[cabfpub] Ballot 121 - EVGL Insurance Requirements
Ben Wilson
ben at digicert.com
Fri May 2 17:04:06 UTC 2014
FWIW - Here are some resources I found on cyber risk insurance, which is a type of insurance that might be more applicable to the CA industry:
English
http://latham.com/thoughtLeadership/lw-cybersecurity-insurance-policy-coverage
http://www.aon.com/risk-services/cyber.jsp
http://www.zurich.com/insight/cyber/cyber-risk.htm
http://uk.marsh.com/RiskIssues/CyberRisk/lapg-13383/2.aspx
http://www.allianz.com.au/media/news/2014/allianz-launches-cyber-risk-insurance-product
German
http://www.aon.com/germany/risk-services/cyber-risiken.jsp
Spanish
http://spain.marsh.com/ActualidadAFondo/Liderazgointelectual/Articles/ID/24861/PageID/25841/Ciber-riesgo-la-seguridad-de-la-informacion-electronica.aspx
Chinese
http://asia.marsh.com/china/tabid/14027/ID/33653/default.aspx - http://asia.marsh.com/china/MRMR/ID/35546.aspx
French
http://www.cnaeurope.com/CNADownloadsLibrary/Cyber%20NetProtect%20Brochure.pdf
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Thursday, May 01, 2014 3:18 PM
To: Eddy Nigg
Cc: CABFPub
Subject: Re: [cabfpub] Ballot 121 - EVGL Insurance Requirements
I'm generally supportive of this, if only because the vast majority of CA's CP/CPSes leave them enough wiggle room to drive a truck through, while still not being an insurable incident.
CA accidentally revokes a certificate? Most CPSes seem to leave enough verbiage in that the CA is not 'on the hook' for that.
CA accidentally misissues a certificate? Most CPSes seem to leave enough verbiage in their Subscriber/Relying Party agreements that (to a non-lawyer such as myself) that they could argue it was the subscriber's fault.
We discussed this during the Mountain View F2F, where I raised similar remarks.
I think absent clear guidance from the CA/B Forum on
1) What are events that a CA should be liable for
2) What language is unacceptable in a CP/CPS (in terms of disclaiming liability/imposing requirements)
That requiring insurance has more the effect of theatre than security.
That is, I think the practical reality is things are already wildly inconsistent and largely inapplicable for the incidents that most of us would consider inappropriate and grave for trust in the ecosystem.
On Thu, May 1, 2014 at 1:59 PM, Eddy Nigg <eddy_nigg at startcom.org> wrote:
On 05/01/2014 07:56 PM, Jeremy Rowley wrote:
I am in favor of that approach rather than gutting the entire requirement. We haven’t adequately explored the alternatives and possible revisions to the language to know whether a simple change could satisfy the current concerns.
I can't be against saving expensive insurances if the effect on having them or not would be exactly the same. However we would take out probably a different/similar insurance in any case as we wouldn't want to be completely unprotected.
I'm not an insurance specialist and don't really know what the options would be, if at all. We followed the EV requirement more or less blindly because it's there and I'm actually a bit surprised that it's perceived as entire waste of money by some.
But then, Kirk is a lawyer that might have that knowledge - but Kirk, I believe we need more information and also an alternative before we can vote on it.
--
Regards
Signer:
Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP:
startcom at startcom.org
Blog:
Join the Revolution! <http://blog.startcom.org>
Twitter:
Follow Me <http://twitter.com/eddy_nigg>
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140502/050c3ec8/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5453 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140502/050c3ec8/attachment-0001.p7s>
More information about the Public
mailing list