[cabfpub] Ballot 133 - Insurance Requirements for EV Issuers

Ryan Sleevi sleevi at google.com
Wed Oct 8 22:52:13 MST 2014


On Oct 9, 2014 1:32 AM, "Ben Wilson" <ben.wilson at digicert.com> wrote:
>
> Any lawyer would challenge the validity of the CP/CPS disclaimer on the
basis of inadequate notice.
>
> Everyone in the world who suffers harm caused by the breach of a duty
that a CA was supposed to perform has a claim.
>
> It’s basic tort law – duty, a breach of that duty, which breach is a
cause of measurable harm.
>

A cursory examination will show you that no provisions exist for UAs in
terms of liability, nor for server operators, nor for any RP using any
modern client unless configured in such a way as to make the web unusable,
which no client will do.

The CA has no relationship with example.com, only the Subscriber/Applicant,
which may not be example.com (in the all too common case of misissuance), so
no duty has been breached.

Similarly, establishing any basis of claims for an RP requires establishing
how they were harmed by the failure to perform. How do you quantify a cost for
a privacy breach? How is the RP to demonstrate that their password was
compromised? Or that they even accessed the site via the attacker's control?

This isn't hypothetical. You (DigiCert) are a prime example of disclaiming
any warranty unless the RP (the user visiting a site with a certificate
issued by DigiCert) has read your RP Agreement, as documented at
https://www.digicert.com/ssl-cps-repository.htm

Just reading that policy, any lay person can see that Section 3.2 alone
disqualifies virtually every RP out there from making a claim against you.
Heck, Section 3.2, (iv) alone exempts you from any compromises that were
not directly part of a financial transaction.

For example, if you misissued a cert for mail.google.com, and every single
GMail user's password was compromised, and the attacker then used that to
exploit password resets against (banks, Mint, Amazon, etc), and then
ordered merchandise using your stored financial information, not a single
one of those users would be entitled to a claim against DigiCert, based on
the RPA they never would have read anyway.

This is precisely why insurance is a silly and unnecessary thing - because
it has enough holes to drive a truck through, and ignores the most pressing
concerns with the CA ecosystem, all in favor of "cost of doing business".

Since the questions I'm asking are going continually unanswered (and I have
tried to rephrase them repeatedly, so that there is no confusion as to what
I am asking or trying to understand), I don't think I'll have any chance at
understanding your position, not for lack of trying, but because it hasn't
been clearly articulated.

To save time, I have tried to reduce things down to a yes or no question:

Would Digicert support a ballot that removed the insurance requirement
entirely, as a means of addressing the concerns over type and quantity of
insurance? Yes or No?

