[cabfpub] Ballot 121 - EVGL Insurance Requirements

Jeremy Rowley jeremy.rowley at digicert.com
Mon May 5 15:24:07 MST 2014


Eliminating the insurance protection eliminates the potential path to
recovery from a CA who may not have the funds to pay for damages outside of
insurance.  Insurance may not sufficiently cover bankruptcy events but it
does cover events which do not end in the nuclear option.  That's why we
permit self-insured only with a substantial number of assets.

Jeremy

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of kirk_hall at trendmicro.com
Sent: Monday, May 5, 2014 4:11 PM
To: Gervase Markham; public at cabforum.org
Subject: Re: [cabfpub] Ballot 121 - EVGL Insurance Requirements

Gerv - my frustration is that the proponents of keeping the current EVGL
insurance requirements the same have never said "we need to keep the current
insurance requirements because the insurance will cover claims from the
public and customers that may arise from a CA's bad practices".  In fact,
the current insurance requirements are *not* relevant at all to claims from
the public and customers from a bad cert -- and no one has said they are
relevant.  I ran an insurance company for 12 years, so I have some
familiarity with this area.  

There is *no connection* between the current insurance requirements and
responding to claims from the public and customers.  Does anyone on the
listserv disagree with that?

That's why I say the burden is on the people who want to keep the current
insurance requirements to prove they are useful for protecting the public.
If no one will step forward with actual, substantive information, then the
requirement should go.

The only true way to protect the public would be to require CAs to deposit
money or securities with a third party escrow with instructions to use the
money to independently investigate and pay claims...  which is not
insurance.  But that would be expensive and difficult to do, and no one
would support that.

By the way -- the same is (generally) true for browsers -- you don't have
insurance that would directly respond to claims from members of the public
of harm they suffered from using your browser....  Whatever insurance your
browser maintains is solely for the purpose of protecting you, not the
public.

One other point -- eliminating the (meaningless) EVGL insurance requirement
does NOT eliminate any liability a CA may have to the public and to
customers.  That liability would stay EXACTLY the same, so people would be
mistaken in saying elimination of the insurance requirement was a way for
CAs to avoid liability -- far from it, the two are entirely separate.  (If
you fail to pay for auto coverage and then cause an accident, you are still
personally liable for the harm you did and can be sued even though you don't
have insurance.)

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Monday, May 05, 2014 1:21 AM
To: Kirk Hall (RD-US); public at cabforum.org
Subject: Re: [cabfpub] Ballot 121 - EVGL Insurance Requirements



On 02/05/14 16:38, kirk_hall at trendmicro.com wrote:
> Gerv (and all) -- I can already tell you that there is no other 
> insurance that the Forum could require that is designed to protect the 
> public and consumers.  So I won't be able to come up with a 
> replacement for the current (nonsensical) requirements for CGL and E&O 
> coverage, which also don't protect the public or consumers.
> 
> I would say the burden is on the proponents of keeping an insurance 
> requirement to come up with an alternative (but they won't be able to 
> do so).

I think the burden is only on them to come up with an alternative if there
is general agreement that the current insurance requirements are not fit for
purpose. That may indeed be so, but it cannot be established as so by
assertion.

> In the meantime, we should eliminate the current requirement, which 
> has no meaning.  In the one case we know of where insurance might have 
> made a difference to customers (Diginotar), we know the insurer denied 
> all coverage because of Diginotar's bad acts, and the Dutch bankruptcy 
> court agreed with the insurer -- no coverage at all to respond to 
> claims.  What other information do we need?

This argument only holds if you think that, in the same position, every CA
would behave like Diginotar did. Do you believe that?

> This doesn't affect my company -- we don't even have to buy insurance 
> under the rules -- but the current rule is very unfair to CAs outside 
> the US, and is really just a pointless barrier for many new CAs.

We are all for eliminating barriers to entry.

I think there's a lot of potential support in the Forum for your position;
it just needs the case made a little more carefully.

The message that abolishing these requirements could send is: "CAs admit
that if something goes wrong, it's not their problem". The way to avoid
sending that message is having a good, written case for why they would never
or very rarely help, and why the cons of their existence outweigh the pros.

One question which may be relevant (although there may be reasons we can't
talk about it): how much do CAs have to pay for insurance to meet this
requirement, that is over and above the insurances they already have or
would choose to have? I know you said for you it's $0.

Gerv

_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public