[cabfpub] Ballot 133 - Insurance Requirements for EV Issuers

Moudrick M. Dadashov md at ssc.lt
Mon Oct 13 17:22:58 UTC 2014


Hi Atilla,

I agree, in the worst-case scenario the existing insurance provisions remain 
unchanged.

A possible solution to prevent this IMO would be if we amend the latest 
ballot wording so that it ends up with one of two choices being 
approved. Maybe ballot 121 is a candidate alternative? In case there is 
a consensus, ballot 133 should say something like vote for A (as 
proposed in ballot 133) or B (as in ballot 121).

Thanks,
M.D.


On 10/9/2014 3:49 PM, N. Atilla Biler wrote:
>
> Dear All,
>
> Following the discussions below this message between Digicert and 
> Google on the insurance ballot and reading the recent thoughts of 
> Mozilla today, I would like to express my concern about the final 
> situation of the insurance requirement in the EV Guidelines.
>
> You will all remember we had ballot on this issue in May 2014, Ballot 
> 121 below, suggesting a flexible wording for the insurance requirement 
> where an insurance should be maintained related to CAs respective 
> performance and obligations under the EV Guidelines in accordance with 
> the law of their jurisdiction of incorporation or registration. This 
> is the common approach for the CAs following the EU legislation in 
> terms of qualified electronic certificate services as well. Ballot 121 
> was supposed to be a compromising solution among the parties who 
> favored the existing BR provisions and the other parties who tended to 
> release the insurance requirements from the EV Guidelines at all.
>
> Unfortunately, Ballot 121 had failed as it couldn't get enough support 
> from browsers whereas the 2/3 majority of CAs had been obtained.
>
> Afterwards, what we have been trying to do for the last few months, 
> finalized through the discussions at the Beijing F2F, is to find a new 
> and acceptable compromising solution for the insurance issue. 
> Actually, trying to find a middle way for the opponents and supporters 
> of an insurance requirement.
>
> If we are going to have a totally new ballot for eliminating the EV 
> insurance requirement at all, fine, let's do it. Then if it happens 
> that we still have an insurance requirement supported by the 
> sufficient majority of the Forum, we may then vote for a compromising 
> solution like the one we are trying to propose in the current Ballot 133.
>
> Otherwise, the current Ballot 133 should be supported, in my opinion, 
> at least by the browsers and the CAs that supported Ballot 121 as well 
> to build a consensus that will be expected from the CAB Forum as a 
> consensus based and democratic platform.
>
> If not, I'm afraid we will be back to the worst case position (I may 
> tell after all these discussions) where the existing EV Guidelines 
> provisions for insurance will remain unchanged, despite all the 
> browser tendencies to remove the insurance requirement, and many CAs 
> supporting a change (in a solid way) to the existing provisions...
>
> Best regards,
>
> *N. Atilla BILER*
>
> *Business Development Manager*
>
> *TURKTRUST Inc.*
>
> Address: Hollanda Cad. 696.Sok. No:7 Yildiz 06550 Cankaya / ANKARA - 
> TURKEY
>
> Phone: +90 (312) 439 10 00
>
> Mobile: +90 (530) 314 24 05
>
> Fax: +90 (312) 439 10 01
>
> E-mail: atilla.biler at turktrust.com.tr 
> <mailto:atilla.biler at turktrust.com.tr>
>
> Web: www.turktrust.com.tr <http://www.turktrust.com.tr/>
>
>
> *From:* public-bounces at cabforum.org 
> [mailto:public-bounces at cabforum.org] *On Behalf Of *Ben Wilson
> *Sent:* Thursday, 8 May 2014 21:14
> *To:* public at cabforum.org
> *Subject:* Re: [cabfpub] Ballot 121 - EVGL Insurance Requirements
>
> Voting closed yesterday on Ballot 121.
>
> "Yes" votes were cast by Buypass, Disig, Firmaprofesional, GlobalSign, 
> GoDaddy, Izenpe, OpenTrust, SSC, Trend Micro, Turktrust, and WoSign.
>
> "No" votes were cast by Actalis, DigiCert, QuoVadis, Symantec, and 
> Mozilla.
>
> Abstentions were submitted by StartCom, Visa, and Google.
>
> Therefore, Ballot 121 failed.
>
> *From:*public-bounces at cabforum.org 
> <mailto:public-bounces at cabforum.org> 
> [mailto:public-bounces at cabforum.org] *On Behalf Of *Ben Wilson
> *Sent:* Wednesday, April 23, 2014 6:17 PM
> *To:* public at cabforum.org <mailto:public at cabforum.org>
> *Subject:* [cabfpub] Ballot 121 - EVGL Insurance Requirements
>
> *Ballot 121 -- EVGL Insurance Requirements*
>
> The EV Guidelines Working Group is considering updating the EV 
> Guidelines in a number of areas.  Kirk Hall of Trend Micro hereby 
> makes the following motion, and Moudrick Dadashov from Skaitmeninio 
> sertifikavimo centras (SSC) and Richard Wang from WoSign have endorsed it.
