[cabfpub] Possible new BR on Financial Responsibility -- minimum capital requirements

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Wed Nov 5 00:00:35 UTC 2014

In our Forum call last week I raised the issue of possible new Financial Responsibility requirements for CAs as a substitute for the existing EV insurance requirements (which most people have concluded do not really help the Forum reach any meaningful goals that relate to SSL and internet security).

I mentioned two ideas of my own for new financial responsibility requirements, and asked those on the call for their preliminary reactions, plus any other financial responsibility ideas they might have.  Ben Wilson had some feedback, but no one else spoke on the call, so I promised to post the two ideas to the Public list for further discussion.  If there is support, we can move later to a pre-ballot with specifics.

I will post each idea separately so we can have separate discussions.

First Idea - Minimum Capital Requirements

The first idea is to establish new CA financial responsibility requirements in the Baseline Requirements for some sort of minimum capital requirements.  Here are my two main reasons for seeking minimum capital requirements:

1.  It would help a CA respond to a serious security breach or emergency infrastructure problem - ready cash and net capital are always important to deal quickly with a serious problem.

2.  If the CA decides to exit the certificate business, it could help the CA continue the required revocation checking services (CRLs, OCSP responses), archives, etc.

In my mind, any minimum capital requirement we come up with should satisfy at least three goals:

* It should be reasonable and not punitive or prohibitive for small or new CAs,

* It should scale according to the level of activity for a CA, and

* It should use existing financial terms and measurements if possible so no CA or auditor has to do extra or complicated calculations to see whether or not the CA is in compliance.

I believe the minimum capital requirements should look at three elements: (1) total liquid assets (cash and cash-like assets), (2) the CA's so-called "quick ratio", which is a measurement of how much cash and cash-like assets the CA has compared to its short term liabilities (so the quick ratio is a measure of how easily the CA can access its cash to deal with an emergency without being unable to pay current debts), and (3) net retained earnings (owner's equity), which is a measurement of how much capital a CA has after all its short and long term liabilities are subtracted from all its assets.  These are common financial accounting concepts.

The CA/Browser Forum already uses these same capital tests in a different context, and we can recycle existing language if we choose.  As you know, EVGL 8.4 currently requires two kinds of insurance, but allows larger CAs not to carry insurance if they meet the following minimum capital tests:

Current EVGL 8.4 *** A CA MAY self-insure for liabilities that arise from such party's performance and obligations under these Guidelines provided that:

[1] It has at least five hundred million US dollars in liquid assets based on audited financial statements in the past twelve months, and

[2] It has a quick ratio (ratio of liquid assets to current liabilities) of not less than 1.0.

So here is a possible new Financial Responsibility Baseline Requirement we can consider (we need to decide what amounts to put in the blanks below):

[New] Baseline Requirements Section X.X - Financial Responsibility

A CA must meet the following minimum financial responsibility tests:

(a) Liquid Assets (i.e., cash plus assets that can be converted into cash quickly and with minimal impact to the price received) equal to or exceeding $X per certificate for the number of issued certificates outstanding, but not less than $Y;

(b) A quick ratio (ratio of liquid assets to current liabilities) of not less than x.x; and

(c) Retained Earnings (Owner's Equity) of $A per certificate for the number of issued certificates outstanding during the CA's previous annual audit period, but not less than $B.

These tests will be confirmed by the CA's WebTrust or ETSI auditor [Alternative 1: as of the last day of each calendar month during the audit period] <or> [Alternative 2: as of the last day of each calendar quarter during the audit year] <or> [Alternative 3: as of the last day of the audit year].  The auditor shall rely on the CA's audited financial statements if available; otherwise the auditor may rely on the CA's unaudited financial statements that are verified in writing as accurate by the CA's CEO or equivalent officer.  This requirement shall not apply to government CAs.

If we like this structure for a new Financial Responsibility BR, the question will be - what numbers should we use for X, Y, Z, A, and B above?

I have asked WebTrust auditor Don Sheehy to think about this issue, and each CA should consult its own financial department for comments and input.

Any preliminary reaction?

I will post my second idea in a separate email.

Kirk R. Hall
Operations Director, Trust Services
Trend Micro
