[cabfpub] Ballot 133 - Insurance Requirements for EV Issuers

Ben Wilson ben.wilson at digicert.com
Thu Oct 9 13:25:26 MST 2014


Even if we adopted a different vehicle for this (one which wasn't so CA-protection-centric), it would still require someone to make a determination of fault, breach of responsibility, etc. and who is willing to take on that role?

 

The typical language in these liability policies is: “The insurer has the right to settle any claim made by a third party for money, services, non-monetary relief, or injunctive relief that it believes is proper.”  So, liability insurance does provide for the compensation of injured third parties, and it is a reasonable expectation of EV requirements, and not just something that a CA should be able to do or not do.

 

Section 18 of the Extended Validation Guidelines states, "a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per EV Certificate".  I think there should be <<something>> financial, in the EV Guidelines, to balance out this potential liability.  

 

If someone feels that section 8.4 doesn't provide sufficient protection of third parties, then maybe we delete the insurance language.  One possibility is that Section 8.4 could be amended to read, "All CAs shall maintain the following to meet requirements arising from such party's performance and obligations under these Guidelines: provided that it has at least five hundred X million US dollars in liquid current assets based on audited financial statements in the past twelve months, and a quick ratio (ratio of liquid current assets to current liabilities) of not less than 1.05.”  Or, if someone supports the idea of re-writing sections 8.4 and 18 as a financial guaranty (rather than as insurance and caps on liability limits), then they ought to propose a ballot to merge 8.4 and 18 into a reserve requirement and eliminate the insurance requirement.  The ballot could propose that each CA apply a factor of "X" the number of that CA’s valid, unrevoked, and unexpired EV certificates and calculate a reserve requirement.  For example, "each CA shall maintain a liquidity reserve ratio of unencumbered liquid assets readily available and on hand to cover $2,000 * X * number of valid certificates.”

 

As to your comment about disclaimers in your other email, I don't disagree with your assessment.  However, we live in an imperfect world.  Disclaimers and the like are part of the legal posturing that everyone does, even Mozilla and Google - https://www.mozilla.org/en-US/about/legal/terms/mozilla/, https://wiki.mozilla.org/Personas/TOS, https://developer.android.com/sdk/terms.html, etc.  Similarly, with this financial responsibility issue in mind, I believe that while not perfect, this insurance update is a reasonably calculated compromise aimed at addressing an issue raised in the EV Guidelines (not to be confused with the Baseline Requirements).  As I’ve said before, this insurance proposal protects and benefits various parties affected by the EV ecosystem—not just CAs, and the insurance benefits third parties.  So until someone proposes something better, I am not inclined to change my view.

 

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Thursday, October 9, 2014 2:33 AM
To: Ben Wilson; Ryan Sleevi
Cc: CABFPub
Subject: Re: [cabfpub] Ballot 133 - Insurance Requirements for EV Issuers

 

On 09/10/14 05:41, Ben Wilson wrote:

> Who?  Insurance under the ballot primarily protects the CA when
> liability is questionable, but it protects anyone with a covered claim
> when the CA is negligent.

 

We can discuss who has a covered claim when the CA is negligent, but I assert that insofar as the purpose of this insurance is to protect the CA, then it is not a valid subject for a CAB Forum requirement. CAs should take out whatever insurance they feel is necessary to adequately address business risk, but the amount of such insurance should be a CA decision, not a regulatory decision.

 

Gerv
