[cryptography] Bonding or Insuring of CAs?

ianG iang at iang.org
Sat Jan 26 04:05:38 EST 2013

On 26/01/13 01:25 AM, Jeffrey Walton wrote:
> Hi All,
> Is there any bonding of CAs? Do any browsers or other relying parties
> require it?

EV requires insurance, but the description was originally a little 
convoluted.  In essence it could be summarised "unless one is Symantec 
nee Verisign, a token insurance is required."  Just googling, however, 
it seems that they have cleaned up the text so it is much clearer:

8.4 Insurance
Each CA SHALL maintain the following insurance related to their 
respective performance and obligations under these Guidelines:
(A) Commercial General Liability insurance (occurrence form) with 
policy limits of at least two million US dollars in coverage; and
(B) Professional Liability/Errors and Omissions insurance, with policy 
limits of at least five million US dollars in coverage, and including 
coverage for (i) claims for damages arising out of an act, error, or 
omission, unintentional breach of contract, or neglect in issuing or 
maintaining EV Certificates, and (ii) claims for damages arising out of 
infringement of the proprietary rights of any third party (excluding 
copyright, and trademark infringement), and invasion of privacy and 
advertising injury.
Such insurance MUST be with a company rated no less than A- as to Policy 
Holder’s Rating in the current edition of Best’s Insurance Guide (or 
with an association of companies each of the members of which are so rated).
A CA MAY self-insure for liabilities that arise from such party's 
performance and obligations under these Guidelines provided that it has 
at least five hundred million US dollars in liquid assets based on 
audited financial statements in the past twelve months, and a quick 
ratio (ratio of liquid assets to current liabilities) of not less than 1.0.

I don't know if anyone audits or polices that, off-hand.  I'm not sure 
they would see the point, $5m is about half what a footy club has to 
have to run a barbeque (in Australia, 10m general liabilities).  That 
is, nobody takes it seriously, and they shouldn't.  The insurance isn't 
the point of the insurance, so there's no point in checking it.

> Recall the first thing Diginotar did upon its failure was declare
> bankruptcy. I believe that likely relieved the company of most of its
> fiduciary responsibilities laid out in its CPS.

Or, its parent company.

> Two things drop out: (1) these folks should be bonded or insured, and

OK, but insured or bonded *for what purpose* ?  Who's the beneficiary?

What real world problem are you solving?

> (2) those doing the bonding or insuring will probably take an in-depth
> look at practices of the CA (money motivates folks like that).

Oh, you mean, like an audit ;-)

So, one of the issues with the industry could be considered the 'skin in 
the game' problem.  CAs have carefully ensured that they have zero 
expected liability [0].  Vendors have variously done so and have finally 
caught up in Baseline Requirements 18.2 (from memory) by successfully 
negotiating for themselves a zero liability indemnity contract with the CAs.

So if nobody has any skin in the game, nobody really cares much.

Putting it another way, if the CAs were required to have insurance, they 
would also ensure that it would never pay out.  That way it is cheaper.

Instead of looking at the solution - before identifying the problem - 
try looking at the start of the game.

Grandma loses her house.  What happens then?

> In addition, it might have prevented Trustwave, where the insurer was
> not willing to indemnify the CA with the perverted changes it made to
> the CPS and TOS.

Possibly.  There would also be twists and turns.  It is not clear that 
many really knew what was going on there, including whether there were 
any audit discussions.


[0] You can read more about zero effective liability in my paper on CAs.