>
>
> From: Ryan Sleevi [mailto:sleevi at google.com]
> Sent: Wednesday, October 8, 2014 10:59 PM
>
> To: Ben Wilson
> Cc: Gervase Markham; CABFPub
> Subject: RE: [cabfpub] Ballot 133 - Insurance Requirements for EV Issuers
>
>
>
> Ben,
>
> The question is not "why the ballot", and hasn't been for some time.
You've repeatedly provided ample explanation why this ballot.
>
> The question is "Why insurance at all". The only meaningful explanation
provided yet is to keep CRLs and OCSP operational, and yet that is
demonstrably insufficient (DigiNotar maintaining OCSP capability would NOT
have protected RPs, even those with hard fail OCSP).
>
> As to who, your explanation still ignores my previous email, which is
that the vast majority of CP/CPS effectively disclaim any such liability in
the Web PKI.
>
> For sake of simplicity, since we keep ending up in the weeds, it might be
easier if you provided 1-3 examples of "real world" scenarios you think
that insurance should pay out, and to whom, and then we can figure out how
much.
>
> For example:
> - If CA 1 misissues a cert for example.com because they failed to check
DNS, does anyone have a claim?
>
> - If CA 2 misissues a cert for example.com because they decided that
hiring a small plane to write in the sky "please give Jane a cert for
example.com" constituted an 'equivalent method' of validating authorization
for a domain, does anyone have a claim?
>
> - If CA 3 accidentally revokes a certificate for example.com because they
thought it was being used to serve malware, but it wasn't, does anyone have
a claim?
>
> - If CA 4 misissues a certificate for example.com, but then revokes it,
and this act gets picked up in the press as 'example.com gets hacked', does
anyone have a claim?
>
> I am providing concrete examples that, save for Jane's skywriting
adventure, very much happen, and the answer to all of these is "No, no one
has any guaranteed chance of a claim" under the current BRs.
>
> Is there _any_ real world situation where the presence of insurance and
the requirements set forth in the BR have even a chance of a claim?
>
> I'm quite aware that you've proposed a set of aggregate categories and a
lengthy discussion of the types of insurance employed. But frankly, I see
nothing that would actually do anything to improve security in any concrete
form (e.g. as guaranteed by the BRs, the lowest common denominator for cert
issuance).
>
> On Oct 9, 2014 12:42 AM, "Ben Wilson" <ben.wilson at digicert.com> wrote:
>
> Who?  Insurance under the ballot primarily protects the CA when liability
is questionable, but it protects anyone with a covered claim when the CA is
negligent.  Insurance proceeds, in the case of liability insurance, are
paid to the injured party.  If members all want a more direct path to
compensation without regard to the CA, then a different ballot would have
to propose a bond or surety payable to a browser, victim compensation fund,
or whomever.
>
> Why is the current language (liability insurance) necessary?   A CA with
$500 million in current assets and a current asset-to-debt ratio of 1 or
greater does not need insurance.  CAs like Symantec, TrendMicro, and Wells
Fargo have those kinds of assets, the rest of us do not.  As explained, the
insurance protects the CA with a legal defense if the case is litigated –
that is the duty to defend part of the policy.  However, if the CA is
liable for damages because of negligence, then the insurance pays the
amount of the loss up to the policy limits.  It is money that the CA does
not have to pay, and therefore enables the CA to stay in business and
continue providing services.  The alternative is an environment with
survival of the fittest—CAs who fail go out of business and pretty soon no
one trusts CAs—I am strongly opposed to that scenario.
>
>
>
> From: Ryan Sleevi [mailto:sleevi at google.com]
> Sent: Wednesday, October 8, 2014 10:19 PM
> To: Ben Wilson
> Cc: CABFPub; Gervase Markham
> Subject: RE: [cabfpub] Ballot 133 - Insurance Requirements for EV Issuers
>
>
>
> If any decision has been made, it's been because of a lack of convincing
evidence, not because there isn't an honest and genuine desire to
understand the issues at play here.
>
> If this ballot fails, then the concerns you and other members have raised
go unaddressed. That would be unfortunate, if only because it's always
unfortunate when members concerns are unaddressed. You've provided ample
evidence as to why the current language is a concern, and why the Forum
should attempt to resolve this concern. Trust me, I'm sold on this.
>
> The question is, if not this, then how do we attempt to resolve those
concerns? A ballot to remove the insurance requirement altogether would
