[cabfpub] Ballot 121 - EVGL Insurance Requirements
eddy_nigg at startcom.org
Thu May 1 09:42:51 UTC 2014
The reasons are indeed interesting, question is what would be a better
alternative. However if the insurances we are required to take out don't
provide what we expect them to do, than it's indeed a waste of money.
And we probably should look for something better than that.
On 04/24/2014 03:16 AM, Ben Wilson wrote:
> The reasons for this proposed amendment are as follows:
> ·The insurance requirements were created basically out of thin air
> during initial drafting of the EVGL, without any particular analysis
> of claims against CAs, usefulness of insurance, availability of
> appropriate insurance, or necessary insurance levels. The main
> purpose of an insurance requirement in the EVGL was to impress the
> public with the responsibility of CAs who issue EV certificates.
> However, as noted below, these reasons aren't really justified by the
> ·The types and amounts of insurance required under EVGL 8.4 are North
> America-centric, and are not easily available in other world regions
> (or not available at all). Insurance for damages "arising out of
> infringement of the proprietary rights of any third party" are
> generally not available in many professional liability/errors and
> omissions policies. The requirement is arguably unfair to CAs outside
> North America.
> ·The types of insurance required under EVGL 8.4 are not designed to
> provide relief or compensation to injured customers or the public who
> rely on EV certs issued by a CA. Both types of insurance are intended
> primarily to protect the issuing CA, not injured claimants, and the
> insurers will try to avoid or defeat all claims from claimants. The
> policies typically include defense costs within the policy limits, so
> an insurance policy might be entirely consumed by defense costs to
> protect the issuing CA, with nothing left to pay claims to claimants.
> ·Commercial General Liability insurance doesn't really help customers
> or relying parties who claim injury from a bad cert -- these policies
> are more designed to protect the CA from things like people falling on
> a slippery floor in the CA's offices, etc. Likewise, professional
> liability/E&O coverage will only pay after defending the CA if a
> judgment is likely or rendered, and the insurer may try to avoid
> coverage if the issuing CA has done some bad things. For example,
> Diginotar's insurer has denied all coverage because Diginotar hid its
> breach and failed to report the problem for several weeks, compounding
> the damages and violating its obligations to the insurers -- so the
> insurance was worthless. These policies also do not cover contract
> claims from customers (e.g., a claim of breach of contract by the CA
> such as failure to issue a proper cert).
> ·Some have suggested that even if the current insurance requirements
> don't actually protect the public or customers, they are nevertheless
> useful as a "show of seriousness" by a CA. If that is a worthwhile
> objective, we may as well require other irrelevant things instead like
> proof of auto insurance or a minimum office space size -- none of
> these qualifications are really relevant to whether a CA operates
> competently and in compliance with requirements. Instead, we rely
> mostly on (1) annual performance audits, and (2) browser root programs
> (and consequences of failure) to confirm competence and compliance.
> ·VeriSign's previous general counsel for ten years has said VeriSign
> never faced a claim for damages from any certs during that time. In
> most cases, bad certs are simply revoked and possibly reissued.
> ·Even though there have been virtually no claims against issuing CAs,
> buying the minimum insurance can be expensive for smaller CAs. There
> is typically a minimum premium of $25,000 or more per year with a
> significant deductible, even though the CA will likely never have a
> covered claim. That's a waste of money.
> ·In the Diginotar case, apparently claims were made against the
> company's insurers (perhaps from investors for loss of value of the
> company when it was shut down). In any case, Diginotar's insurer
> denied all coverage for the claims based on Diginotar's bad acts and
> breach of its obligations to the insurer. There would be no possibly
> insurance coverage for customers or relying parties, so the insurance
> was of no value.
> ·Some countries have their own minimum insurance requirements for
> companies incorporated or registered in their jurisdiction, while many
> do not. The CA/Browser Forum should defer to these decisions by the
> governing jurisdictions and require compliance with local standards --
> or just delete Section 8.4 entirely, as every CA must already comply
> with applicable laws.
> ·Finally, under current EVGL Sec. 8.4, large companies like Trend
> Micro get to opt out of the insurance requirements because they meet
> the stated financial requirements. This is arguably an unfair
> advantage for large companies over small ones.
> The review period for this ballot shall commence at 2200 UTC on
> Wednesday, 23 April 2014, and will close at 2200 UTC on Wednesday, 30
> April 2014. Unless the motion is withdrawn during the review period,
> the voting period will start immediately thereafter and will close at
> 2200 UTC on Wednesday, 7 May 2014. Votes must be cast by posting an
> on-list reply to this thread.
> A vote in favor of the motion must indicate a clear 'yes' in the
> response. A vote against must indicate a clear 'no' in the response. A
> vote to abstain must indicate a clear 'abstain' in the response.
> Unclear responses will not be counted. The latest vote received from
> any representative of a voting member before the close of the voting
> period will be counted. Voting members are listed here:
> In order for the motion to be adopted, two thirds or more of the votes
> cast by members in the CA category and greater than 50% of the votes
> cast by members in the browser category must be in favor. Also, at
> least six members must participate in the ballot, either by voting in
> favor, voting against, or abstaining.
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4540 bytes
Desc: S/MIME Cryptographic Signature
More information about the Public