[cabfpub] Ballot 133 - Insurance Requirements for EV Issuers

[Ryan Sleevi]

On Tue, Oct 7, 2014 at 6:39 PM, Ben Wilson <ben.wilson at digicert.com> wrote:

> All,
> Proposed Ballot 133 represents a substantial reduction in the amount of
> and a change in the type of insurance that is needed to be qualified as an
> issuer of an EV certificate.  This proposal reduces the required coverage
> amount to a little over $3 million (counting coverage for property casualty
> loss)—less than half of what it is today.  Those arguing against an
> insurance requirement have generally centered their arguments on opinions
> about whether premiums paid for insurance coverage provide a meaningful
> ROI.  So not only does this ballot reduce the coverage amount, but it also
> fine-tunes the type of coverage required in order to align better with the
> types of risks that we should be concerned about.
>
> Those involved during the drafting of the EV Guidelines should agree that
> EV Certificates represent the highest degree of quality for SSL/TLS
> certificate services commercially available in contrast to other types of
> SSL/TLS certificate services offered.   The quality of service for EV can
> be gauged in several important aspects, detailed in the EV Guidelines.
> Those measures include the degree of identity verification performed on the
> domain registrant, CA quality controls, CA/subscriber warranties, and
> importantly, the financial responsibility of a CA.  Concerning financial
> stability, the EV Guidelines require that a CA stand behind each EV
> certificate it issues--to an amount of at least $2,000 for monetary loss to
> each Subscriber or Relying Party.  This is one of the reasons that the EV
> Guidelines have required an EV-issuing CA to be sufficiently able, not just
> to maintain ongoing EV certificate operations and maintenance, but also to
> ensure that CA warranties and representations do not become empty promises.
>
> Because requirements were needed to provide assurances to users that a
> certain level of recourse would be available in the event that a CA failed
> to exercise reasonable care in approving a certificate application,
> financial responsibility was a key requirement for the EV Guidelines.  In
> 2005 and 2006 we debated amounts required for insurance.  At the time, most
> CAs felt that $10 million was the maximum, and we settled on the $5 million
> and $2 million amounts.  Today, $3 million in insurance coverage is a very
> reasonable amount for a CA to carry.
> Since Day 1 of the CA/Browser Forum, insurance has been an important
> requirement for EV.  Back in May 2005, GeoTrust proposed that every CA and
> auditor have a $10 million professional liability / errors and omissions
> insurance policy.  The minutes of the May 2006 meeting indicate, “The chief
> purpose of financial stability requirements was to avoid the risk of
> catastrophic financial collapse and compromise of the roots and inability
> to maintain current OCSPs/CRLs.”  As I’ve mentioned previously, throughout
> 2006 we discussed the need for insurance and the question was not “if”
> there was an insurance requirement, but what it should be.  Finally, in
> August 2006 we settled on what is currently Section 8.4 (Insurance
> Requirements) and decided that the language chosen at that time was the
> most efficient way to ensure the financial responsibility of CAs.  The
> proposed language of Ballot 133 does the same thing today as what we
> intended the insurance language to do back in August 2006—provide a
> backstop that mitigates the risk of catastrophic CA failure.


And this is where the debate about whether or not insurance provides any
value.

If a CA is compromised, through hostile act or negligence, there are
several ways in which the infrastructure necessary to maintain current
OCSPs and CRLs can be rendered untrustworthy. DigiNotar is a prime example
of this, in which the misissued certificates were not even known by
DigiNotar, because they were not adequately logged.

As such, because this risk exists in the system (and recall that they were
indeed audited), Relying Parties MUST accept that OCSP/CRLs are
INSUFFICIENT to deal with the risk of compromise or collapse.

As such, browsers have developed programs to deal with this out of band.
CRLSets. OneCRL. Certificate Distrust Lists.

If such systems are good enough for the catastrophic failures where the
OCSP/CRL system is rendered unreliable, why are they not good enough for
the failures when the OCSP/CRL system is still viewed as "reliable" (or at
least, in which the signing keys have not been compromised?)