meet that requirement, but it's unclear whether or not that would succeed.
>
> Your messages suggest you would be opposed to such a ballot. I am trying
to understand why. If this ballot doesn't succeed because the browsers view
insurance as unnecessary, and if a ballot to remove it doesn't succeed
because CAs view it as necessary, then we aren't really making progress.
>
> So please help me understand your position by working from the core
question - why is insurance necessary and who does it protect?
>
> If we can establish that there is any possibility of it having value,
then the natural next questions are "how do we ensure that value is
realized" (e.g. that it is not wholly disclaimed via an unreasonable
CP/CPS) and how much of it is necessary?
>
> But let's not presume that if $10 million of insurance is bad, $3 million
is better. What you're hearing is that $10 million is bad for multiple
reasons, and $3 million is still bad too.
>
> On Oct 9, 2014 12:06 AM, "Ben Wilson" <ben.wilson at digicert.com> wrote:
>
> You have already made up your mind to oppose this ballot, so why should I
put forth any more effort to try to convince you?
>
>
>
> From: Ryan Sleevi [mailto:sleevi at google.com]
> Sent: Wednesday, October 8, 2014 10:04 PM
> To: Ben Wilson
> Cc: Gervase Markham; CABFPub
> Subject: RE: [cabfpub] Ballot 133 - Insurance Requirements for EV Issuers
>
>
>
>
> On Oct 8, 2014 11:56 PM, "Ben Wilson" <ben.wilson at digicert.com> wrote:
> >
> > The part you quote me as saying, “to maintain CRL and OCSP
infrastructure,” comes from others who argued for it back in 2005, so it
wasn’t me who said it.
> >
>
> It was the only justification you gave for the original requirements, and
which you quoted specifically in the context of trying to answer why.
>
> What I asked of you in the previous message, and which remains
unanswered, is why you feel insurance is meaningful, since you're ardently
defending it here.
>
> If you don't feel it is (and that would both surprise and please me),
then we should be removing, not reducing.
>
> > Your argument about the current CP/CPS language as the only situation
where insurance comes into play is a convenient strawman that you put up
just to knock down.
> >
> > “Who” can make a claim and ”why” is up to you – I don’t know why you’re
asking me.
>
> It's not a straw man, and that isn't an answer.
>
> As we discussed in past calls, why is the ballot simply not to remove it
as a requirement - which you've heard two browsers express support for.
>
> I don't care about the why is this language reducing, because ANY such
requirement presumes insurance is valuable. What I'm asking is why do we
even have it.
>
> Your previous message said "cost of doing business," but failed to
express why such a cost existed. The original justification given - which
you quoted - doesn't hold. The provided explanation "that it protects
people", fails to deal with the very real issue that the set of people it
protects is virtually zero. So it doesn't protect "people" as an abstract,
it protects a near-zero sum population.
>
> So why have it? And who should it be for?
>
> These aren't straw man arguments - these are key to establishing why
there should be any proposal other than "remove it".
>
> >
> >
> >
> > From: Ryan Sleevi [mailto:sleevi at google.com]
> > Sent: Wednesday, October 8, 2014 9:44 PM
> > To: Ben Wilson
> > Cc: CABFPub; Gervase Markham
> > Subject: RE: [cabfpub] Ballot 133 - Insurance Requirements for EV
Issuers
> >
> >
> >
> > Ben,
> >
> > No investigation into DigiNotar's insurance is necessary, so I'm
shocked you would think it is. The facts exist that the purpose of
insurance, as you stated (to maintain CRL and OCSP infrastructure) was
unnecessary, because the infrastructure was so thoroughly compromised. NO
amount of insurance can deal with that.
> >
> > As such, browsers have systems in place for such complete compromise,
which is equally sufficient for _less_ complete compromises.
> >
> > I don't see how you can claim it promotes good security, since it's
insufficient for dealing with the things browsers care most about. At best,
it seems to be a tool to try and establish liability - but browsers are
clearly telling CAs that liability exists, insurance or not.
> >
> > I can't see how, in the same message, you can suggest "For many
industries, CAs included, insurance is just a cost of doing business" and
then simultaneously assert you're not using insurance as a barrier for
entry.
> >
> > Let's take a step back. You've talked at extreme length about the
challenges with the current language, the problems CAs face in obtaining
it, etc, but are ignoring the two extremely pertinent and relevant
questions.
> >
> > It is NOT about "what" and "how much" (which you have devoted great
