[cabfpub] Ballot 133 - Insurance Requirements for EV Issuers

Ben Wilson ben.wilson at digicert.com
Mon Oct 20 03:13:19 UTC 2014

Normally I do not comment once the comment period has ended and voting has begun, but since Kirk “opened the door”, I feel it necessary to respond to his assertions:


· Insurance is not designed to protect the public (i.e., customers and relying parties), but is only designed to protect the insured – the CA.  If the insurer can protect a bad or negligent CA by defeating all claims from customers and relying parties from a breach and paying nothing to them, it will.  Based on the incomplete information we have, it appears a court in The Netherlands allowed Diginotar to deny coverage on its insurance and not pay claims.


RESPONSE:  Insurance is a contract.  Contract law is globally recognized.  Contracts set forth terms and conditions which can be sued upon if breached.  In the case where a third party is clearly harmed under the terms of an insurance contract, the insurer must act in good faith and cannot deny the claim simply because it doesn’t want to pay.  There is a well-known cause of action for this type of bad faith behavior against any insurer who denies coverage.  It is well-settled law that any ambiguity about coverage in an insurance contract is construed in favor of the insured.  If the CA has followed appropriate security measures and also has not breached the insurance contract, then the insured is covered as to the losses claimed by third parties.  Kirk does not know what happened in the Netherlands with Diginotar, so whatever he asserts is pure unsubstantiated speculation.


· The ballot is very specific as to what insurance must be obtained.  Cyber insurance, etc. keeps changing, so the requirements of this ballot could soon be out of date and the required insurance could be unobtainable at any time in the future.


RESPONSE:  I don’t think Kirk read Ballot 133 because it makes the current insurance requirements less specific.  It eliminates several types of coverage, such as cyber insurance.  Instead, it focuses on plain ordinary liability coverage.  The ballot has been carefully written to make the requirement much more flexible and insurance much easier and less expensive to maintain.


· The insurance is probably not obtainable in some non-US jurisdictions.


RESPONSE:  To say that the insurance is “probably” not obtainable in “some” non-US jurisdictions is like saying you might not be able to buy a Toyota in North Korea, and for that, it is again speculation aimed at causing unnecessary FUD on this ballot.  Several insurance experts have indicated that ordinary liability insurance can be obtained globally, and even if it can’t, most CAs and their brokers go outside and over to London, Zurich, Hong Kong, and other international insurance markets anyway.  Ballot 133 only requires liability coverage in those countries where you issue EV certificates.  If you issue EV certificates only in your own country, then you only need to buy liability coverage for your country.  Can anyone tell me a country where they know they cannot buy insurance?  Contrary to what Kirk says about CAs not needing insurance, if a CA cannot obtain any insurance, should that CA be issuing EV certificates?  If someone cannot buy automobile insurance, should that person be driving?  In the interest of a fair and honest debate, even though, as Gerv notes, “Kirk has the right to change his mind,” people should be aware of the multiple memoranda that Kirk wrote and presented to the Forum in 2005 and 2006 arguing why it was so important for EV issuers to have insurance.  Was he wrong then or is he wrong now?


· The price could be prohibitively high, which could drive some CAs from the business.


RESPONSE:  Don’t all CAs already know their insurance price costs?  What is considered “prohibitive” and how does this drive a CA out of business?  If anything, it allows more CAs into the EV certificate business.  To argue that this EV requirement “might” drive a CA out of business is also fallacious logic based on a faulty generalization.  It argues that issuing an EV certificate is synonymous with what it means to be a CA, and even if that were true, the rest of the argument falls apart because whatever the price is, it must be lower because the coverage is being cut in half—there is no way that the price will be “prohibitively” high.


· Most important, if we adopt this ballot, all of us (CAs and browsers) will be delegating to insurance companies the decision of which CAs get to issue EV certs, and which do not.  A CA that can’t get the specific insurance required under this ballot will have to stop issuing EV certs, even though the CA has passed all audits and complies with all rules.


RESPONSE:  As it already stands today, a CA that does not have insurance should not be issuing EV certificates.  There is no proof that adopting this ballot changes the balance of power between anybody—except for newcomers, all CAs that have been around for the last 10+ years have kept their insurance, and now newcomers can enter the market more easily.  If this ballot fails, that does not change the fact that a CA issuing EV certificates must maintain insurance.  Furthermore, there are plenty of reasons within the four corners of the EV Guidelines for why insurance and/or financial responsibility are an EV requirement, including the EV warranties and the $2,000 per relying party minimum.


· Don Sheehy, our WebTrust representative, has said the insurance requirements of this ballot are “unauditable”.


RESPONSE:  Insurance coverage is one of the easiest things to audit.  When our WebTrust auditors come onsite, they say “please show me your insurance policies.”  I go to my file cabinet, pull out my insurance policies, and hand them over.  They look at the coverage sheet and see that we have $3 million coverage, etc.  How is that not auditable?

· This ballot creates a new and significant barrier to entry for new CAs (including non-US CAs), which is not a proper reason for adding a requirement to the EV Guidelines.


RESPONSE:  It is untrue.  This ballot does not create a new requirement.  It is untrue that this is a “new and significant barrier” because the EV insurance provision already exists, which Kirk should recall.  This reduces barriers because it lowers the amounts required, takes away the specificity, and it adds at least two new exceptions to what was previously required—it gives an exception for the laws of the CA’s jurisdiction, and it doesn’t require that insurance be global in coverage because it only requires insurance for where the CA issues EV certificates.