>
> This ballot is to amend the current EV Guidelines (EVGL) Sec. 8.4 
> requirements as stated below. The reasons in favor of the Ballot are 
> stated after the proposed amendments.
>
> _Motion begins_:
>
> Amend EV Guideline Section 8.4 to read as follows:
>
> *EV Guideline Section 8.4 - Insurance*
>
>
> Each CA SHALL maintain the following insurance related to their 
> *_its_* respective performance and obligations under these Guidelines 
> *_in accordance with the minimum insurance requirements (if any) 
> as are applicable to the CA under the law of its jurisdiction of 
> incorporation or registration._* :
>
> (A) Commercial General Liability insurance (occurrence form) with 
> policy limits of at least two million US dollars in coverage; and
>
> (B) Professional Liability/Errors and Omissions insurance, with policy 
> limits of at least five million US dollars in coverage, and including 
> coverage for (i) claims for damages arising out of an act, error, or 
> omission, unintentional breach of contract, or neglect in issuing or 
> maintaining EV Certificates, and (ii) claims for damages arising out 
> of infringement of the proprietary rights of any third party 
> (excluding copyright, and trademark infringement), and invasion of 
> privacy and advertising injury.
>
> Such insurance MUST be with a company rated no less than A- as to 
> Policy Holder's Rating in the current edition of Best's Insurance 
> Guide (or with an association of companies each of the members of 
> which are so rated).
>
> A CA MAY self-insure for liabilities that arise from such party's 
> performance and obligations under these Guidelines provided that it 
> has at least five hundred million US dollars in liquid assets based on 
> audited financial statements in the past twelve months, and a quick 
> ratio (ratio of liquid assets to current liabilities) of not less than 
> 1.0.
>
> _Motion Ends_
>
>
> *From:*public-bounces at cabforum.org 
> [mailto:public-bounces at cabforum.org] *On Behalf Of *Ben Wilson
> *Sent:* Thursday, 9 October 2014 09:20
> *To:* Ryan Sleevi
> *Cc:* CABFPub
> *Subject:* Re: [cabfpub] Ballot 133 - Insurance Requirements for EV 
> Issuers
>
> A preexisting relationship isn't necessary for duty, breach, 
> causation, damages.  And the duty doesn't have to be written in black 
> and white.  If someone drives carelessly and causes another car to hit 
> you, they are liable and you'd better hope they have insurance.
>
> I think it's clear that this has turned into a debate over whatever 
> you can come up with to throw at me rather than an opportunity for me 
> to explain the merits of my position, so I'm not going to respond.
>
> Cheers,
> Ben
>
> ------------------------------------------------------------------------
>
> *From: *Ryan Sleevi <mailto:sleevi at google.com>
> *Sent: *10/8/2014 11:52 PM
> *To: *Ben Wilson <mailto:ben.wilson at digicert.com>
> *Cc: *CABFPub <mailto:public at cabforum.org>; Gervase Markham 
> <mailto:gerv at mozilla.org>
> *Subject: *RE: [cabfpub] Ballot 133 - Insurance Requirements for EV 
> Issuers
>
>
> On Oct 9, 2014 1:32 AM, "Ben Wilson" <ben.wilson at digicert.com 
> <mailto:ben.wilson at digicert.com>> wrote:
> >
> > Any lawyer would challenge the validity of the CP/CPS disclaimer on 
> the basis of inadequate notice.
> >
> > Everyone in the world who suffers harm caused by the breach of a 
> duty that a CA was supposed to perform has a claim.
> >
> > It's basic tort law -- duty, a breach of that duty, which breach is 
> a cause of measurable harm.
> >
>
> A cursory examination will show you that no provisions exist for UAs 
> in terms of liability, nor for server operators, nor for any RP using 
> any modern client unless configured in such a way as to make the web 
> unusable, which no client will do.
>
> The CA has no relationship with example.com <http://example.com>, only 
> the Subscriber/Applicant, which may not be example.com 
> <http://example.com> (in the all too common case of misissuance), so no 
> duty has been breached.
>
> Similarly, establishing any basis of claims for an RP requires 
> establishing how they were harmed by the failure to perform. How do you 
> quantify a cost for a privacy breach? How is the RP to demonstrate 
> that their password was compromised? Or that they even accessed the 
> site via the attackers control?
>
> This isn't hypothetical. You (DigiCert) are a prime example of 
> disclaiming any warranty unless the RP (the user visiting a site with 
> a certificate issued by DigiCert) has read your RP Agreement, as 
> documented at https://www.digicert.com/ssl-cps-repository.htm
>
> Just reading that policy and any lay person can see Section 3.2 alone 
> disqualifies virtually every RP out there from making a claim against 
> you. Heck, Section 3.2, (iv) alone exempts you from any compromises 
> that were not directly part of a financial transaction.
>
> For example, if you misissued a cert for mail.google.com 
> <http://mail.google.com>, and every single GMail user's password was 
> compromised, and the attacker then used that to exploit password 
> resets against (banks, Mint, Amazon, etc), and then ordered 
> merchandise using your stored financial information, not a single 
> one of those users would be entitled to a claim against DigiCert, 
> based on the RPA they never would have read anyways.
>
> This is precisely why insurance is a silly and unnecessary thing - 
> because it has enough holes to drive a truck through, and ignores the 
> most pressing concerns with the CA ecosystem, all in favor of "cost of 
> doing business"
>
> Since the questions I'm asking are going continually unanswered (and I 
> have tried to rephrase them repeatedly, so that there is no confusion 
> as to what I am asking or trying to understand), I don't think I'll 
> have any chance at understanding your position, not for lack of 
> trying, but because it hasn't been clearly articulated.
>
> To save time, I have tried to reduce things down to a yes or no question:
>
> Would Digicert support a ballot that removed the insurance requirement 
> entirely, as a means of addressing the concerns over type and quantity 
> of insurance? Yes or No?
>
> >
> >
> > From: Ryan Sleevi [mailto:sleevi at google.com <mailto:sleevi at google.com>]
> > Sent: Wednesday, October 8, 2014 10:59 PM
> >
> > To: Ben Wilson
> > Cc: Gervase Markham; CABFPub
> > Subject: RE: [cabfpub] Ballot 133 - Insurance Requirements for EV 
> Issuers
> >
> >
> >
> > Ben,
> >
> > The question is not "why the ballot", and hasn't been for some time. 
> You've repeatedly provided ample explanation why this ballot.
> >
> > The question is "Why insurance at all". The only meaningful 
> explanation provided yet is to keep CRLs and OCSP operational, and yet 
> that is demonstrably insufficient (DigiNotar maintaining OCSP 
> capability would NOT have protected RPs, even those with hard fail OCSP)
> >
> > As to who, your explanation still ignores my previous email, which 
> is that the vast majority of CP/CPS effectively disclaim any such 
> liability in the Web PKI.
> >
> > For sake of simplicity, since we keep ending up in the weeds, it 
> might be easier if you provided 1-3 examples of " real world" 
> scenarios you think that insurance should pay out, and to whom, and 
> then we can figure out how much.
> >
> > For example:
> > - If CA 1 misissues a cert for example.com <http://example.com> 
> because they failed to check DNS, does anyone have a claim?
> >
> > - If CA 2 misissues a cert for example.com <http://example.com> 
> because they decided that hiring a small plane to write in the sky 
> "please give Jane a cert for example.com <http://example.com>" 
> constituted an 'equivalent method' of validating authorization for a 
> domain, does anyone have a claim?
> >
> > - If CA 3 accidentally revokes a certificate for example.com 
> <http://example.com> because they thought it was being used to serve 
> malware, but it wasn't, does anyone have a claim?
> >
> > - If CA 4 misissues a certificate for example.com 
> <http://example.com>, but then revokes it, and this act gets picked up 
> in the press as 'example.com <http://example.com> gets hacked', does 
> anyone have a claim?
> >
> > I am providing concrete examples that, save for Jane's skywriting 
> adventure, very much happen, and the answer to all of these is "No, no 
> one has any guaranteed chance of a claim" under the current BRs.
> >
> > Is there _any_ real world situation where the presence of insurance 
> and the requirements set forth in the BR have even a chance of a claim?
> >
> > I'm quite aware that you've proposed a set of aggregate categories 
> and a lengthy discussion of the types of insurance employed. But 
> frankly, I see nothing that would actually do anything to improve 
> security in any concrete form (e.g. as guaranteed by the BRs, the 
> lowest common denominator for cert issuance)
> >
> > On Oct 9, 2014 12:42 AM, "Ben Wilson" <ben.wilson at digicert.com 
> <mailto:ben.wilson at digicert.com>> wrote:
> >
> > Who?  Insurance under the ballot primarily protects the CA when 
> liability is questionable, but it protects anyone with a covered claim 
> when the CA is negligent.  Insurance proceeds, in the case of 
> liability insurance, are paid to the injured party.  If members all 
> want a more direct path to compensation without regard to the CA, then 
> a different ballot would have to propose a bond or surety payable to a 
> browser, victim compensation fund, or whomever.
> >
> > Why is the current language (liability insurance) necessary?   A CA 
> with $500 million in current assets and a current asset-to-debt ratio 
> of 1 or greater does not need insurance.  CAs like Symantec, 
> TrendMicro, and Wells Fargo have those kinds of assets, the rest of us 
> do not.  As explained, the insurance protects the CA with a legal 
> defense if the case is litigated -- that is the duty to defend part of 
> the policy.  However, if the CA is liable for damages because of 
> negligence, then the insurance pays the amount of the loss up to the 
> policy limits.  It is money that the CA does not have to pay, and 
> therefore enables the CA to stay in business and continue providing 
> services.  The alternative is an environment with survival of the 
> fittest---CAs who fail go out of business and pretty soon no one 
> trusts CAs---I am strongly opposed to that scenario.