time to), but about "why" and "for who"? I'm very much challenging your
statements about "why" (and 'just because', which is what 'cost of doing
business' reads as, is not a good answer) and "who"
> >
> > Under the current CP/CPS, if someone issues a fraudulent cert for
example.com, example.com can't claim damages. The browser cannot claim
damages. Only the users who visited example.com can claim damages, and only
if they used an application in a configuration that does not exist in the
real world, save for some very baroque and unusable conditions. Even if
there was a "why" that made sense, the "who" is, under current terms,
extremely questionable.
> >
> > Let's stop focusing on terminology appendices for the type of
insurance, and focus on first principles. What reasons, beyond OCSP/CRL
serving infrastructure, is it meant to address, and who, in the real world
of applications and Internet browsers and servers, can make a claim?
> >
> > On Oct 8, 2014 11:29 PM, "Ben Wilson" <ben.wilson at digicert.com> wrote:
> >
> > Whether browser security methods, systems, etc. are good enough remains
to be seen in the long term.  Citing Diginotar is insufficient proof of
failure for the insurance-based risk-mitigation method-- unless you have
investigated and can elaborate on all of the facts and circumstances about
the particular insurance coverage, denial of coverage, etc., and whether
appropriate inquiries for insurance coverage were denied and then
challenged for bad faith denial of coverage.  My argument is that insurance
goes hand-in-hand with promoting good security practices, and along with
compliance audits they establish an integrated risk management strategy.
Browsers will do whatever browsers do, but these three things are within a
CA’s control, and the best place to mitigate risk is always with those who
are in the best position with the ability to do something about it.
> >
> >
> >
> > Ballot 133 removes the specifics of that type of liability insurance
requirement because some have said it was too difficult to obtain in areas
with emerging economies—so even if you perceive an insurance requirement as
a mere barrier to entry, that barrier is dropping, and more because there
will only be $3 million in liability coverage required, although some might
argue that $3 million is not enough.  For many industries, CAs included,
insurance is just a cost of doing business, and the new language is
balanced and allows plenty of flexibility, in several different ways,
including an unlimited retention amount.  With CAs I’ve talked to, after a
little research with their broker, they understand better what is available
in the market.  I’ve also been told by brokers that pricing for this type
of coverage is very competitive.   Members can use their search engine of
preference to look for “technology e&o” and to see what is available.  So,
as a practical matter, I don’t see it as any barrier to entry.   I’ve also
uploaded some of my insurance research to the wiki here:
https://cabforum.org/wiki/Insurance .  I think a thorough reading of this
material disproves the claim that this insurance requirement is of
miniscule benefit.
> >
> >
> >
> > Moreover, this is not a barrier to entry for entities desiring to
become publicly trusted CAs.  This is a requirement of the Extended
Validation Guidelines, not the Baseline Requirements and not browser root
programs.  Browsers are free to allow a CA into their trust stores without
any financial ability, responsibility, or insurance whatsoever--you can
still accept them and rely on browser-based security measures, but Extended
Validation certificates have a known level of quality, which shouldn’t be
devalued or deprecated by encouraging a new race to the bottom.  I am not
saying that insurance is the best answer, but no one has put forward a
serious proposal for financial guarantees, performance bonds, escrow
deposits, or other financial responsibility mechanisms, recently.  I think
I’ve shown sufficient reasoning for amending the financial responsibility /
insurance requirement as one way to force the internalization of risk, and
it’s also an established method used in other areas such as automobile
insurance, commercial products, banking, etc.
> >
> >
> >
> >
> >
> > From: Ryan Sleevi [mailto:sleevi at google.com]
> > Sent: Wednesday, October 8, 2014 3:34 PM
> > To: Ben Wilson
> > Cc: Gervase Markham; CABFPub
> > Subject: Re: [cabfpub] Ballot 133 - Insurance Requirements for EV
Issuers
> >
> >
> >
> >
> >
> >
> >
> > On Tue, Oct 7, 2014 at 6:39 PM, Ben Wilson <ben.wilson at digicert.com>
wrote:
> >
> > All,
> > Proposed Ballot 133 represents a substantial reduction in the amount of
