[cryptography] Bonding or Insuring of CAs?
iang at iang.org
Sat Jan 26 04:05:38 EST 2013
On 26/01/13 01:25 AM, Jeffrey Walton wrote:
> Hi All,
> Is there any bonding of CAs? Do any browsers or other relying parties
> require it?
EV requires insurance, but the description was originally a little
convoluted. In essence it could be summarised "unless one is Symantec
nee Verisign, a token insurance is required." Just googling, however,
it seems that they have cleaned up the text so it is much clearer:
Each CA SHALL maintain the following insurance related to their
respective performance and obligations under these Guidelines:
(A) Commercial General Liability insurance (occurrence form) with
policy limits of at least two million US dollars in coverage; and
(B) Professional Liability/Errors and Omissions insurance, with policy
limits of at least five million US dollars in coverage, and including
coverage for (i) claims for damages arising out of an act, error, or
omission, unintentional breach of contract, or neglect in issuing or
maintaining EV Certificates, and (ii) claims for damages arising out of
infringement of the proprietary rights of any third party (excluding
copyright, and trademark infringement), and invasion of privacy and
Such insurance MUST be with a company rated no less than A- as to Policy
Holder’s Rating in the current edition of Best’s Insurance Guide (or
with an association of companies each of the members of which are so rated).
A CA MAY self-insure for liabilities that arise from such party's
performance and obligations under these Guidelines provided that it has
at least five hundred million US dollars in liquid assets based on
audited financial statements in the past twelve months, and a quick
ratio (ratio of liquid assets to current liabilities) of not less than 1.0.
I don't know if anyone audits or polices that, off-hand. I'm not sure
they would see the point, $5m is about half what a footy club has to
have to run a barbeque (in Australia, 10m general liabilities). That
is, nobody takes it seriously, and they shouldn't. The insurance isn't
the point of the insurance, so there's no point in checking it.
> Recall the first thing Diginotar did upon its failure was declare
> bankruptcy. I believe that likely relieved the company of most of its
> fiduciary responsibilities laid out in its CPS.
Or, its parent company.
> Two things drop out: (1) these folks should be bonded or insured, and
OK, but insured or bonded *for what purpose* ? Who's the beneficiary?
What real world problem are you solving?
> (2) those doing the bonding or insuring will probably take an in-depth
> look at practices of the CA (money motivates folks like that).
Oh, you mean, like an audit ;-)
So, one of the issues with the industry could be considered the 'skin in
the game' problem. CAs have carefully ensured that they have zero
expected liability. Vendors have variously done so and have finally
caught up in Baseline Requirements 18.2 (from memory) by successfully
negotiating for themselves a zero liability indemnity contract with the CAs.
So if nobody has any skin in the game, nobody really cares much.
Putting it another way, if the CAs were required to have insurance, they
would also ensure that it would never pay out. That way it is cheaper.
Instead of looking at the solution - before identifying the problem -
try looking at the start of the game.
Grandma loses her house. What happens then?
> In addition, it might have prevented Trustwave, where the insurer was
> not willing to indemnify the CA with the perverted changes it made to
> the CPS and TOS.
Possibly. There would also be twists and turns. It is not clear that
many really knew what was going on there, including whether there were
any audit discussions.
You can read more about zero effective liability in my paper on CAs.