[cabfpub] Pre-ballot on Insurance and Financial Responsibility

kirk_hall at trendmicro.com
Tue Nov 25 23:14:20 UTC 2014


Here is the pre-ballot I have been working on for several weeks to replace the existing EV insurance requirements with new financial responsibility provisions.  (Gerv, I just noticed you also have a pre-ballot - please take a look at this one as well.)

As you know, Trend Micro was the first to suggest the existing EVGL insurance requirements didn't make much sense in terms of making sure CAs were financially responsible for their product (certificates) and making sure CAs were financially capable of dealing with certificate mis-issuance, a breach, and/or possible termination expenses.

In recent emails, I suggested two possible substitutes for mandatory CA insurance:

1.  Minimum capital requirements (similar to the measurements we already have at the end of current EVGL Sec. 8.4 on insurance) - I'm still working on that proposal, and will come back with something shortly.

2.  Making CAs potentially liable for certificate mis-issuance for all their certs - DV, OV, and EV - not just for EV certs.  This proposal is very simple, and is included in the attached pre-ballot.

Today, CAs can disclaim (deny) their legal liability for DV and OV certs all the way to zero - meaning, even if they are found liable by a court for damages to customers and relying parties for mis-issued certificates, they can avoid making any payments to anyone.  That's just plain wrong.  The EV Guidelines presently allow CAs to limit what they pay to customers and relying parties for mis-issued certificates to $2,000 - that's too low, considering all the potential risks to the public.

The attached pre-ballot simply raises the potential liability cap to $10,000 for mis-issued EV certs, and requires that CAs potentially be liable up to $5,000 for mis-issued OV certs and $2,000 for mis-issued DV certs.  This recognizes the different levels of verification that are applied to each type of cert.

Please note:  This ballot does not create or impose legal liability on any CA - that already exists under applicable national law.  What the ballot does is say that a CA must be willing to back up whatever legal liability it has by some amount of money, and can't just say to customers and relying parties who have valid legal claims for damages "Too bad, I'm not going to pay you anything."  We do, however, allow CAs to cap their liability at the $2,000 / $5,000 / $10,000 per cert levels, which would help keep aggregate damage claims within an overall limit.

We have done so many other things to avoid and detect certificate mis-issuance (e.g., the Network and Certificate Systems Security Requirements, Certificate Transparency, etc.) that this is a natural extension of that effort - and it will reinforce the value of SSL certificates from trusted CAs.

Several CAs I've consulted with already support these three liability levels.  I'd be happy for endorsers for this pre-ballot.

Kirk R. Hall
Operations Director, Trust Services
Trend Micro
+1.503.753.3088

*****

Pre-Ballot on Insurance and Financial Responsibility

1.  EV Guideline 8.4 is deleted.

2.  EV Guideline Section 18 is amended to read as follows:

18. Liability and Indemnification

CAs MAY limit their liability as described in Section 18 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than ten thousand US dollars per Subscriber or Relying Party per EV Certificate.

A CA's indemnification obligations and a Root CA's obligations with respect to subordinate CAs are set forth in the Baseline Requirements.

3. Baseline Requirements Section 18.1 is amended to read as follows:

18.1 Liability to Subscribers and Relying Parties

If the CA has issued and managed the Certificate in compliance with these Requirements and its Certificate Policy and/or Certification Practice Statement, the CA MAY disclaim liability to the Certificate Beneficiaries or any other third parties for any losses suffered as a result of use or reliance on such Certificate beyond those specified in the CA's Certificate Policy and/or Certification Practice Statement. If the CA has not issued or managed the Certificate in compliance with these Requirements and its Certificate Policy and/or Certification Practice Statement, the CA MAY seek to limit its liability to the Subscriber and to Relying Parties, regardless of the cause of action or legal theory involved, for any and all claims, losses or damages suffered as a result of the use or reliance on such Certificate by any appropriate means that the CA desires. If the CA chooses to limit its liability for Certificates that are not issued or managed in compliance with these Requirements or its Certificate Policy and/or Certification Practice Statement, then the CA SHALL include the limitations on liability in the CA's Certificate Policy and/or Certification Practice Statement.  Notwithstanding the foregoing, a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per DV Certificate or less than five thousand US dollars per Subscriber or Relying Party per OV Certificate.

