[cabfpub] Ballot 133 - Insurance Requirements for EV Issuers
sleevi at google.com
Tue Oct 21 08:36:48 MST 2014
Google votes no.
On Oct 19, 2014 2:48 PM, "kirk_hall at trendmicro.com" <kirk_hall at trendmicro.com> wrote:
> Trend Micro votes no. Here are the reasons why:
> · Insurance is not designed to protect the public (i.e.,
> customers and relying parties), but is only designed to protect the insured
> – the CA. If the insurer can protect a bad or negligent CA by defeating
> all claims from customers and relying parties from a breach and paying
> nothing to them, it will. Based on the incomplete information we have, it
> appears a court in The Netherlands allowed Diginotar to deny coverage on
> its insurance and not pay claims.
> · The ballot is very specific as to what insurance must be
> obtained. Cyber insurance, etc. keeps changing, so the requirements of
> this ballot could soon be out of date and the required insurance could be
> unobtainable at any time in the future.
> · The insurance is probably not obtainable in some non-US
> · The price could be prohibitively high, which could drive some
> CAs from the business.
> · Most important, if we adopt this ballot, all of us (CAs and
> browsers) will be delegating to insurance companies the decision of which
> CAs get to issue EV certs, and which do not. A CA that can’t get the
> specific insurance required under this ballot will have to stop issuing EV
> certs, even though the CA has passed all audits and complies with all rules.
> · Don Sheehy, our WebTrust representative, has said the insurance
> requirements of this ballot are “unauditable”.
> · This ballot creates a new and significant barrier to entry for
> new CAs (including non-US CAs), which is not a proper reason for adding a
> requirement to the EV Guidelines.
> *Previous Ballot 121* was part of our effort to clean up the EV
> Guidelines, and would have eliminated the current insurance requirements
> under EVGL Sec. 8.4 and instead require only that CAs maintain whatever
> insurance is required (if any) by their jurisdiction of incorporation.
> Ballot 121 was *approved* by CAs by a vote of 11-4, but failed among
> browsers by a vote of 0-1 (only Mozilla voted among the browsers, and it
> voted no). Gerv then checked with Mozilla lawyers who said the current
> insurance requirements were useless, and said he will vote yes if I bring
> back the ballot – which I will do after this ballot is completed.
> The CAs who voted yes on the previous Ballot 121 to *eliminate* the
> insurance requirement were Buypass, Disig, Firmaprofesional, GlobalSign,
> GoDaddy, Izenpe, OpenTrust, SSC, Trend Micro, Turktrust, and WoSign.
> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] *On
> Behalf Of *Ben Wilson
> *Sent:* Wednesday, October 08, 2014 9:08 AM
> *To:* CABFPub
> *Subject:* [cabfpub] Ballot 133 - Insurance Requirements for EV Issuers
> *Ballot 133 - Insurance Requirements for EV Issuers*
> The following motion has been proposed by Ben Wilson of Digicert and
> endorsed by Atilla Biler of Turktrust and Dean Coclin of Symantec.
> *Purpose *
> The purpose of this ballot is to simplify the insurance requirements in
> section 8.4 of the EV Guidelines by replacing commercial general liability
> in (A) with an ordinary property casualty insurance requirement and to
> simplify third party liability coverage in (B) and reduce the required
> amount of that coverage down to $3 million. This should make it easier for
> CAs to obtain insurance required by the EV Guidelines.
> *-- MOTION BEGINS -- *
> 1. Amend the second paragraph of Section 8.1 as follows:
> If a court or government body with jurisdiction over the activities
> covered by these Guidelines determines that the performance of any
> mandatory requirement is illegal *or would conflict with local law*, then
> such requirement is considered reformed to the minimum extent necessary to
> make the requirement valid and legal. This applies only to operations, or certificate
> issuances, *or insurance requirements* that are subject to the laws of
> that jurisdiction. The parties involved SHALL notify the CA / Browser Forum
> of the facts, circumstances, and law(s) involved, so that the CA/Browser
> Forum may revise these Guidelines accordingly.
> 2. Amend Section 8.4 as follows:
> *8.4. Insurance *
> Each CA SHALL maintain the following insurance related to their *its *respective
> performance and obligations under these Guidelines:
> *(A) Property insurance for casualty/perils of fire, water, electrical
> failure, and natural disaster in sufficient amount to cover damage or loss
> to physical assets used to issue and maintain EV Certificates*, Commercial
> General Liability insurance (occurrence form) with policy limits of at
> least two million US dollars in coverage; and
> (B) Professional Liability, Errors and Omissions insurance, with policy
> limits of at least five *three *million US dollars in coverage*, per
> claim and in the aggregate*, and including coverage for (i) claims for *direct
> *damages arising out of an *negligent* act, error, or omission, unintentional
> breach of contract, or neglect in issuing or maintaining EV Certificates,
> and (ii) claims for damages arising out of infringement of the proprietary
> rights of any third party (excluding copyright, and trademark
> infringement), and invasion of privacy and advertising injury.
> *(1)* Such insurance* MUST NOT exclude coverage when providing
> cryptographic, digital signature, or public key infrastructure services; *
> *(2) Such insurance *must:
> *(i) be maintained for all periods during which an EV Certificate issued
> by the CA is still valid (and if coverage is canceled or not renewed, the
> CA shall purchase an extended reporting period for such periods);*
> *(ii) include coverage for those territories where the CA provides EV
> Certificates; and*
> *(iii)* be with a company rated *good or better by Standard & Poor's,
> A.M.* no less than A- as to Policy Holder’s Rating in the current edition
> of Best's Insurance Guide*, Fitch, Moody's, DBRS, Japan Credit Rating
> Agency, Creditreform, Scope Ratings, or another similarly recognized
> insurance rating agency *(or with an association of companies each of the
> members of which are so rated).
> *If available at reasonable cost, a CA SHOULD maintain coverage for damage
> or loss to data, software, systems, and for business interruption due to IT
> security failure, malware, network attack, criminal hacker, or theft. *
> A CA MAY self-insure for liabilities that arise from such party's
> performance and obligations under these Guidelines provided that it has at
> least five hundred million US dollars in liquid *current *assets based on
> audited financial statements in the past twelve months, and a quick ratio
> (ratio of liquid *current* assets to current liabilities) of not less
> than 1.0.
> *-- MOTION ENDS -- *
> The review period for this ballot shall commence at 2200 UTC on Wednesday,
> 8 October 2014, and will close at 2200 UTC on Wednesday, 15 October 2014.
> Unless the motion is withdrawn during the review period, the voting period
> will start immediately thereafter and will close at 2200 UTC on Wednesday,
> 22 October 2014. Votes must be cast by posting an on-list reply to this
> A vote in favor of the motion must indicate a clear 'yes' in the response.
> A vote against must indicate a clear 'no' in the response. A vote to
> abstain must indicate a clear 'abstain' in the response. Unclear responses
> will not be counted. The latest vote received from any representative of a
> voting member before the close of the voting period will be counted. Voting
> members are listed here: https://cabforum.org/members/
> In order for the motion to be adopted, two thirds or more of the votes
> cast by members in the CA category and greater than 50% of the votes cast
> by members in the browser category must be in favor. Quorum is currently
> nine (9) members: at least nine members must participate in the ballot,
> either by voting in favor, voting against, or abstaining.