[cabfpub] Ballot 121 - EVGL Insurance Requirements
ben at digicert.com
Thu May 1 15:40:42 UTC 2014
We can discuss this briefly during today's call under Agenda Item 5.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Eddy Nigg
Sent: Thursday, May 01, 2014 3:43 AM
Subject: Re: [cabfpub] Ballot 121 - EVGL Insurance Requirements
The reasons are indeed interesting, question is what would be a better
alternative. However if the insurances we are required to take out don't
provide what we expect them to do, than it's indeed a waste of money. And we
probably should look for something better than that.
On 04/24/2014 03:16 AM, Ben Wilson wrote:
The reasons for this proposed amendment are as follows:
. The insurance requirements were created basically out of thin air
during initial drafting of the EVGL, without any particular analysis of
claims against CAs, usefulness of insurance, availability of appropriate
insurance, or necessary insurance levels. The main purpose of an insurance
requirement in the EVGL was to impress the public with the responsibility of
CAs who issue EV certificates. However, as noted below, these reasons
aren't really justified by the facts.
. The types and amounts of insurance required under EVGL 8.4 are
North America-centric, and are not easily available in other world regions
(or not available at all). Insurance for damages "arising out of
infringement of the proprietary rights of any third party" are generally not
available in many professional liability/errors and omissions policies. The
requirement is arguably unfair to CAs outside North America.
. The types of insurance required under EVGL 8.4 are not designed to
provide relief or compensation to injured customers or the public who rely
on EV certs issued by a CA. Both types of insurance are intended primarily
to protect the issuing CA, not injured claimants, and the insurers will try
to avoid or defeat all claims from claimants. The policies typically
include defense costs within the policy limits, so an insurance policy might
be entirely consumed by defense costs to protect the issuing CA, with
nothing left to pay claims to claimants.
. Commercial General Liability insurance doesn't really help
customers or relying parties who claim injury from a bad cert - these
policies are more designed to protect the CA from things like people falling
on a slippery floor in the CA's offices, etc. Likewise, professional
liability/E&O coverage will only pay after defending the CA if a judgment is
likely or rendered, and the insurer may try to avoid coverage if the issuing
CA has done some bad things. For example, Diginotar's insurer has denied
all coverage because Diginotar hid its breach and failed to report the
problem for several weeks, compounding the damages and violating its
obligations to the insurers - so the insurance was worthless. These
policies also do not cover contract claims from customers (e.g., a claim of
breach of contract by the CA such as failure to issue a proper cert).
. Some have suggested that even if the current insurance
requirements don't actually protect the public or customers, they are
nevertheless useful as a "show of seriousness" by a CA. If that is a
worthwhile objective, we may as well require other irrelevant things instead
like proof of auto insurance or a minimum office space size - none of these
qualifications are really relevant to whether a CA operates competently and
in compliance with requirements. Instead, we rely mostly on (1) annual
performance audits, and (2) browser root programs (and consequences of
failure) to confirm competence and compliance.
. VeriSign's previous general counsel for ten years has said
VeriSign never faced a claim for damages from any certs during that time.
In most cases, bad certs are simply revoked and possibly reissued.
. Even though there have been virtually no claims against issuing
CAs, buying the minimum insurance can be expensive for smaller CAs. There
is typically a minimum premium of $25,000 or more per year with a
significant deductible, even though the CA will likely never have a covered
claim. That's a waste of money.
. In the Diginotar case, apparently claims were made against the
company's insurers (perhaps from investors for loss of value of the company
when it was shut down). In any case, Diginotar's insurer denied all
coverage for the claims based on Diginotar's bad acts and breach of its
obligations to the insurer. There would be no possibly insurance coverage
for customers or relying parties, so the insurance was of no value.
. Some countries have their own minimum insurance requirements for
companies incorporated or registered in their jurisdiction, while many do
not. The CA/Browser Forum should defer to these decisions by the governing
jurisdictions and require compliance with local standards - or just delete
Section 8.4 entirely, as every CA must already comply with applicable laws.
. Finally, under current EVGL Sec. 8.4, large companies like Trend
Micro get to opt out of the insurance requirements because they meet the
stated financial requirements. This is arguably an unfair advantage for
large companies over small ones.
The review period for this ballot shall commence at 2200 UTC on Wednesday,
23 April 2014, and will close at 2200 UTC on Wednesday, 30 April 2014.
Unless the motion is withdrawn during the review period, the voting period
will start immediately thereafter and will close at 2200 UTC on Wednesday, 7
May 2014. Votes must be cast by posting an on-list reply to this thread.
A vote in favor of the motion must indicate a clear 'yes' in the response. A
vote against must indicate a clear 'no' in the response. A vote to abstain
must indicate a clear 'abstain' in the response. Unclear responses will not
be counted. The latest vote received from any representative of a voting
member before the close of the voting period will be counted. Voting members
are listed here: <https://cabforum.org/members/>
In order for the motion to be adopted, two thirds or more of the votes cast
by members in the CA category and greater than 50% of the votes cast by
members in the browser category must be in favor. Also, at least six members
must participate in the ballot, either by voting in favor, voting against,
Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
startcom at startcom.org
Join the Revolution! <http://blog.startcom.org>
Follow Me <http://twitter.com/eddy_nigg>
-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 5453 bytes
Desc: not available
More information about the Public