> >
> >
> >
> > From: Ryan Sleevi [mailto:sleevi at google.com <mailto:sleevi at google.com>]
> > Sent: Wednesday, October 8, 2014 10:19 PM
> > To: Ben Wilson
> > Cc: CABFPub; Gervase Markham
> > Subject: RE: [cabfpub] Ballot 133 - Insurance Requirements for EV 
> Issuers
> >
> >
> >
> > If any decision has been made, it's been because of a lack of 
> convincing evidence, not because there isn't an honest and genuine 
> desire to understand the issues at play here.
> >
> > If this ballot fails, then the concerns you and other members have 
> raised go unaddressed. That would be unfortunate, if only because 
> it's always unfortunate when members' concerns are unaddressed. You've 
> provided ample evidence as to why the current language is a concern, 
> and why the Forum should attempt to resolve this concern. Trust me, 
> I'm sold on this.
> >
> > The question is, if not this, then how do we attempt to resolve 
> those concerns? A ballot to remove the insurance requirement 
> altogether would meet that requirement, but it's unclear whether or not 
> that would succeed.
> >
> > Your messages suggest you would be opposed to such a ballot. I am 
> trying to understand why. If this ballot doesn't succeed because the 
> browsers view insurance as unnecessary, and if a ballot to remove it 
> doesn't succeed because CAs view it as necessary, then we aren't 
> really making progress.
> >
> > So please help me understand your position by working from the core 
> question - why is insurance necessary and who does it protect?
> >
> > If we can establish that there is any possibility of it having 
> value, then the natural next questions are "how do we ensure that 
> value is realized" (e.g. that it is not wholly disclaimed via an 
> unreasonable CP/CPS) and how much of it is necessary?
> >
> > But let's not presume that if $10 million of insurance is bad, $3 
> million is better. What you're hearing is that $10 million is bad for 
> multiple reasons, and $3 million is still bad too.
> >
> > On Oct 9, 2014 12:06 AM, "Ben Wilson" <ben.wilson at digicert.com 
> <mailto:ben.wilson at digicert.com>> wrote:
> >
> > You have already made up your mind to oppose this ballot, so why 
> should I put forth any more effort to try to convince you?
> >
> >
> >
> > From: Ryan Sleevi [mailto:sleevi at google.com <mailto:sleevi at google.com>]
> > Sent: Wednesday, October 8, 2014 10:04 PM
> > To: Ben Wilson
> > Cc: Gervase Markham; CABFPub
> > Subject: RE: [cabfpub] Ballot 133 - Insurance Requirements for EV 
> Issuers
> >
> >
> >
> >
> > On Oct 8, 2014 11:56 PM, "Ben Wilson" <ben.wilson at digicert.com 
> <mailto:ben.wilson at digicert.com>> wrote:
> > >
> > > The part you quote me as saying, "to maintain CRL and OCSP 
> infrastructure," comes from others who argued for it back in 2005, so 
> it wasn't me who said it.
> > >
> >
> > It was the only justification you gave for the original 
> requirements, and which you quoted specifically in the context of 
> trying to answer why.
> >
> > What I asked of you in the previous message, and which remains 
> unanswered, is why you feel insurance is meaningful, since you're 
> ardently defending it here.
> >
> > If you don't feel it is (and that would both surprise and please 
> me), then we should be removing, not reducing.
> >
> > > Your argument about the current CP/CPS language as the only 
> situation where insurance comes into play is a convenient strawman 
> that you put up just to knock down.
> > >
> > > "Who" can make a claim and "why" is up to you -- I don't know why 
> you're asking me.
> >
> > It's not a straw man, and that isn't an answer.
> >
> > As we discussed in past calls, why is the ballot simply not to 
> remove it as a requirement - which you've heard two browsers express 
> support for.
> >
> > I don't care about the why is this language reducing, because ANY 
> such requirement presumes insurance is valuable. What I'm asking is 
> why do we even have it.
> >
> > Your previous message said "cost of doing business," but failed to 
> express why such a cost existed. The original justification given - 
> which you quoted - doesn't hold. The provided explanation "that it 
> protects people", fails to deal with the very real issue that the set 
> of people it protects is virtually zero. So it doesn't protect 
> "people" as an abstract, it protects a near-zero sum population.
> >
> > So why have it? And who should it be for?
> >
> > These aren't straw man arguments - these are key to establishing why 
> there should be any proposal other than "remove it".
