[cabfpub] Ballot 121 - EVGL Insurance Requirements

Gervase Markham gerv at mozilla.org
Wed May 7 11:56:27 UTC 2014

Hi Kirk,

On 05/05/14 23:10, kirk_hall at trendmicro.com wrote:
> Gerv - my frustration is that the proponents of keeping the current
> EVGL insurance requirements the same have never said "we need to keep
> the current insurance requirements because the insurance will cover
> claims from the public and customers that may arise from a CA's bad
> practices".  In fact, the current insurance requirements are *not*
> relevant at all to claims from the public and customers from a bad
> cert -- and no one has said they are relevant.  I ran an insurance
> company for 12 years, so I have some familiarity with this area.

I admit I am not qualified to form an opinion on the value of this
insurance. However, I do not feel I can vote to remove the requirement
without consulting a disinterested party who does.

I have opened a bug in Mozilla's bug-tracking system to ask our legal
team to make an assessment of the usefulness of this insurance in
protecting domain owners and end users, compared to a cost to CAs in the
region of $30,000 a year per CA. Based on that assessment, we will form
a view on this question.

However, that analysis will not be complete before 2200 UTC tonight, I'm
afraid :-( And in the mean time, our vote stands.


More information about the Public mailing list