Between the RP agreements in most CP/CPSes, and the language itself
regarding the practices, you've heard from several browsers that have,
under advice, been given the opinion that such insurance does not provide
meaningful recourse for them.

To this end, why does it make sense to enforce a requirement that is not
technically fit for purpose (as demonstrated by DigiNotar), nor actionable
(as advised by counsel), but which encumbers members?

I can certainly understand that some CAs would prefer a "cost of doing
business" be imposed on new entrants. However, that's of dubious nature.

I can certainly understand a desire to prevent "fly by night" operators.
But that's incumbent upon the root store programs, and you've heard from at
least two that believe this doesn't meaningfully prevent such "fly by
night".

So while it's great to understand why the Forum introduced it, what we do
know is that it's failed to meet the Forum's goals. So why should we
pretend it does? Simply for historic reasons?


>
> Why do we have an EV insurance requirement?  An effective information
> security risk management program consists of risk avoidance, risk
> reduction, risk spreading, risk transfer, and risk acceptance.  There is no
> such thing as 100% perfect information security, so risk will remain with
> any system, even after applying industry best-practice controls that aim to
> avoid, reduce, or spread risk.  With unmitigated risks present in any CA
> system, the remaining options are (1) transfer risk or (2) accept risk.
>  CA/Browser Forum members should still be concerned about an unjustified
> acceptance of risk by a “fly-by-night” CA that simply treats residual risk
> as its own “risk of doing business” without regard to the negative
> consequences to third parties.  Thus, the “transfer of risk” approach has
> been adopted with this insurance requirement.  Contemporaneously with the
> Forum’s adoption of the insurance provision,  an exception was added for
> any CA that was essentially self-insured because it had “five hundred
> million US dollars in liquid assets” – that was the bar that was set for
> CAs choosing strictly the risk-acceptance approach.  (Actually, this
> provision should have stated “five hundred million US dollars in current
> assets” which is the correct terminology for calculating a quick ration,
> but that error also is proposed for correction in this Ballot 133.)   CAs
> who prefer a risk-acceptance approach can still have a hybrid with the
> insurance-based “transfer of risk” approach and “hedge their bets” by
> increasing the “retention amount” when negotiating the price of insurance
> with $3 million coverage.  A retention amount is like a deductible—it is
> the amount of risk that is retained by the CA.  So, because the EV
> Guidelines do not limit risk-retention amounts, there is plenty of
> flexibility for any CA in obtaining the coverage required by the proposed
> ballot.
>
> Again, insurance goes hand-in-hand with security controls and the
> guidelines of the CA/Browser Forum—by following and being audited to
> standards, CAs are in the best position to control risks and because of
> this, insurers should be willing to insure the residual risk because the
> CA’s loss will be occasioned by chance-- not due to the carelessness or
> indifference about maintaining CA system security.
>
> Ballot 133 is in response to requests of CAs which have been:
> 1-      These types of insurance are too difficult to obtain in my country
> 2-      Insurance is too expensive
> 3-      The current insurance requirement does not cover anticipated
> incidents
>
> As a result, I have researched insurance and interviewed insurance company
> representatives on changes to the language that would be best, based on the
> situations that we face as CAs and Browsers concerned about the utility and
> reliability of SSL certificates.   The feedback has been that it is not
> easy to phrase a global standard because of the differences in legal
> systems and insurance environments around the globe.  Conversely, we know
> that the Internet is global in reach, and a CA located in one country can
> affect the lives of persons globally.    Another challenge has been that if
> the policy wording is switched from the current language to something else
> it will be too difficult to change policies mid-term.  The proposal that
> offered transition dates was too confusing, which lead to the approach
> taken here, which was to make compliance easier, although there still might
> be questions on whether certain types of coverage or policies meet the
> proposed requirement.  Also, some CAs have indicated that they are shopping
> in the insurance market right now, and they need to know what coverage will
> be appropriate.  This is another reason why this ballot should go forward
> and be voted upon.
>
> As additional background, Commercial General Liability (CGL) insurance was
> named in Section 8.4 because it was a type of insurance well-known in the
