[cabfpub] Ballot 121 (insurance)
Ben Wilson
ben at digicert.com
Fri May 30 15:15:15 MST 2014
Gerv and all,
If people want to save money, they can stick to issuing DV or OV
certificates. EV certificates need to remain different, and this proposed
move is contrary to the first goal we all agreed upon when we began working
on the guidelines for issuing Extended Validation Certificates, which my
notes indicates was to "increase online trust."
If the ballot is re-introduced and passes, then CAs will not be required to
have insurance for any negligence in issuing or maintaining EV Certificates.
It increases the likelihood that another Diginotar won't be held
accountable, and I believe the insurance is currently available at
affordable cost, approximately $10,000 per $1 million coverage. I have
attached a sample cyber-insurance policy, which is available in similar form
from any of top insurers internationally-- Zurich, ING, AIG, AXA, Allianz,
etc.
The reintroduction of Ballot 121 also reopens negotiations of 8 years ago,
which took place during 2006. For example, attached is Kirk Hall's memo to
the group from June 2006 in which he recommends "indemnity insurance
coverage (e.g. "errors and omissions," "cyber coverage," "network computer
liability," "professional liability," or other similar coverage) for
Extended Validation Certificates [in the amount of $10 million]."
Opponents of insurance requirements cannot simply erase these historical
choices without proposing viable alternatives. (It's always easier to
complain and to poke holes at things than to work on real solutions.) And
finally, if the EV Guidelines do not contain some form of financial
responsibility, then we might as well delete the Section 7 warranties, and
the other EV provisions to which they refer, because they will just become
empty promises.
Ben
-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Gervase Markham
Sent: Friday, May 30, 2014 12:41 PM
To: public >> CABFPub
Subject: [cabfpub] Ballot 121 (insurance)
I talked to our lawyer this morning. Mozilla is now willing to support the
proposal in Ballot 121 (removal of the insurance requirement from the EV
Guidelines).
We feel that this requirement provides no significant protection in practice
for either users, for whom CAs can limit liability to $2000 anyway, or for
browsers, for whom clause 18.2 which indemnifies them is much more relevant.
We encourage other CAs and browsers to support this ballot also, and let the
CAs put the $N,000 saved towards making their products better and/or cheaper
for users.
Gerv
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Security-Failure-Claims-Made-and-Reported-Policy.pdf
Type: application/pdf
Size: 93219 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20140530/afd922de/attachment-0002.pdf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Sec.9-FinancialResponsibilityRequirements6-12-06-0001.pdf
Type: application/pdf
Size: 38086 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20140530/afd922de/attachment-0003.pdf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5453 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20140530/afd922de/attachment-0001.bin
More information about the Public
mailing list