[cabfpub] Ballot 121 - EVGL Insurance Requirements

Ryan Sleevi sleevi at google.com
Mon May 5 22:33:03 UTC 2014

Considering that no browser, to my knowledge, implements or has ever
implemented the bits necessary to count as a Relying Party under the
various CPSes I've seen - many of which are written in terms of mandating
hard-fail - does not give me personally much hope of seeing a successful
claim being launched by either the subscriber or the RP.

However, in this vote, Google abstains.

On Mon, May 5, 2014 at 3:24 PM, Jeremy Rowley <jeremy.rowley at digicert.com>wrote:

> Eliminating the insurance protection eliminates the potential path to
> recovery from a CA who may not have the funds to pay for damages outside of
> insurance.  Insurance may not sufficiently cover bankruptcy events but it
> does cover events which do not end in the nuclear option.  That's why we
> permit self-insured only with a substantial number of assets.
> Jeremy
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of kirk_hall at trendmicro.com
> Sent: Monday, May 5, 2014 4:11 PM
> To: Gervase Markham; public at cabforum.org
> Subject: Re: [cabfpub] Ballot 121 - EVGL Insurance Requirements
> Gerv - my frustration is that the proponents of keeping the current EVGL
> insurance requirements the same have never said "we need to keep the
> current
> insurance requirements because the insurance will cover claims from the
> public and customers that may arise from a CA's bad practices".  In fact,
> the current insurance requirements are *not* relevant at all to claims from
> the public and customers from a bad cert -- and no one has said they are
> relevant.  I ran an insurance company for 12 years, so I have some
> familiarity with this area.
> There is *no connection* between the current insurance requirements and
> responding to claims from the public and customers.  Does anyone on the
> listserv disagree with that?
> That's why I say the burden is on the people who want to keep the current
> insurance requirements to prove they are useful for protecting the public.
> If no one will step forward with actual, substantive information, then the
> requirement should go.
> The only true way to protect the public would be to require CAs to deposit
> money or securities with a third party escrow with instructions to use the
> money to independently investigate and pay claims...  which is not
> insurance.  But that would be expensive and difficult to do, and no one
> would support that.
> By the way -- the same is (generally) true for browsers -- you don't have
> insurance that would directly respond to claims from members of the public
> of harm they suffered from using your browser....  Whatever insurance your
> browser maintains is solely for the purpose of protecting you, not the
> public.
> One other point -- eliminating the (meaningless) EVGL insurance requirement
> does NOT eliminate any liability a CA may have to the public and to
> customers.  That liability would stay EXACTLY the same, so people would be
> mistaken in saying elimination of the insurance requirement was a way for
> CAs to avoid liability -- far from it, the two are entirely separate.  (If
> you fail to pay for auto coverage and then cause an accident, you are still
> personally liable for the harm you did and can be sued even though you
> don't
> have insurance.)
> -----Original Message-----
> From: Gervase Markham [mailto:gerv at mozilla.org]
> Sent: Monday, May 05, 2014 1:21 AM
> To: Kirk Hall (RD-US); public at cabforum.org
> Subject: Re: [cabfpub] Ballot 121 - EVGL Insurance Requirements
> On 02/05/14 16:38, kirk_hall at trendmicro.com wrote:
> > Gerv (and all) -- I can already tell you that there is no other
> > insurance that the Forum could require that is designed to protect the
> > public and consumers.  So I won't be able to come up with a
> > replacement for the current (nonsensical) requirements for CGL and E&O
> > coverage, which also don't protect the public or consumers.
> >
> > I would say the burden is on the proponents of keeping an insurance
> > requirement to come up with an alternative (but they won't be able to
> > do so).
> I think the burden is only on them to come up with an alternative if there
> is general agreement that the current insurance requirements are not fit
> for
> purpose. That may indeed be so, but it cannot be established as so by
> assertion.
> > In the meantime, we should eliminate the current requirement, which
> > has no meaning.  In the one case we know of where insurance might have
> > made a difference to customers (Diginotar), we know the insurer denied
> > all coverage because of Diginotar's bad acts, and the Dutch bankruptcy
> > court agreed with the insurer -- no coverage at all to respond to
> > claims.  What other information do we need?
> This argument only holds if you think that, in the same position, every CA
> would behave like Diginotar did. Do you believe that?
> > This doesn't affect my company -- we don't even have to buy insurance
> > under the rules -- but the current rule is very unfair to CAs outside
> > the US, and is really just a pointless barrier for many new CAs.
> We are all for eliminating barriers to entry.
> I think there's a lot of potential support in the Forum for your position;
> it just needs the case made a little more carefully.
> The message that abolishing these requirements could send is: "CAs admit
> that if something goes wrong, it's not their problem". The way to avoid
> sending that message is having a good, written case for why they would
> never
> or very rarely help, and why the cons of their existence outweigh the pros.
> One question which may be relevant (although there may be reasons we can't
> talk about it): how much do CAs have to pay for insurance to meet this
> requirement, that is over and above the insurances they already have or
> would choose to have? I know you said for you it's $0.
> Gerv
> <table class="TM_EMAIL_NOTICE"><tr><td><pre>
> The information contained in this email and any attachments is confidential
> and may be subject to copyright or other intellectual property protection.
> If you are not the intended recipient, you are not authorized to use or
> disclose this information, and we request that you notify us by reply mail
> or
> telephone and delete the original message from your mail system.
> </pre></td></tr></table>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140505/71a89fcc/attachment-0003.html>

More information about the Public mailing list