> >
> > >
> > >
> > >
> > > From: Ryan Sleevi [mailto:sleevi at google.com 
> <mailto:sleevi at google.com>]
> > > Sent: Wednesday, October 8, 2014 9:44 PM
> > > To: Ben Wilson
> > > Cc: CABFPub; Gervase Markham
> > > Subject: RE: [cabfpub] Ballot 133 - Insurance Requirements for EV 
> Issuers
> > >
> > >
> > >
> > > Ben,
> > >
> > > No investigation into DigiNotar's insurance is necessary, so I'm 
> shocked you would think it is. The facts exist that the purpose of 
> insurance, as you stated (to maintain CRL and OCSP infrastructure) was 
> unnecessary, because the infrastructure was so thoroughly compromised. 
> NO amount of insurance can deal with that.
> > >
> > > As such, browsers have systems in place for such complete 
> compromise, which is equally sufficient for _less_ complete compromises.
> > >
> > > I don't see how you can claim it promotes good security, since it's 
> insufficient for dealing with the things browsers care most about. At 
> best, it seems to be a tool to try and establish liability - but 
> browsers are clearly telling CAs that liability exists, insurance or not.
> > >
> > > I can't see how, in the same message, you can suggest "For many 
> industries, CAs included, insurance is just a cost of doing business" 
> and then simultaneously assert you're not using insurance as a barrier 
> for entry.
> > >
> > > Let's take a step back. You've talked at extreme length about the 
> challenges with the current language, the problems CAs face in 
> obtaining it, etc, but are ignoring the two extremely pertinent and 
> relevant questions.
> > >
> > > It is NOT about "what" and "how much" (which you have devoted 
> great time to), but about "why" and "for who"? I'm very much 
> challenging your statements about "why" (and 'just because', which is 
> what 'cost of doing business' reads as, is not a good answer) and "who"
> > >
> > > Under the current CP/CPS, if someone issues a fraudulent cert for 
> example.com <http://example.com>, example.com <http://example.com> 
> can't claim damages. The browser cannot claim damages. Only the users 
> who visited example.com <http://example.com> can claim damages, and 
> only if they used an application in a configuration that does not 
> exist in the real world, save for some very baroque and unusable 
> conditions. Even if there was a "why" that made sense, the "who" is, 
> under current terms, extremely questionable.
> > >
> > > Let's stop focusing on terminology appendices for the type of 
> insurance, and focus on first principles. What reasons, beyond 
> OCSP/CRL serving infrastructure, is it meant to address, and who, in 
> the real world of applications and Internet browsers and servers, can 
> make a claim?
> > >
> > > On Oct 8, 2014 11:29 PM, "Ben Wilson" <ben.wilson at digicert.com 
> <mailto:ben.wilson at digicert.com>> wrote:
> > >
> > > Whether browser security methods, systems, etc. are good enough 
> remains to be seen in the long term.  Citing Diginotar is insufficient 
> proof of failure for the insurance-based risk-mitigation method-- 
> unless you have investigated and can elaborate on all of the facts and 
> circumstances about the particular insurance coverage, denial of 
> coverage, etc., and whether appropriate inquiries for insurance 
> coverage were denied and then challenged for bad faith denial of 
> coverage.  My argument is that insurance goes hand-in-hand with 
> promoting good security practices, and along with compliance audits 
> they establish an integrated risk management strategy.  Browsers will 
> do whatever browsers do, but these three things are within a CA's 
> control, and the best place to mitigate risk is always with those who 
> are in the best position with the ability to do something about it.
> > >
> > >
> > >
> > > Ballot 133 removes the specifics of that type of liability 
> insurance requirement because some have said it was too difficult to 
> obtain in areas with emerging economies---so even if you perceive an 
> insurance requirement as a mere barrier to entry, that barrier is 
> dropping, and more because there will only be $3 million in liability 
> coverage required, although some might argue that $3 million is not 
> enough.  For many industries, CAs included, insurance is just a cost 
> of doing business, and the new language is balanced and allows plenty 
> of flexibility, in several different ways, including an unlimited 
> retention amount. With CAs I've talked to, after a little research 
> with their broker, they understand better what is available in the 
> market.  I've also been told by brokers that pricing for this type of 
> coverage is very competitive.   Members can use their search engine of 
> preference to look for "technology e&o" and to see what is available.  
> So, as a practical matter, I don't see it as any barrier to entry.  
> I've also uploaded some of my insurance research to the wiki here: 
> https://cabforum.org/wiki/Insurance .  I think a thorough reading of 
> this material disproves the claim that this insurance requirement is 
> of minuscule benefit.
