[cabfpub] Ballot 133 - Insurance Requirements for EV Issuers

Ryan Sleevi sleevi at google.com
Thu Oct 2 19:47:01 UTC 2014

Note that I have no objections to the current wording in spirit, although
as noted in the past, the notion of insurance requirements doesn't really
align as a practical or technical matter.

For example, the insurance required in (A) does not cover any security
impact/chemspills that might be caused by the destruction of an HSM
responsible for CRL signing. At best, this falls under the "SHOULD maintain
coverage", but figuring out what impact or liability there is for such an
incident is a game that lawyers and insurers would love to pad their
billables with, but without making much of a practical difference.

There is equally a huge number of mistakes a CA can make - such as
accidentally revoking a certificate that may take a company offline or
prevent code signing from working - that would not even begin to be covered.

It's likely we'd abstain from such a ballot as presented, or support such a
ballot that removed the requirement.

On Wed, Oct 1, 2014 at 7:54 PM, Ben Wilson <ben.wilson at digicert.com> wrote:

> *Please take a look and let me know your comments.*
> *Ballot 133 - Insurance Requirements for EV Issuers*
> Purpose
> The purpose of this ballot is to simplify the insurance requirements in
> section 8.4 of the EV Guidelines by replacing commercial general liability
> in (A) with an ordinary property casualty insurance requirement and to
> simplify third party liability coverage in (B) and reduce the required
> amount of that coverage down to $3 million. This should make it easier for
> CAs to obtain insurance required by the EV Guidelines.
> 1. Amend the second paragraph of Section 8.1 as follows:
> If a court or government body with jurisdiction over the activities
> covered by these Guidelines determines that the performance of any
> mandatory requirement is illegal *or would conflict with local law*, then
> such requirement is considered reformed to the minimum extent necessary to
> make the requirement valid and legal. This applies only to operations, or certificate
> issuances, *or insurance requirements* that are subject to the laws of
> that jurisdiction. The parties involved SHALL notify the CA / Browser Forum
> of the facts, circumstances, and law(s) involved, so that the CA/Browser
> Forum may revise these Guidelines accordingly.
> 2. Amend Section 8.4 as follows:
> *8.4.  Insurance *
> Each CA SHALL maintain the following insurance related to their *its *respective
> performance and obligations under these Guidelines:
> *(A) Property insurance for casualty/perils of fire, water, electrical
> failure, and natural disaster in sufficient amount to cover damage or loss
> to physical assets used to issue and maintain EV Certificates*, Commercial
> General Liability insurance (occurrence form) with policy limits of at
> least two million US dollars in coverage; and
> (B) Professional Liability, Errors and Omissions insurance, with policy
> limits of at least five *three *million US dollars in coverage*, per
> claim and in the aggregate*, and including coverage for (i) claims for *direct
> *damages arising out of a *negligent* act, error, or omission, unintentional
> breach of contract, or neglect in issuing or maintaining EV Certificates,
> and (ii) claims for damages arising out of infringement of the proprietary
> rights of any third party (excluding copyright, and trademark
> infringement), and invasion of privacy and advertising injury.
> *(1)* Such insurance* MUST NOT exclude coverage when providing
> cryptographic, digital signature, or public key infrastructure services; *
> *and*
> *(2) Such insurance *must:
> *(i) be maintained for all periods during which an EV Certificate issued
> by the CA is still valid (and if coverage is canceled or not renewed, the
> CA shall purchase an extended reporting period for such periods);*
> *(ii) include coverage for those territories where the CA provides EV
> Certificates; and*
> *(iii)* be with a company rated *good or better by Standard & Poor's,
> A.M.* no less than A- as to Policy Holder’s Rating in the current edition
> of Best's Insurance Guide*, Fitch, Moody's, DBRS, Japan Credit Rating
> Agency, Creditreform, Scope Ratings, or another similarly recognized
> insurance rating agency *(or with an association of companies each of the
> members of which are so rated).
> *If available at reasonable cost, a CA SHOULD maintain coverage for damage
> or loss to data, software, systems, and for business interruption due to IT
> security failure, malware, network attack, criminal hacker, or theft. *
> A CA MAY self-insure for liabilities that arise from such party's
> performance and obligations under these Guidelines provided that it has at
> least five hundred million US dollars in liquid *current *assets based on
> audited financial statements in the past twelve months, and a quick ratio
> (ratio of liquid *current* assets to current liabilities) of not less
> than 1.0.