[cabfpub] Ballot 121 - EVGL Insurance Requirements

Jeremy Rowley jeremy.rowley at digicert.com
Mon May 5 22:30:19 UTC 2014

Plus you can't say a single event, which we don't know a lot about, proves
the rule.  Without knowing exactly why the insurance didn't pay, the nature
of claimants, and the rest of the story, claiming that the insurance isn't
useful in protecting the public is speculative.   I'd disagree with your
assertion.  There is a connection between the insurance requirements and
responding to claims. At the very least it shows that the CA has the ability
to address claims of mis-practice.


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of kirk_hall at trendmicro.com
Sent: Monday, May 5, 2014 4:11 PM
To: Gervase Markham; public at cabforum.org
Subject: Re: [cabfpub] Ballot 121 - EVGL Insurance Requirements

Gerv - my frustration is that the proponents of keeping the current EVGL
insurance requirements the same have never said "we need to keep the current
insurance requirements because the insurance will cover claims from the
public and customers that may arise from a CA's bad practices".  In fact,
the current insurance requirements are *not* relevant at all to claims from
the public and customers from a bad cert -- and no one has said they are
relevant.  I ran an insurance company for 12 years, so I have some
familiarity with this area.  

There is *no connection* between the current insurance requirements and
responding to claims from the public and customers.  Does anyone on the
listserv disagree with that?

That's why I say the burden is on the people who want to keep the current
insurance requirements to prove they are useful for protecting the public.
If no one will step forward with actual, substantive information, then the
requirement should go.

The only true way to protect the public would be to require CAs to deposit
money or securities with a third party escrow with instructions to use the
money to independently investigate and pay claims...  which is not
insurance.  But that would be expensive and difficult to do, and no one
would support that.

By the way -- the same is (generally) true for browsers -- you don't have
insurance that would directly respond to claims from members of the public
of harm they suffered from using your browser....  Whatever insurance your
browser maintains is solely for the purpose of protecting you, not the

One other point -- eliminating the (meaningless) EVGL insurance requirement
does NOT eliminate any liability a CA may have to the public and to
customers.  That liability would stay EXACTLY the same, so people would be
mistaken in saying elimination of the insurance requirement was a way for
CAs to avoid liability -- far from it, the two are entirely separate.  (If
you fail to pay for auto coverage and then cause an accident, you are still
personally liable for the harm you did and can be sued even though you don't
have insurance.)

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Monday, May 05, 2014 1:21 AM
To: Kirk Hall (RD-US); public at cabforum.org
Subject: Re: [cabfpub] Ballot 121 - EVGL Insurance Requirements

On 02/05/14 16:38, kirk_hall at trendmicro.com wrote:
> Gerv (and all) -- I can already tell you that there is no other 
> insurance that the Forum could require that is designed to protect the 
> public and consumers.  So I won't be able to come up with a 
> replacement for the current (nonsensical) requirements for CGL and E&O 
> coverage, which also don't protect the public or consumers.
> I would say the burden is on the proponents of keeping an insurance 
> requirement to come up with an alternative (but they won't be able to 
> do so).

I think the burden is only on them to come up with an alternative if there
is general agreement that the current insurance requirements are not fit for
purpose. That may indeed be so, but it cannot be established as so by

> In the meantime, we should eliminate the current requirement, which 
> has no meaning.  In the one case we know of where insurance might have 
> made a difference to customers (Diginotar), we know the insurer denied 
> all coverage because of Diginotar's bad acts, and the Dutch bankruptcy 
> court agreed with the insurer -- no coverage at all to respond to 
> claims.  What other information do we need?

This argument only holds if you think that, in the same position, every CA
would behave like Diginotar did. Do you believe that?

> This doesn't affect my company -- we don't even have to buy insurance 
> under the rules -- but the current rule is very unfair to CAs outside 
> the US, and is really just a pointless barrier for many new CAs.

We are all for eliminating barriers to entry.

I think there's a lot of potential support in the Forum for your position;
it just needs the case made a little more carefully.

The message that abolishing these requirements could send is: "CAs admit
that if something goes wrong, it's not their problem". The way to avoid
sending that message is having a good, written case for why they would never
or very rarely help, and why the cons of their existence outweigh the pros.

One question which may be relevant (although there may be reasons we can't
talk about it): how much do CAs have to pay for insurance to meet this
requirement, that is over and above the insurances they already have or
would choose to have? I know you said for you it's $0.