> > >
> > >
> > >
> > > Moreover, this is not a barrier to entry for entities desiring to 
> become publicly trusted CAs.  This is a requirement of the Extended 
> Validation Guidelines, not the Baseline Requirements and not browser 
> root programs. Browsers are free to allow a CA into their trust stores 
> without any financial ability, responsibility, or insurance 
> whatsoever--you can still accept them and rely on browser-based 
> security measures, but Extended Validation certificates have a known 
> level of quality, which shouldn't be devalued or deprecated by 
> encouraging a new race to the bottom.  I am not saying that insurance 
> is the best answer, but no one has put forward a serious proposal for 
> financial guarantees, performance bonds, escrow deposits, or other 
> financial responsibility mechanisms, recently.  I think I've shown 
> sufficient reasoning for amending the financial responsibility / 
> insurance requirement as one way to force the internalization of risk, 
> and it's also an established method used in other areas such as 
> automobile insurance, commercial products, banking, etc.
> > >
> > >
> > >
> > >
> > >
> > > From: Ryan Sleevi [mailto:sleevi at google.com 
> <mailto:sleevi at google.com>]
> > > Sent: Wednesday, October 8, 2014 3:34 PM
> > > To: Ben Wilson
> > > Cc: Gervase Markham; CABFPub
> > > Subject: Re: [cabfpub] Ballot 133 - Insurance Requirements for EV 
> Issuers
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > On Tue, Oct 7, 2014 at 6:39 PM, Ben Wilson 
> <ben.wilson at digicert.com <mailto:ben.wilson at digicert.com>> wrote:
> > >
> > > All,
> > > Proposed Ballot 133 represents a substantial reduction in the 
> amount of and a change in the type of insurance that is needed to be 
> qualified as an issuer of an EV certificate.  This proposal reduces 
> the required coverage amount to a little over $3 million (counting 
> coverage for property casualty loss)---less than half of what it is 
> today. Those arguing against an insurance requirement have generally 
> centered their arguments on opinions about whether premiums paid for 
> insurance coverage provide a meaningful ROI.  So not only does this 
> ballot reduce the coverage amount, but it also fine-tunes the type of 
> coverage required in order to align better with the types of risks 
> that we should be concerned about.
> > >
> > > Those involved during the drafting of the EV Guidelines should 
> agree that EV Certificates represent the highest degree of quality for 
> SSL/TLS certificate services commercially available in contrast to 
> other types of SSL/TLS certificate services offered.   The quality of 
> service for EV can be gauged in several important aspects, detailed in 
> the EV Guidelines.  Those measures include the degree of identity 
> verification performed on the domain registrant, CA quality controls, 
> CA/subscriber warranties, and importantly, the financial 
> responsibility of a CA.  Concerning financial stability, the EV 
> Guidelines require that a CA stand behind each EV certificate it 
> issues--to an amount of at least $2,000 for monetary loss to each 
> Subscriber or Relying Party.  This is one of the reasons that the EV 
> Guidelines have required an EV-issuing CA to be sufficiently able, not 
> just to maintain ongoing EV certificate operations and maintenance, 
> but also to ensure that CA warranties and representations do not 
> become empty promises.
> > >
> > > Because requirements were needed to provide assurances to users 
> that a certain level of recourse would be available in the event that 
> a CA failed to exercise reasonable care in approving a certificate 
> application, financial responsibility was a key requirement for the EV 
> Guidelines.  In 2005 and 2006 we debated amounts required for 
> insurance.  At the time, most CAs felt that $10 million was the 
> maximum, and we settled on the $5 million and $2 million amounts.  
> Today, $3 million in insurance coverage is a very reasonable amount 
> for a CA to carry.
> > > Since Day 1 of the CA/Browser Forum, insurance has been an 
> important requirement for EV.  Back in May 2005, GeoTrust proposed 
> that every CA and auditor have a $10 million professional liability / 
> errors and omissions insurance policy.  The minutes of the May 2006 
> meeting indicate, "The chief purpose of financial stability 
> requirements was to avoid the risk of catastrophic financial collapse 
> and compromise of the roots and inability to maintain current 
> OCSPs/CRLs."  As I've mentioned previously, throughout 2006 we 
> discussed the need for insurance and the question was not "if" there 
> was an insurance requirement, but what it should be.  Finally, in 
> August 2006 we settled on what is currently Section 8.4 (Insurance 
> Requirements) and decided that the language chosen at that time was 
> the most efficient way to ensure the financial responsibility of CAs.  
> The proposed language of Ballot 133 does the same thing today as what 
> we intended the insurance language to do back in August 2006---provide 
> a backstop that mitigates the risk of catastrophic CA failure.
> > >
> > >
> > >
> > > And this is where the debate about whether or not insurance 
> provides any value.
> > >
> > >
> > >
> > > If a CA is compromised, through hostile act or negligence, there 
> are several ways in which the infrastructure necessary to maintain 
> current OCSPs and CRLs can be rendered untrustworthy. DigiNotar is a 
> prime example of this, in which the misissued certificates were not 
> even known by DigiNotar, because they were not adequately logged.
> > >
> > >
> > >
> > > As such, because this risk exists in the system (and recall that 
> they were indeed audited), Relying Parties MUST accept that OCSP/CRLs 
> are INSUFFICIENT to deal with the risk of compromise or collapse.
