[cabfpub] Ballot 121 - EVGL Insurance Requirements

kirk_hall at trendmicro.com
Fri May 2 16:46:56 UTC 2014


At the last CABF meeting in February, the insurance issue was discussed, and someone (I can't remember who now) found an article about the decision of the Dutch bankruptcy court upholding the denial of all coverage for claims by Diginotar's insurer.  The article was read out loud to the group.  

Unfortunately, I can't find it now -- does anyone remember the reference?

I am not surprised by the insurer's decision to deny coverage on all claims and the court's concurrence.  An insurance policy is bought by the insured (here, Diginotar) to protect itself against claims by other people (here, customers, the public, and maybe shareholders), with the first emphasis on defending the insured (Diginotar) and defeating all claims, not paying money to injured third parties.  All insurance policies impose certain requirements on the insured (Diginotar) as a condition to providing any coverage for claims, such as honesty and full reporting of information to the insurer.  When an insured fails to meet those conditions, the insurer is allowed to deny coverage and not defend the insured or pay any claims.

For a major CA failure like Diginotar, the required insurance is not likely to be of any use to anyone.

-----Original Message-----
From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com] 
Sent: Friday, May 02, 2014 9:00 AM
To: Kirk Hall (RD-US); 'Gervase Markham'; public at cabforum.org
Subject: RE: [cabfpub] Ballot 121 - EVGL Insurance Requirements

Can you please send a link to the info about DigiNotar?  This is the first I've heard that the insurance company didn't have to pay anything to damaged end users and would like to investigate further.  My guess is that the claims were not being brought by the right party.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Friday, May 2, 2014 9:39 AM
To: Gervase Markham; public at cabforum.org
Subject: Re: [cabfpub] Ballot 121 - EVGL Insurance Requirements

Gerv (and all) -- I can already tell you that there is no other insurance that the Forum could require that is designed to protect the public and consumers.  So I won't be able to come up with a replacement for the current (nonsensical) requirements for CGL and E&O coverage, which also don't protect the public or consumers.

I would say the burden is on the proponents of keeping an insurance requirement to come up with an alternative (but they won't be able to do so).

In the meantime, we should eliminate the current requirement, which has no meaning.  In the one case we know of where insurance might have made a difference to customers (Diginotar), we know the insurer denied all coverage because of Diginotar's bad acts, and the Dutch bankruptcy court agreed with the insurer -- no coverage at all to respond to claims.  What other information do we need?

This doesn't affect my company -- we don't even have to buy insurance under the rules -- but the current rule is very unfair to CAs outside the US, and is really just a pointless barrier for many new CAs.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Friday, May 02, 2014 1:58 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Ballot 121 - EVGL Insurance Requirements

On 01/05/14 17:56, Jeremy Rowley wrote:
> I am in favor of that approach rather than gutting the entire 
> requirement.  We haven’t adequately explored the alternatives and 
> possible revisions to the language to know whether a simple change 
> could satisfy the current concerns.

I agree. I don't deny the problems raised, and it could be that the Working Group has considered and rejected other options, but I don't feel "sold" on this.

There are two options - remove the requirements and then think of new ones to add later (Kirk's suggestion) or keep them until we've more carefully examined the problem as a group (Jeremy's suggestion).

I'm with Jeremy so, for this ballot in this form at this time:

Mozilla votes NO.

Gerv
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public

TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.