and a change in the type of insurance that is needed to be qualified as an
issuer of an EV certificate.  This proposal reduces the required coverage
amount to a little over $3 million (counting coverage for property casualty
loss)—less than half of what it is today.  Those arguing against an
insurance requirement have generally centered their arguments on opinions
about whether premiums paid for insurance coverage provide a meaningful
ROI.  So not only does this ballot reduce the coverage amount, but it also
fine-tunes the type of coverage required in order to align better with the
types of risks that we should be concerned about.
> >
> > Those involved during the drafting of the EV Guidelines should agree
that EV Certificates represent the highest degree of quality for SSL/TLS
certificate services commercially available in contrast to other types of
SSL/TLS certificate services offered.   The quality of service for EV can
be gauged in several important aspects, detailed in the EV Guidelines.
Those measures include the degree of identity verification performed on the
domain registrant, CA quality controls, CA/subscriber warranties, and
importantly, the financial responsibility of a CA.  Concerning financial
stability, the EV Guidelines require that a CA stand behind each EV
certificate it issues--to an amount of at least $2,000 for monetary loss to
each Subscriber or Relying Party.  This is one of the reasons that the EV
Guidelines have required an EV-issuing CA to be sufficiently able, not just
to maintain ongoing EV certificate operations and maintenance, but also to
ensure that CA warranties and representations do not become empty promises.
> >
> > Because requirements were needed to provide assurances to users that a
certain level of recourse would be available in the event that a CA failed
to exercise reasonable care in approving a certificate application,
financial responsibility was a key requirement for the EV Guidelines.  In
2005 and 2006 we debated amounts required for insurance.  At the time, most
CAs felt that $10 million was the maximum, and we settled on the $5 million
and $2 million amounts.  Today, $3 million in insurance coverage is a very
reasonable amount for a CA to carry.
> > Since Day 1 of the CA/Browser Forum, insurance has been an important
requirement for EV.  Back in May 2005, GeoTrust proposed that every CA and
auditor have a $10 million professional liability / errors and omissions
insurance policy.  The minutes of the May 2006 meeting indicate, “The chief
purpose of financial stability requirements was to avoid the risk of
catastrophic financial collapse and compromise of the roots and inability
to maintain current OCSPs/CRLs.”  As I’ve mentioned previously, throughout
2006 we discussed the need for insurance and the question was not “if”
there was an insurance requirement, but what it should be.  Finally, in
August 2006 we settled on what is currently Section 8.4 (Insurance
Requirements) and decided that the language chosen at that time was the
most efficient way to ensure the financial responsibility of CAs.  The
proposed language of Ballot 133 does the same thing today as what we
intended the insurance language to do back in August 2006—provide a
backstop that mitigates the risk of catastrophic CA failure.
> >
> >
> >
> > And this is where the debate about whether or not insurance provides
any value.
> >
> >
> >
> > If a CA is compromised, through hostile act or negligence, there are
several ways in which the infrastructure necessary to maintain current
OCSPs and CRLs can be rendered untrustworthy. DigiNotar is a prime example
of this, in which the misissued certificates were not even known by
DigiNotar, because they were not adequately logged.
> >
> >
> >
> > As such, because this risk exists in the system (and recall that they
were indeed audited), Relying Parties MUST accept that OCSP/CRLs are
INSUFFICIENT to deal with the risk of compromise or collapse.
> >
> >
> >
> > As such, browsers have developed programs to deal with this out of
band. CRLSets. OneCRL. Certificate Distrust Lists.
> >
> >
> >
> > If such systems are good enough for the catastrophic failures where the
OCSP/CRL system is rendered unreliable, why are they not good enough for
the failures when the OCSP/CRL system is still viewed as "reliable" (or at
least, in which the signing keys have not been compromised?)
> >
> >
> >
> > Between the RP agreements in most CP/CPSes, and the language itself
regarding the practices, you've heard from several browsers that have,
under advice, been given the opinion that such insurance does not provide
meaningful recourse for them.
> >
> >
> >
> > To this end, why does it make sense to enforce a requirement that is
not technically fit for purpose (as demonstrated by DigiNotar), nor