> > >
> > >
> > >
> > > As such, browsers have developed programs to deal with this out of 
> band. CRLSets. OneCRL. Certificate Distrust Lists.
> > >
> > >
> > >
> > > If such systems are good enough for the catastrophic failures 
> where the OCSP/CRL system is rendered unreliable, why are they not 
> good enough for the failures when the OCSP/CRL system is still viewed 
> as "reliable" (or at least, in which the signing keys have not been 
> compromised?)
> > >
> > >
> > >
> > > Between the RP agreements in most CP/CPSes, and the language 
> itself regarding the practices, you've heard from several browsers 
> that have, under advice, been given the opinion that such insurance 
> does not provide meaningful recourse for them.
> > >
> > >
> > >
> > > To this end, why does it make sense to enforce a requirement that 
> is not technically fit for purpose (as demonstrated by DigiNotar), nor 
> actionable (as advised by counsel), but which encumbers members?
> > >
> > >
> > >
> > > I can certainly understand that some CAs would prefer a "cost of 
> doing business" be imposed on new entrants. However, that's of dubious 
> nature.
> > >
> > >
> > >
> > > I can certainly understand a desire to prevent "fly by night" 
> operators. But that's incumbent upon the root store programs, and 
> you've heard from at least two that believe this doesn't meaningfully 
> prevent such "fly by night".
> > >
> > >
> > >
> > > So while it's great to understand why the Forum introduced it, 
> what we do know is that it's failed to meet the Forum's goals. So why 
> should we pretend it does? Simply for historic reasons?
> > >
> > >
> > >>
> > >>
> > >> Why do we have an EV insurance requirement? An effective 
> information security risk management program consists of risk 
> avoidance, risk reduction, risk spreading, risk transfer, and risk 
> acceptance.  There is no such thing as 100% perfect information 
> security, so risk will remain with any system, even after applying 
> industry best-practice controls that aim to avoid, reduce, or spread 
> risk.  With unmitigated risks present in any CA system, the remaining 
> options are (1) transfer risk or (2) accept risk.  CA/Browser Forum 
> members should still be concerned about an unjustified acceptance of 
> risk by a "fly-by-night" CA that simply treats residual risk as its 
> own "risk of doing business" without regard to the negative 
> consequences to third parties.  Thus, the "transfer of risk" approach 
> has been adopted with this insurance requirement. Contemporaneously 
> with the Forum's adoption of the insurance provision,  an exception 
> was added for any CA that was essentially self-insured because it had 
> "five hundred million US dollars in liquid assets" -- that was the bar 
> that was set for CAs choosing strictly the risk-acceptance approach.  
> (Actually, this provision should have stated "five hundred million US 
> dollars in current assets" which is the correct terminology for 
> calculating a quick ratio, but that error also is proposed for 
> correction in this Ballot 133.)   CAs who prefer a risk-acceptance 
> approach can still have a hybrid with the insurance-based "transfer of 
> risk" approach and "hedge their bets" by increasing the "retention 
> amount" when negotiating the price of insurance with $3 million 
> coverage.  A retention amount is like a deductible---it is the amount 
> of risk that is retained by the CA.  So, because the EV Guidelines do 
> not limit risk-retention amounts, there is plenty of flexibility for 
> any CA in obtaining the coverage required by the proposed ballot.
> > >>
> > >> Again, insurance goes hand-in-hand with security controls and the 
> guidelines of the CA/Browser Forum---by following and being audited to 
> standards, CAs are in the best position to control risks and because 
> of this, insurers should be willing to insure the residual risk 
> because the CA's loss will be occasioned by chance-- not due to the 
> carelessness or indifference about maintaining CA system security.
> > >>
> > >> Ballot 133 is in response to requests of CAs which have been:
> > >> 1. These types of insurance are too difficult to obtain in 
> my country
> > >> 2. Insurance is too expensive
> > >> 3. The current insurance requirement does not cover 
> anticipated incidents
> > >>
> > >> As a result, I have researched insurance and interviewed 
> insurance company representatives on changes to the language that 
> would be best, based on the situations that we face as CAs and 
> Browsers concerned about the utility and reliability of SSL 
> certificates.   The feedback has been that it is not easy to phrase a 
> global standard because of the differences in legal systems and 
> insurance environments around the globe.  Conversely, we know that the 
> Internet is global in reach, and a CA located in one country can 
> affect the lives of persons globally.    Another challenge has been 
> that if the policy wording is switched from the current language to 
> something else it will be too difficult to change policies mid-term.  
> The proposal that offered transition dates was too confusing, which 
> led to the approach taken here, which was to make compliance easier, 
> although there still might be questions on whether certain types of 
> coverage or policies meet the proposed requirement.  Also, some CAs 
> have indicated that they are shopping in the insurance market right 
> now, and they need to know what coverage will be appropriate.  This is 
> another reason why this ballot should go forward and be voted upon.
> > >>
> > >> As additional background, Commercial General Liability (CGL) 
> insurance was named in Section 8.4 because it was a type of insurance 
> well-known in the U.S. that would cover all common types of insurance 
> that an operating business would need, and which a CA's business 
> partners would expect it to have.  It includes property and casualty 
> losses and public liability coverage for personal/bodily/physical 
> injuries and/or property damage to the public for claims arising out 
> of operations.  However, over the last several years court cases have 
> held that it doesn't cover certain types of damage to intangibles, 
> unless the language in the policy is specific that it does.  So even 
> though many CAs will still maintain CGL coverage, it is no longer 
> worth having as an EV requirement.
> > >>
> > >> Another response to opponents of an insurance requirement is that 
> for centuries insurance has served as a global mechanism to 
> re-distribute risk associated with global commerce.  If the right 
> insurance is selected, and if the CA makes good faith efforts to 
> follow common industry security practices, it is unlikely that an 
> insurer will deny coverage, provided that the type of peril is 
> acknowledged in the insurance policy, which is why Ballot 133 makes 
> clear that the policy must not exclude coverage when providing 
> cryptographic, digital signature, or public key infrastructure 
> services.  Insurance companies have over $25 trillion in assets under 
> management; in the case of claims against a CA with clear liability 
> and catastrophic loss, it is likely that the insurer would rather 
> tender the policy limits than defend the case.  The argument that the 
> insurance requirement will not prevent a CA from closing up shop and 
> disappearing during the night runs contrary to the good will that a CA 
> intending to stay in operation should seek to engender.  A CA worth 
> its salt will maintain a certain level of insurance, and third parties 
> relying on the services of the CA should have assurance that it will. 
> Also, in the event of bankruptcy, receivership, or whatever, the 
> insurance will either be an asset of the estate or the bankruptcy 
> court can abstain and a direct obligation of the insurer and liability 
> can be established in court, see Landry v. Exxon Pipeline Co., 260 
> B.R. 769 (Bkrtcy. M.D. La. 2001), or an 
> interpleader/adversary proceeding could take place as the trustee, 
> judge, or administrator determines how proceeds are 
> distributed--whether claims are paid pro rata, on a first-come basis, 
> or for damage mitigation, e.g. to ensure that the CA "fails gracefully."
> > >>
> > >> I could go on with my discourse, but I'll spare you the trouble 
> ... unless anyone wants to consider additional resources, which I'm 
> happy to provide.
> > >>
> > >> For additional benefit, here is an overview of some insurance terms:
> > >>
> > >> Property insurance -- Covers damage to physical property
> > >>
> > >> Liability Insurance -- Protects against third party claims, i.e., 
> payment is not typically made to the insured, but rather to someone 
> suffering loss who is not a party to the insurance contract and it 
> usually does not cover damage caused intentionally or agreed to by 
> contract (the latter requires contractual liability insurance)
> > >>
> > >> Casualty insurance -- Covers injuries resulting solely from an 
> inevitable accident and not from negligence, something that cannot be 
> foreseen or guarded against.
> > >>
> > >> Commercial General Liability insurance -- "covers bodily injury 
> and property damage arising out of premises, operations, products, and 
> completed operations; and advertising and personal injury liability" 
> (evolved from "general liability" and "corporate general liability" 
> forms and is what has been common in the United States for most 
> businesses for the past 30+ years).
> > >>
> > >> Technology E&O insurance - covers both liability and property 
> loss exposures. The liability part covers losses resulting from: (a) 
> technology services, (b) technology products, (c) media content, and 
> (d) network security breaches. The property part covers damage mitigation 
> related to extortion threats, crisis management expenses, and business 
> interruption.
> > >>
> > >>
> > >> -----Original Message-----
> > >> From: Gervase Markham [mailto:gerv at mozilla.org]
> > >> Sent: Friday, October 3, 2014 4:07 AM
> > >> To: Ryan Sleevi; Ben Wilson
> > >> Cc: CABFPub
> > >>
> > >> Subject: Re: [cabfpub] Ballot 133 - Insurance Requirements for EV 
> Issuers
> > >>
> > >> On 02/10/14 20:47, Ryan Sleevi wrote:
> > >> > It's likely we'd abstain from such a ballot as presented, or 
> support
> > >> > such a ballot that removed the requirement.
> > >>
> > >> This is likely to be our position also. /Pace/ Ben, but we 
> maintain based on legal advice that this particular insurance 
> requirement (not the concept of insurance in general!) is extremely 
> unlikely to lead to practical benefit for anyone. Its presence either 
> has no effect (if CAs are required to have the insurances already by 
> other bodies) or leads to increased and unnecessary costs for CAs (if 
> they are not).
> > >>
> > >> Gerv
> > >
> > >
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
