[cabfpub] Possible new BR on Financial Responsibility -- minimum capital requirements

Stephen Davidson S.Davidson at quovadisglobal.com
Wed Nov 5 11:36:16 MST 2014

Hi Kirk:


While I appreciate the intent to find a meaningful alternative to insurance, I am doubtful about these proposals.  The criteria in your proposals may be relevant when self-insurance is involved but not as a general baseline.


1.       It drags financial audit into the WebTrust sphere.  Insurance exists as long as it is paid – these financial ratios can change rapidly (and without much transparency).

2.       It creates an advantage for CAs that are part of larger orgs either as subs or operating divisions.  Is the expectation that parent/divisions would separately capitalize.  There was no evidence in the DigiNotar/Vasco case that being part of a well-funded corporate family helped protect RPs.  

3.       I’m not sure retained earnings is a good measure of business stability.  Stability is measured by actually funding the appropriate systems, process and staffing – and those are covered under WebTrust.

4.       I’m not sure this helps “continuation of the business” – in most cases, an exiting CA whether rich or poor can say ciao as they turn off the lights/HSM.

On the latter proposal, I’m not sure that’s workable.  Facebook has an OV cert.  They also have 864 million users aka RPs. At $2,000 per RP per cert, the CA’s max liability on that cert would be $1,728,000,000,000.  Imagine the fun that could arise with those cloud-operator certs with 250 unrelated SAN in them!


Best, Stephen



From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Tuesday, November 04, 2014 7:58 PM
To: CABFPub (public at cabforum.org)
Subject: [cabfpub] Possible new BR on Financial Responsibility -- minimum capital requirements


In our Forum call last week I raised the issue of possible new Financial Responsibility requirements for CAs as a substitute for the existing EV insurance requirements (which most people have concluded do not really help the Forum reach any meaningful goals that relate to SSL and internet security).


I mentioned two ideas of my own for new financial responsibility requirements, and asked those on the call for their preliminary reactions, plus any ideas they might have for other financial responsibility ideas.  Ben Wilson had some feedback, but no one else spoke on the call so I promised to post the two ideas to the Public list for further discussion.  If there is support, we can move later to a pre-ballot with specifics.


I will post each idea separately so we can have separate discussions.


First Idea – Minimum Capital Requirements


The first idea is to establish new CA financial responsibility requirements in the Baseline Requirements for some sort of minimum capital requirements.  Here are my two main reasons for seeking minimum capital requirements:


1.  It would help a CA respond to a serious security breach or emergency infrastructure problem – ready cash and net capital is always important to deal quickly with a serious problem.


2.  If the CA decides to exit the certificate business, it could help the CA continue the required revocation checking services (CRLs, OCSP responses), archives, etc.


In my mind, any minimum capital requirement we come up with should satisfy at least three goals:


·         It should be reasonable and not punitive or prohibitive for small or new CAs,

·         It should scale according to the level of activity for a CA, and

·         It should use existing financial terms and measurements if possible so no CA or auditor has to do extra or complicated calculations to see whether or not the CA is in compliance.


I believe the minimum capital requirements should look at three elements: (1) total liquid assets (cash and cash-like assets), (2) the CA’s so-called “quick ratio”, which is a measurement of how much cash and cash-like assets the CA has compared to its short term liabilities (so the quick ratio is a measure of how easily the CA can access its cash to deal with an emergency without being unable to pay current debts), and (3) net retained earnings (owner’s equity), which is a measurement of how much capital a CA has after all its short and long term liabilities are subtracted from all its assets.  These are common financial accounting concepts.


The CA/Browser Forum already uses these same capital tests in a different context, and we can recycle existing language if we choose.   As you know, EVGL 8.4 currently requires two kinds of insurance, but allows larger CAs not to carry insurance if they meet the following minimum capital tests:


Current EVGL 8.4  *** A CA MAY self-insure for liabilities that arise from such party's performance and obligations under these Guidelines provided that:


[1] It has at least five hundred million US dollars in liquid assets based on audited financial statements in the past twelve months, and 


[2] It has a quick ratio (ratio of liquid assets to current liabilities) of not less than 1.0.


So here is a possible new Financial Responsibility Baseline Requirement we can consider (we need to decide what amounts to put in the blanks below):


[New] Baseline Requirements Section X.X – Financial Responsibility


A CA must meet the following minimum financial responsibility tests:


(a) Liquid Assets (i.e., cash plus assets that can be converted into cash quickly and with minimal impact to the price received) equal to or exceeding $X per certificate for the number of issued certificates outstanding , but not less than $Y; 


(b) A quick ratio (ratio of liquid assets to current liabilities) of not less than x.x; and


(c) Retained Earnings (Owner’s Equity) of $A per certificate for the number of issued certificates outstanding during the CA’s previous annual audit period, but not less than $B.  


These tests will be confirmed by the CAs WebTrust or ETSI auditor [Alternative 1: as of the last day of each calendar month during the audit period] <or> [Alternative 2: as of the last day of each calendar quarter during the audit year] <or>[Alternative 3: as of the last day of the audit year].  The auditor shall rely on the CA’s audited financial statements if available; otherwise the auditor may rely on the CA’s unaudited financial statements that are verified in writing as accurate by the CA’s CEO or equivalent officer.  This requirement shall not apply to government CAs.


If we like this structure for a new Financial Responsibility BR, the question will be – what numbers should we use for X, Y, Z, A, and B above?


I have asked WebTrust auditor Don Sheehy to think about this issue, and each CA should consult its own financial department for comments and input.


Any preliminary reaction?


I will post my second idea in a separate email.


Kirk R. Hall

Operations Director, Trust Services

Trend Micro



The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20141105/c9138ad7/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5494 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20141105/c9138ad7/attachment-0001.bin 

More information about the Public mailing list