[cabfpub] Denial of all insurance coverage for Diginotar

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Mon May 5 12:03:53 MST 2014 

Ben – a strong maybe.

On the CGL coverage – probably never would cover a claim from a customer or the public for a bad cert.  CGL insurance covers things like bodily injury, personal injury, advertising injury and property damage – e.g., slip and fall in your office, employee’s torts (hitting other people), etc.

On the Professional Liability/Errors & Omissions – it might cover unintentional negligence by a vetter during issuance of a bad cert, but remember the insurer’s first duty and attempt will be to deny and defeat any claim from the public or a customer in order to protect the insured CA.  First line of defense will be “no duty” to the claimant, second line of defense will be “no causation” – just because the cert was bad does not mean there is any connection to your <alleged> harm as a customer or relying party.  How do we know you saw the cert and relied on it?  Were your own systems secure, or were you also negligent?  Did you reasonably rely on the bad cert when you sent $50,000 for some bitcoins <allegedly> because you thought you were dealing with Mt. Gox and not a fraudster, etc.  Usually the insurance policy coverage limits include defense costs which erode what is left to pay for claims, but an insurer often must defend the CA in order to protect the remaining limits and protect the insured.  Only if it appears the CA will lose at trial will the insurer consider paying money for the claim – so that is the (probably very rare) case where a member of the public or a customer will get paid something from insurance.

Also – these policies usually don’t cover “contract liabilities” like a customer’s cost of buying a replacement cert if the CA’s certs are all bad and revoked (like Diginotar).  So I’m guessing all of Diginotar’s old customers could never have recovered the cost of buying and installing replacement certs from other CAs from Diginotar’s insurer.

Finally, any bad acts will generally destroy the insurance coverage as well – as in Diginotar.

So any protection to customers and the public is illusory, for the most part, and the insurance requirements should be pruned from the EVGL.  For those who say the insurance requirements are good because they force a CA to spend some money and therefore have some “skin in the game” – we could just as well require proof of a charitable contribution of $25,000 per year if the goal is to make CAs spend some money.  I would say the cost of the CA infrastructure and programming, plus the cost of three annual WebTrust/ETSI audits, is sufficient to show seriousness and get some skin in the game.  Plus the current rules are US-centric, and therefore are unfair.

I really resented having to waste money on insurance when AffirmTrust was starting up, given that I knew the coverage had nothing to do with being a CA and would not protect customers or the public.

From: Ben Wilson [mailto:ben at digicert.com]
Sent: Monday, May 05, 2014 10:45 AM
To: 'Richard at WoSign'; Kirk Hall (RD-US); 'Adriano Santoni'; public at cabforum.org
Subject: RE: [cabfpub] Denial of all insurance coverage for Diginotar

So, had Diginotar been more responsive on the breach, taking action early on, there would have been insurance coverage?

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Richard at WoSign
Sent: Sunday, May 04, 2014 6:37 PM
To: kirk_hall at trendmicro.com; Adriano Santoni; CABFPub (public at cabforum.org)
Subject: Re: [cabfpub] Denial of all insurance coverage for Diginotar

Yes, when I consult my insurance broker the each type cert warranty amount, my insurance broker told me that the reparation never happen, so you can write any amount in your website since it the lost really happen it should go to the court and the insurance company will have 100 reason to deny the claim.

Why WoSign  endorse this ballot is NOT for reason that WoSign can’t afford it, we think it don’t bring any benefit to end user and waste the money.


Regards,

Richard

From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com<mailto:kirk_hall at trendmicro.com>
Sent: Monday, May 5, 2014 12:49 AM
To: Adriano Santoni; CABFPub (public at cabforum.org<mailto:public at cabforum.org>)
Subject: Re: [cabfpub] Denial of all insurance coverage for Diginotar

I don’t know.  I do know that (in the US and Canada) all policies have “cooperation,” “duty to report incidents,” and “bad acts” clauses which are conditions to providing any coverage.  If the insured (Diginotar) fails to comply with those contractual provisions, it makes things harder for the insurer to handle any claims (and remember, the first duty of the insurer is to defend the insured and try to defeat the claims, not to pay the claims…  claims are only paid after litigation, etc., so the insurance is not there to help the public or injured customers).

Here, it’s my understanding that the insurer walked away, with the court’s approval, maybe because Diginotar failed to take action early on.

From: Adriano Santoni [mailto:adriano.santoni at staff.aruba.it]
Sent: Saturday, May 03, 2014 11:34 PM
To: Kirk Hall (RD-US); CABFPub (public at cabforum.org<mailto:public at cabforum.org>)
Subject: R: [cabfpub] Denial of all insurance coverage for Diginotar

This automatic translation is rather difficult to understand, to me. Who was the Insurer in this case?


Inviato da Samsung Mobile.

-------- Messaggio originale --------
Da: kirk_hall at trendmicro.com<mailto:kirk_hall at trendmicro.com>
Data:03/05/2014 23:02 (GMT+01:00)
A: "CABFPub (public at cabforum.org<mailto:public at cabforum.org>)"
Oggetto: [cabfpub] Denial of all insurance coverage for Diginotar


Jeremy, in response to your question below -- it was Bob Relyea who found the link during our last CABF meeting stating (in translation) that Diginotar’s insurer denied all coverage, so there was no possibility of any recovery for claims by the public or customers.  See link.  That’s why it makes sense to delete the current coverage requirements.



----- Forwarded Message -----

From: Bob Relyea <bob at relyea.com<mailto:bob at relyea.com>>

To: Robert Relyea <rrelyea at redhat.com<mailto:rrelyea at redhat.com>>

Sent: Wed, 19 Feb 2014 15:29:26 -0500 (EST)

Subject: Diginotar



http://translate.google.com/translate?hl=en&sl=nl&u=http://webwereld.nl/beveiliging/77898-curator-diginotar-haalt-bakzeil-in-zaak-tegen-opta&prev=/search%3Fq%3Ddiginotar%2Bcurator%26biw%3D1280%26bih%3D775





-----Original Message-----
From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
Sent: Friday, May 02, 2014 9:00 AM
To: Kirk Hall (RD-US); 'Gervase Markham'; public at cabforum.org<mailto:public at cabforum.org>
Subject: RE: [cabfpub] Ballot 121 - EVGL Insurance Requirements



Can you please send a link to the info about DigiNotar.  This is the first I've heard that the insurance company didn't have to pay anything to damaged end users and would like to investigate further.  My guess is that the claims were not being brought by the right party.







TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential

and may be subject to copyright or other intellectual property protection.

If you are not the intended recipient, you are not authorized to use or

disclose this information, and we request that you notify us by reply mail or

telephone and delete the original message from your mail system.






TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential

and may be subject to copyright or other intellectual property protection.

If you are not the intended recipient, you are not authorized to use or

disclose this information, and we request that you notify us by reply mail or

telephone and delete the original message from your mail system.




<table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20140505/6d23f7a5/attachment-0001.html

More information about the Public mailing list