[cabfpub] Ballot 121 (insurance)

Gervase Markham gerv at mozilla.org
Fri May 30 22:27:48 UTC 2014

Hi Ben,

On 30/05/14 15:15, Ben Wilson wrote:
> If people want to save money, they can stick to issuing DV or OV
> certificates. 

If these provisions have value, they should stay. If not, they should
go. Issuing EV should not be a privilege obtained by wasting the most money.

> EV certificates need to remain different, and this proposed
> move is contrary to the first goal we all agreed upon when we began working
> on the guidelines for issuing Extended Validation Certificates, which my
> notes indicate was to "increase online trust."

If you can make a case that the insurance requirements would increase
online trust, that is, that there is a realistic scenario in which they
would come into play and provide benefit to end users, site owners or
browsers, and we can explain that to people and make them more confident
in trusting EV, I will happily hear that scenario.

> If the ballot is re-introduced and passes, then CAs will not be required to
> have insurance for any negligence in issuing or maintaining EV Certificates.

No. However, they will still be as liable for that negligence as they
ever were.

> The reintroduction of Ballot 121 also reopens negotiations of 8 years ago,
> which took place during 2006.  For example, attached is Kirk Hall's memo to
> the group from June 2006 in which he recommends "indemnity insurance
> coverage (e.g. "errors and omissions," "cyber coverage," "network computer
> liability," "professional liability," or other similar coverage) for
> Extended Validation Certificates [in the amount of $10 million]."  

What that memo shows me is that some CAs are already required to have
this (or better) insurance for other reasons, and so for them, this
requirement is one which burdens only their competitors.

Kirk is allowed to change his mind about the wisdom of such insurance
based on 8 years of experience.

> Opponents of insurance requirements cannot simply erase these historical
> choices without proposing viable alternatives.  (It's always easier to
> complain and to poke holes at things than to work on real solutions.)  And
> finally, if the EV Guidelines do not contain some form of financial
> responsibility, then we might as well delete the Section 7 warranties, and
> the other EV provisions to which they refer, because they will just become
> empty promises.    

How is that so, given that the liability is unchanged? It means that if
the CA goes completely under due to misissuance, then there won't be a
pot for payouts. But as people seem to be saying we saw with DigiNotar,
in that case the insurance company will find a way not to pay out anyway
as there was probably malpractice involved.
