[cabfpub] Ballot 121 - EVGL Insurance Requirements

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Mon May 5 15:10:42 MST 2014

Gerv - my frustration is that the proponents of keeping the current EVGL insurance requirements the same have never said "we need to keep the current insurance requirements because the insurance will cover claims from the public and customers that may arise from a CA's bad practices".  In fact, the current insurance requirements are *not* relevant at all to claims from the public and customers from a bad cert -- and no one has said they are relevant.  I ran an insurance company for 12 years, so I have some familiarity with this area.  

There is *no connection* between the current insurance requirements and responding to claims from the public and customers.  Does anyone on the listserv disagree with that?

That's why I say the burden is on the people who want to keep the current insurance requirements to prove they are useful for protecting the public.  If no one will step forward with actual, substantive information, then the requirement should go.

The only true way to protect the public would be to require CAs to deposit money or securities with a third party escrow with instructions to use the money to independently investigate and pay claims...  which is not insurance.  But that would be expensive and difficult to do, and no one would support that.

By the way -- the same is (generally) true for browsers -- you don't have insurance that would directly respond to claims from members of the public of harm they suffered from using your browser....  Whatever insurance your browser maintains is solely for the purpose of protecting you, not the public.

One other point -- eliminating the (meaningless) EVGL insurance requirement does NOT eliminate any liability a CA may have to the public and to customers.  That liability would stay EXACTLY the same, so people would be mistaken in saying elimination of the insurance requirement was a way for CAs to avoid liability -- far from it, the two are entirely separate.  (If you fail to pay for auto coverage and then cause an accident, you are still personally liable for the harm you did and can be sued even though you don't have insurance.)

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Monday, May 05, 2014 1:21 AM
To: Kirk Hall (RD-US); public at cabforum.org
Subject: Re: [cabfpub] Ballot 121 - EVGL Insurance Requirements

On 02/05/14 16:38, kirk_hall at trendmicro.com wrote:
> Gerv (and all) -- I can already tell you that there is no other 
> insurance that the Forum could require that is designed to protect the 
> public and consumers.  So I won't be able to come up with a 
> replacement for the current (nonsensical) requirements for CGL and E&O 
> coverage, which also don't protect the public or consumers.
> I would say the burden is on the proponents of keeping an insurance 
> requirement to come up with an alternative (but they won't be able to 
> do so).

I think the burden is only on them to come up with an alternative if there is general agreement that the current insurance requirements are not fit for purpose. That may indeed be so, but it cannot be established as so by assertion.

> In the meantime, we should eliminate the current requirement, which 
> has no meaning.  In the one case we know of where insurance might have 
> made a difference to customers (Diginotar), we know the insurer denied 
> all coverage because of Diginotar's bad acts, and the Dutch bankruptcy 
> court agreed with the insurer -- no coverage at all to respond to 
> claims.  What other information do we need?

This argument only holds if you think that, in the same position, every CA would behave like Diginotar did. Do you believe that?

> This doesn't affect my company -- we don't even have to buy insurance 
> under the rules -- but the current rule is very unfair to CAs outside 
> the US, and is really just a pointless barrier for many new CAs.

We are all for eliminating barriers to entry.

I think there's a lot of potential support in the Forum for your position; it just needs the case made a little more carefully.

The message that abolishing these requirements could send is: "CAs admit that if something goes wrong, it's not their problem". The way to avoid sending that message is having a good, written case for why they would never or very rarely help, and why the cons of their existence outweigh the pros.

One question which may be relevant (although there may be reasons we can't talk about it): how much do CAs have to pay for insurance to meet this requirement, that is over and above the insurances they already have or would choose to have? I know you said for you it's $0.

