[cabfpub] Ballot 121 (insurance)

Ben Wilson ben at digicert.com
Fri May 30 23:42:38 UTC 2014


On Friday, May 30, 2014 4:28 PM, Gerv Markham wrote: 

> How is that so, given that the liability is unchanged? It means that if the
> CA goes completely under due to misissuance, then there won't be a
> pot for payouts. But as people seem to be saying we saw with
> Diginotar, in that case the insurance company will find a way not to
> pay out anyway as there was probably malpractice involved.

Everything so far about Diginotar has been hearsay, but I don't think that
negligence/malpractice was the escape clause.  The right kind of insurance
would cover loss to third parties due to negligence, as illustrated by the
sample policy I sent.  Ask anyone involved in this industry and they'll tell
you that insurance is a basic component of good infosec risk management.
I'll provide more information about the benefits of insurance coverage in
response to your first question next week, but CA financial responsibility
is paramount because we actually do want there to be money to mitigate the
costs for a security breach.  I distinctly remember discussions of concern
back in 2006 about the CA that disappears during the night, and I do not
believe that our group's sentiment about that has changed any.  So again, on
this insurance issue, those wanting to scratch this rule off the books need
to propose an alternative.  I don't think it is wise for us to walk away and
leave an empty gap. 

Ben