actionable (as advised by counsel), but which encumbers members?
> >
> >
> >
> > I can certainly understand that some CAs would prefer a "cost of doing
business" be imposed on new entrants. However, that's of dubious nature.
> >
> >
> >
> > I can certainly understand a desire to prevent "fly by night"
operators. But that's incumbent upon the root store programs, and you've
heard from at least two that believe this doesn't meaningfully prevent such
"fly by night".
> >
> >
> >
> > So while it's great to understand why the Forum introduced it, what we
do know is that it's failed to meet the Forum's goals. So why should we
pretend it does? Simply for historic reasons?
> >
> >
> >>
> >>
> >> Why do we have an EV insurance requirement?  An effective information
security risk management program consists of risk avoidance, risk
reduction, risk spreading, risk transfer, and risk acceptance.  There is no
such thing as 100% perfect information security, so risk will remain with
any system, even after applying industry best-practice controls that aim to
avoid, reduce, or spread risk.  With unmitigated risks present in any CA
system, the remaining options are (1) transfer risk or (2) accept risk.
CA/Browser Forum members should still be concerned about an unjustified
acceptance of risk by a “fly-by-night” CA that simply treats residual risk
as its own “risk of doing business” without regard to the negative
consequences to third parties.  Thus, the “transfer of risk” approach has
been adopted with this insurance requirement.  Contemporaneously with the
Forum’s adoption of the insurance provision,  an exception was added for
any CA that was essentially self-insured because it had “five hundred
million US dollars in liquid assets” – that was the bar that was set for
CAs choosing strictly the risk-acceptance approach.  (Actually, this
provision should have stated “five hundred million US dollars in current
assets” which is the correct terminology for calculating a quick ratio,
but that error also is proposed for correction in this Ballot 133.)   CAs
who prefer a risk-acceptance approach can still have a hybrid with the
insurance-based “transfer of risk” approach and “hedge their bets” by
increasing the “retention amount” when negotiating the price of insurance
with $3 million coverage.  A retention amount is like a deductible—it is
the amount of risk that is retained by the CA.  So, because the EV
Guidelines do not limit risk-retention amounts, there is plenty of
flexibility for any CA in obtaining the coverage required by the proposed
ballot.
> >>
> >> Again, insurance goes hand-in-hand with security controls and the
guidelines of the CA/Browser Forum—by following and being audited to
standards, CAs are in the best position to control risks and because of
this, insurers should be willing to insure the residual risk because the
CA’s loss will be occasioned by chance-- not due to the carelessness or
indifference about maintaining CA system security.
> >>
> >> Ballot 133 is in response to requests of CAs which have been:
> >> 1- These types of insurance are too difficult to obtain in my country
> >> 2- Insurance is too expensive
> >> 3- The current insurance requirement does not cover anticipated incidents
> >>
> >> As a result, I have researched insurance and interviewed insurance
company representatives on changes to the language that would be best,
based on the situations that we face as CAs and Browsers concerned about
the utility and reliability of SSL certificates.   The feedback has been
that it is not easy to phrase a global standard because of the differences
in legal systems and insurance environments around the globe.  Conversely,
we know that the Internet is global in reach, and a CA located in one
country can affect the lives of persons globally.    Another challenge has
been that if the policy wording is switched from the current language to
something else it will be too difficult to change policies mid-term.  The
proposal that offered transition dates was too confusing, which led to the
approach taken here, which was to make compliance easier, although there
still might be questions on whether certain types of coverage or policies
meet the proposed requirement.  Also, some CAs have indicated that they are
shopping in the insurance market right now, and they need to know what
coverage will be appropriate.  This is another reason why this ballot
should go forward and be voted upon.
> >>
> >> As additional background, Commercial General Liability (CGL) insurance
was named in Section 8.4 because it was a type of insurance well-known in
the U.S. that would cover all common types of insurance that an operating
business would need, and which a CA’s business partners would expect it to