> U.S. that would cover all common types of insurance that an operating
> business would need, and which a CA’s business partners would expect it to
> have.  It includes property and casualty losses and public liability
> coverage for personal/bodily/physical injuries and/or property damage to
> the public for claims arising out of operations.  However, over the last
> several years court cases have held that it doesn’t cover certain types of
> damage to intangibles, unless the language in the policy is specific that
> it does.  So even though many CAs will still maintain CGL coverage, it is
> no longer worth having as an EV requirement.
>
> Another response to opponents of an insurance requirement is that for
> centuries insurance has served as a global mechanism to re-distribute risk
> associated with global commerce.  If the right insurance is selected, and
> if the CA makes good faith efforts to follow common industry security
> practices, it is unlikely that an insurer will deny coverage, provided that
> the type of peril is acknowledged in the insurance policy, which is why
> Ballot 133 makes clear that the policy must not exclude coverage when
> providing cryptographic, digital signature, or public key infrastructure
> services.  Insurance companies have over $25 trillion in assets under
> management; in the case of claims against a CA with clear liability and
> catastrophic loss, it is likely that the insurer would rather tender the
> policy limits than defend the case.  The argument that the insurance
> requirement will not prevent a CA from closing up shop and disappearing
> during the night runs contrary to the good will that a CA intending to stay
> in operation should seek to engender.  A CA worth its salt will maintain a
> certain level of insurance, and third parties relying on the services of
> the CA should have assurance that it will.  Also, in the event of
> bankruptcy, receivership, or whatever, the insurance will either be an
> asset of the estate or the bankruptcy court can abstain and a direct
> obligation of the insurer and liability can be established in court, see
> Landry v. Exxon Pipeline Co., 260 B.R. 769 (Bkrtcy.M.D.La. 2001), or an
> interpleader/adversary proceeding could take place as the trustee, judge,
> or administrator determines how proceeds are distributed--whether claims
> are paid pro rata, on a first-come basis, or for damage mitigation, e.g. to
> ensure that the CA “fails gracefully.”
>
> I could go on with my discourse, but I’ll spare you the trouble … unless
> anyone wants to consider additional resources, which I’m happy to provide.
>
> For additional benefit, here is an overview of some insurance terms:
>
> Property insurance – Covers damage to physical property
>
> Liability Insurance – Protects against third party claims, i.e., payment
> is not typically made to the insured, but rather to someone suffering loss
> who is not a party to the insurance contract and it usually does not cover
> damage caused intentionally or agreed to by contract (the latter requires
> contractual liability insurance)
>
> Casualty insurance -- Covers injuries resulting solely from an inevitable
> accident and not from negligence, something that cannot be foreseen or
> guarded against.
>
> Commercial General Liability insurance – “covers bodily injury and
> property damage arising out of premises, operations, products, and
> completed operations; and advertising and personal injury liability”
> (evolved from “general liability” and “corporate general liability” forms
> and is what has been common in the United States for most businesses for
> the past 30+ years).
>
> Technology E&O insurance - covers both liability and property loss
> exposures . Liability part covers losses resulting from: (a) technology
> services, (b) technology products, (c) media content, and (d) network
> security breaches. Property part covers damage mitigation related to
> extortion threats, crisis management expenses, and business interruption.
>
>
> -----Original Message-----
> From: Gervase Markham [mailto:gerv at mozilla.org]
> Sent: Friday, October 3, 2014 4:07 AM
> To: Ryan Sleevi; Ben Wilson
> Cc: CABFPub
> Subject: Re: [cabfpub] Ballot 133 - Insurance Requirements for EV Issuers
>
> On 02/10/14 20:47, Ryan Sleevi wrote:
> > It's likely we'd abstain from such a ballot as presented, or support
> > such a ballot that removed the requirement.
>
> This is likely to be our position also. /Pace/ Ben, but we maintain based
> on legal advice that this particular insurance requirement (not the concept
> of insurance in general!) is extremely unlikely to lead to practical
> benefit for anyone. Its presence either has no effect (if CAs are required
> to have the insurances already by other bodies) or leads to increased and
> unnecessary costs for CAs (if they are not).
>
> Gerv
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20141008/d680d493/attachment-0001.html