[cryptography] Bonding or Insuring of CAs?

Jeffrey Walton noloader at gmail.com
Fri Jan 25 17:25:03 EST 2013

Hi All,

Is there any bonding of CAs? Do any browsers or other relying parties
require it?

Recall the first thing DigiNotar did upon its failure was declare
bankruptcy. I believe that likely relieved the company of most of its
fiduciary responsibilities laid out in its CPS.

Two things drop out: (1) these folks should be bonded or insured, and
(2) those doing the bonding or insuring will probably take an in-depth
look at practices of the CA (money motivates folks like that).

In addition, it might have prevented Trustwave, where the insurer was
not willing to indemnify the CA with the perverted changes it made to
the CPS and TOS.