have.  It includes property and casualty losses and public liability
coverage for personal/bodily/physical injuries and/or property damage to
the public for claims arising out of operations.  However, over the last
several years court cases have held that it doesn’t cover certain types of
damage to intangibles, unless the language in the policy is specific that
it does.  So even though many CAs will still maintain CGL coverage, it is
no longer worth having as an EV requirement.
> >>
> >> Another response to opponents of an insurance requirement is that for
centuries insurance has served as a global mechanism to re-distribute risk
associated with global commerce.  If the right insurance is selected, and
if the CA makes good faith efforts to follow common industry security
practices, it is unlikely that an insurer will deny coverage, provided that
the type of peril is acknowledged in the insurance policy, which is why
Ballot 133 makes clear that the policy must not exclude coverage when
providing cryptographic, digital signature, or public key infrastructure
services.  Insurance companies have over $25 trillion in assets under
management; in the case of claims against a CA with clear liability and
catastrophic loss, it is likely that the insurer would rather tender the
policy limits than defend the case.  The argument that the insurance
requirement will not prevent a CA from closing up shop and disappearing
during the night runs contrary to the good will that a CA intending to stay
in operation should seek to engender.  A CA worth its salt will maintain a
certain level of insurance, and third parties relying on the services of
the CA should have assurance that it will.  Also, in the event of
bankruptcy, receivership, or whatever, the insurance will either be an
asset of the estate or the bankruptcy court can abstain and a direct
obligation of the insurer and liability can be established in court, see
Landry v. Exxon Pipeline Co., 260 B.R. 769 (Bkrtcy.M.D.La. 2001), or an
interpleader/adversary proceeding could take place as the trustee, judge,
or administrator determines how proceeds are distributed--whether claims
are paid pro rata, on a first-come basis, or for damage mitigation, e.g. to
ensure that the CA “fails gracefully.”
> >>
> >> I could go on with my discourse, but I’ll spare you the trouble …
unless anyone wants to consider additional resources, which I’m happy to
provide.
> >>
> >> For additional benefit, here is an overview of some insurance terms:
> >>
> >> Property insurance – Covers damage to physical property
> >>
> >> Liability Insurance – Protects against third party claims, i.e.,
payment is not typically made to the insured, but rather to someone
suffering loss who is not a party to the insurance contract and it usually
does not cover damage caused intentionally or agreed to by contract (the
latter requires contractual liability insurance)
> >>
> >> Casualty insurance -- Covers injuries resulting solely from an
inevitable accident and not from negligence, something that cannot be
foreseen or guarded against.
> >>
> >> Commercial General Liability insurance – “covers bodily injury and
property damage arising out of premises, operations, products, and
completed operations; and advertising and personal injury liability”
(evolved from “general liability” and “corporate general liability” forms
and is what has been common in the United States for most businesses for
the past 30+ years).
> >>
> >> Technology E&O insurance - covers both liability and property loss
exposures. Liability part covers losses resulting from: (a) technology
services, (b) technology products, (c) media content, and (d) network
security breaches. Property part covers damage mitigation related to
extortion threats, crisis management expenses, and business interruption.
> >>
> >>
> >> -----Original Message-----
> >> From: Gervase Markham [mailto:gerv at mozilla.org]
> >> Sent: Friday, October 3, 2014 4:07 AM
> >> To: Ryan Sleevi; Ben Wilson
> >> Cc: CABFPub
> >>
> >> Subject: Re: [cabfpub] Ballot 133 - Insurance Requirements for EV
Issuers
> >>
> >> On 02/10/14 20:47, Ryan Sleevi wrote:
> >> > It's likely we'd abstain from such a ballot as presented, or support
> >> > such a ballot that removed the requirement.
> >>
> >> This is likely to be our position also. /Pace/ Ben, but we maintain
based on legal advice that this particular insurance requirement (not the
concept of insurance in general!) is extremely unlikely to lead to
practical benefit for anyone. Its presence either has no effect (if CAs are
required to have the insurances already by other bodies) or leads to
increased and unnecessary costs for CAs (if they are not).
> >>
> >> Gerv
> >
> >