[cabfpub] Possible new BR on Financial Responsibility -- minimum capital requirements

i-barreira at izenpe.net i-barreira at izenpe.net
Wed Nov 5 09:49:10 UTC 2014

Kirk, I'm not sure about this idea (and didn't in the EV guidelines) but here are some concerns:


- If a CA exits the certificate business for whatever reason and ceases its operations, according to the law of most European countries the supervisory body can assign another CA to take over that CA's business if no agreement has been reached before, so there is no need to have that minimum capital, which by the way is covered when you register/create the company.

- From the ETSI point of view, the standards used to audit CAs are technical standards, based on the CA business, but this seems more a kind of financial assessment, which OTOH every EU company has to do once a year, but done by different auditors or with different standards and schemes.

- As for the 3 options you indicate, I have my concerns:

  o What is a liquid asset?

  o What is a quick ratio? How is that measured?

  o Retained earnings? Maybe in the US or for the big ones, but the smallest CAs can't retain earnings.

- The current national law in every EU country indicates that every CA has to have an insurance of whatever (it's up to every country to decide the amount) and the new regulation says that we need a “kind of” insurance (still to be developed, but it will go that way). If you're suggesting not having an insurance, which all the EU CAs will be obligated to have, but rather this financial responsibility, that will add another issue for the EU CAs, and if the aim is to not have such US-centric language and to have new/small CAs on board, I think this goes the opposite way.





Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.net






From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On behalf of kirk_hall at trendmicro.com
Sent: Wednesday, 5 November 2014 1:01
To: CABFPub (public at cabforum.org)
Subject: [cabfpub] Possible new BR on Financial Responsibility -- minimum capital requirements


In our Forum call last week I raised the issue of possible new Financial Responsibility requirements for CAs as a substitute for the existing EV insurance requirements (which most people have concluded do not really help the Forum reach any meaningful goals that relate to SSL and internet security).


I mentioned two ideas of my own for new financial responsibility requirements, and asked those on the call for their preliminary reactions, plus any ideas they might have for other financial responsibility ideas.  Ben Wilson had some feedback, but no one else spoke on the call so I promised to post the two ideas to the Public list for further discussion.  If there is support, we can move later to a pre-ballot with specifics.


I will post each idea separately so we can have separate discussions.


First Idea – Minimum Capital Requirements


The first idea is to establish new CA financial responsibility requirements in the Baseline Requirements for some sort of minimum capital requirements.  Here are my two main reasons for seeking minimum capital requirements:


1.  It would help a CA respond to a serious security breach or emergency infrastructure problem – ready cash and net capital is always important to deal quickly with a serious problem.


2.  If the CA decides to exit the certificate business, it could help the CA continue the required revocation checking services (CRLs, OCSP responses), archives, etc.


In my mind, any minimum capital requirement we come up with should satisfy at least three goals:


· It should be reasonable and not punitive or prohibitive for small or new CAs,

· It should scale according to the level of activity for a CA, and

· It should use existing financial terms and measurements if possible so no CA or auditor has to do extra or complicated calculations to see whether or not the CA is in compliance.


I believe the minimum capital requirements should look at three elements: (1) total liquid assets (cash and cash-like assets), (2) the CA’s so-called “quick ratio”, which is a measurement of how much cash and cash-like assets the CA has compared to its short term liabilities (so the quick ratio is a measure of how easily the CA can access its cash to deal with an emergency without being unable to pay current debts), and (3) net retained earnings (owner’s equity), which is a measurement of how much capital a CA has after all its short and long term liabilities are subtracted from all its assets.  These are common financial accounting concepts.


The CA/Browser Forum already uses these same capital tests in a different context, and we can recycle existing language if we choose.   As you know, EVGL 8.4 currently requires two kinds of insurance, but allows larger CAs not to carry insurance if they meet the following minimum capital tests:


Current EVGL 8.4  *** A CA MAY self-insure for liabilities that arise from such party's performance and obligations under these Guidelines provided that:


[1] It has at least five hundred million US dollars in liquid assets based on audited financial statements in the past twelve months, and 


[2] It has a quick ratio (ratio of liquid assets to current liabilities) of not less than 1.0.


So here is a possible new Financial Responsibility Baseline Requirement we can consider (we need to decide what amounts to put in the blanks below):


[New] Baseline Requirements Section X.X – Financial Responsibility


A CA must meet the following minimum financial responsibility tests:


(a) Liquid Assets (i.e., cash plus assets that can be converted into cash quickly and with minimal impact to the price received) equal to or exceeding $X per certificate for the number of issued certificates outstanding, but not less than $Y;


(b) A quick ratio (ratio of liquid assets to current liabilities) of not less than x.x; and


(c) Retained Earnings (Owner’s Equity) of $A per certificate for the number of issued certificates outstanding during the CA’s previous annual audit period, but not less than $B.  


These tests will be confirmed by the CA's WebTrust or ETSI auditor [Alternative 1: as of the last day of each calendar month during the audit period] <or> [Alternative 2: as of the last day of each calendar quarter during the audit year] <or> [Alternative 3: as of the last day of the audit year]. The auditor shall rely on the CA’s audited financial statements if available; otherwise the auditor may rely on the CA’s unaudited financial statements that are verified in writing as accurate by the CA’s CEO or equivalent officer. This requirement shall not apply to government CAs.


If we like this structure for a new Financial Responsibility BR, the question will be – what numbers should we use for X, Y, Z, A, and B above?


I have asked WebTrust auditor Don Sheehy to think about this issue, and each CA should consult its own financial department for comments and input.


Any preliminary reaction?


I will post my second idea in a separate email.


Kirk R. Hall

Operations Director, Trust Services

Trend Micro


