[cabfpub] Ballot 121 - EVGL Insurance Requirements

Eddy Nigg eddy_nigg at startcom.org
Fri May 2 11:21:19 UTC 2014

StartCom abstains.

On 04/24/2014 03:16 AM, Ben Wilson wrote:
> *Ballot 121 -- EVGL Insurance Requirements*
> The EV Guidelines Working Group is considering updating the EV 
> Guidelines in a number of areas.  Kirk Hall of Trend Micro hereby 
> makes the following motion, and Moudrick Dadashov from Skaitmeninio 
> sertifikavimo centras (SSC)and Richard Wang from WoSign have endorsed it.
> This ballot is to amend the current EV Guidelines (EVGL) Sec. 8.4 
> requirements as stated below. The reasons in favor of the Ballot are 
> stated after the proposed amendments.
> _Motion begins_:
> Amend EV Guideline Section 8.4 to read as follows:
> *EV Guideline Section 8.4 - Insurance*
> **
> Each CA SHALL maintain the following insurance related to their 
> *_its_* respective performance and obligations under these Guidelines 
> *_in accordance with the the minimum insurance requirements (if any) 
> as are applicable to the CA under the law of its jurisdiction of 
> incorporation or registration._* :
> (A) Commercial General Liability insurance (occurrence form) with 
> policy limits of at least two million US dollars in coverage; and
> (B) Professional Liability/Errors and Omissions insurance, with policy 
> limits of at least five million US dollars in coverage, and including 
> coverage for (i) claims for damages arising out of an act, error, or 
> omission, unintentional breach of contract, or neglect in issuing or 
> maintaining EV Certificates, and (ii) claims for damages arising out 
> of infringement of the proprietary rights of any third party 
> (excluding copyright, and trademark infringement), and invasion of 
> privacy and advertising injury.
> Such insurance MUST be with a company rated no less than A- as to 
> Policy Holder's Rating in the current edition of Best's Insurance 
> Guide (or with an association of companies each of the members of 
> which are so rated).
> A CA MAY self-insure for liabilities that arise from such party's 
> performance and obligations under these Guidelines provided that it 
> has at least five hundred million US dollars in liquid assets based on 
> audited financial statements in the past twelve months, and a quick 
> ratio (ratio of liquid assets to current liabilities) of not less than 
> 1.0.
> _Motion Ends _
> The reasons for this proposed amendment are as follows:
> ·The insurance requirements were created basically out of thin air 
> during initial drafting of the EVGL, without any particular analysis 
> of claims against CAs, usefulness of insurance, availability of 
> appropriate insurance, or necessary insurance levels.  The main 
> purpose of an insurance requirement in the EVGL was to impress the 
> public with the responsibility of CAs who issue EV certificates.  
> However, as noted below, these reasons aren't really justified by the 
> facts.
> ·The types and amounts of insurance required under EVGL 8.4 are North 
> America-centric, and are not easily available in other world regions 
> (or not available at all).  Insurance for damages "arising out of 
> infringement of the proprietary rights of any third party" are 
> generally not available in many professional liability/errors and 
> omissions policies.  The requirement is arguably unfair to CAs outside 
> North America.
> ·The types of insurance required under EVGL 8.4 are not designed to 
> provide relief or compensation to injured customers or the public who 
> rely on EV certs issued by a CA.  Both types of insurance are intended 
> primarily to protect the issuing CA, not injured claimants, and the 
> insurers will try to avoid or defeat all claims from claimants.  The 
> policies typically include defense costs within the policy limits, so 
> an insurance policy might be entirely consumed by defense costs to 
> protect the issuing CA, with nothing left to pay claims to claimants.
> ·Commercial General Liability insurance doesn't really help customers 
> or relying parties who claim injury from a bad cert -- these policies 
> are more designed to protect the CA from things like people falling on 
> a slippery floor in the CA's offices, etc.  Likewise, professional 
> liability/E&O coverage will only pay after defending the CA if a 
> judgment is likely or rendered, and the insurer may try to avoid 
> coverage if the issuing CA has done some bad things.  For example, 
> Diginotar's insurer has denied all coverage because Diginotar hid its 
> breach and failed to report the problem for several weeks, compounding 
> the damages and violating its obligations to the insurers -- so the 
> insurance was worthless.  These policies also do not cover contract 
> claims from customers (e.g., a claim of breach of contract by the CA 
> such as failure to issue a proper cert).
> ·Some have suggested that even if the current insurance requirements 
> don't actually protect the public or customers, they are nevertheless 
> useful as a "show of seriousness" by a CA.  If that is a worthwhile 
> objective, we may as well require other irrelevant things instead like 
> proof of auto insurance or a minimum office space size -- none of 
> these qualifications are really relevant to whether a CA operates 
> competently and in compliance with requirements.  Instead, we rely 
> mostly on (1) annual performance audits, and (2) browser root programs 
> (and consequences of failure) to confirm competence and compliance.
> ·VeriSign's previous general counsel for ten years has said VeriSign 
> never faced a claim for damages from any certs during that time.  In 
> most cases, bad certs are simply revoked and possibly reissued.
> ·Even though there have been virtually no claims against issuing CAs, 
> buying the minimum insurance can be expensive for smaller CAs.  There 
> is typically a minimum premium of $25,000 or more per year with a 
> significant deductible, even though the CA will likely never have a 
> covered claim.  That's a waste of money.
> ·In the Diginotar case, apparently claims were made against the 
> company's insurers (perhaps from investors for loss of value of the 
> company when it was shut down).  In any case, Diginotar's insurer 
> denied all coverage for the claims based on Diginotar's bad acts and 
> breach of its obligations to the insurer.  There would be no possibly 
> insurance coverage for customers or relying parties, so the insurance 
> was of no value.
> ·Some countries have their own minimum insurance requirements for 
> companies incorporated or registered in their jurisdiction, while many 
> do not.  The CA/Browser Forum should defer to these decisions by the 
> governing jurisdictions and require compliance with local standards -- 
> or just delete Section 8.4 entirely, as every CA must already comply 
> with applicable laws.
> ·Finally, under current EVGL Sec. 8.4, large companies like Trend 
> Micro get to opt out of the insurance requirements because they meet 
> the stated financial requirements.  This is arguably an unfair 
> advantage for large companies over small ones.
> The review period for this ballot shall commence at 2200 UTC on 
> Wednesday, 23 April 2014, and will close at 2200 UTC on Wednesday, 30 
> April 2014. Unless the motion is withdrawn during the review period, 
> the voting period will start immediately thereafter and will close at 
> 2200 UTC on Wednesday, 7 May 2014. Votes must be cast by posting an 
> on-list reply to this thread.
> A vote in favor of the motion must indicate a clear 'yes' in the 
> response. A vote against must indicate a clear 'no' in the response. A 
> vote to abstain must indicate a clear 'abstain' in the response. 
> Unclear responses will not be counted. The latest vote received from 
> any representative of a voting member before the close of the voting 
> period will be counted. Voting members are listed here: 
> https://cabforum.org/members/
> In order for the motion to be adopted, two thirds or more of the votes 
> cast by members in the CA category and greater than 50% of the votes 
> cast by members in the browser category must be in favor. Also, at 
> least six members must participate in the ballot, either by voting in 
> favor, voting against, or abstaining.
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140502/f42bdc71/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4540 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140502/f42bdc71/attachment-0001.p7s>

More information about the Public mailing list