On 04/27/2014 06:07 PM, Eddy Nigg wrote:
> On 04/26/2014 06:45 PM, Zack Weinberg wrote:
>>
>> CAs should be carrying insurance to cover exactly this sort of
>> low-probability-but-still-foreseeable, high-cost event.
>
> Interestingly CAs can insure themselves for mistakes made at their
> end (errors and omission), but not for mistakes of others. That's
> exactly the reason why those costs can't be turned onto the insurer
> (otherwise we'd have done exactly that).

I find this both surprising and disturbing. Are you saying that you tried to obtain insurance against the possibility of this sort of catastrophe (keys compromised due to bug in software maintained by third parties) but could not, because no insurer would write the policy? Or are you saying that there is some rule that forbids you to seek such insurance in the first place? Or some third possibility I am not thinking of?

Whichever way, this seems like a major problem that needs to be corrected before the *next* time one of these bugs turns up.

zw

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy