etc.
>
> The reintroduction of Ballot 121 also reopens negotiations of 8 years ago,
> which took place during 2006. For example, attached is Kirk Hall's memo to
> the group from June 2006 in which he recommends "indemnity insurance
> coverage (e.g. "errors and omissions," "cyber coverage," "network computer
> liability," "professional liability," or other similar coverage) for
> Extended Validation Certificates [in the amount of $10 million]."
>
> Opponents of insurance requirements cannot simply erase these historical
> choices without proposing viable alternatives. (It's always easier to
> complain and to poke holes at things than to work on real solutions.) And
> finally, if the EV Guidelines do not contain some form of financial
> responsibility, then we might as well delete the Section 7 warranties, and
> the other EV provisions to which they refer, because they will just become
> empty promises.
>
> Ben
>
>
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Gervase Markham
> Sent: Friday, May 30, 2014 12:41 PM
> To: public >> CABFPub
> Subject: [cabfpub] Ballot 121 (insurance)
>
> I talked to our lawyer this morning. Mozilla is now willing to support the
> proposal in Ballot 121 (removal of the insurance requirement from the EV
> Guidelines).
>
> We feel that this requirement provides no significant protection in practice
> for either users, for whom CAs can limit liability to $2000 anyway, or for
> browsers, for whom clause 18.2 which indemnifies them is much more relevant.
>
> We encourage other CAs and browsers to support this ballot also, and let the
> CAs put the $N,000 saved towards making their products better and/or cheaper
> for users.
>
> Gerv
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
> TREND MICRO EMAIL NOTICE
> The information contained in this email and any attachments is confidential
> and may be subject to copyright or other intellectual property protection.
> If you are not the intended recipient, you are not authorized to use or
> disclose this information, and we request that you notify us by reply mail
> or telephone and delete the original message from your mail system.
>