<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=iso-8859-9"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:windowtext;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:windowtext;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";
color:black;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.baec5a81-e4d6-4674-97f3-e9220f0136c1
{mso-style-name:baec5a81-e4d6-4674-97f3-e9220f0136c1;}
span.EmailStyle24
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:763305347;
mso-list-template-ids:-979063340;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:2082216173;
mso-list-type:hybrid;
mso-list-template-ids:-94701696 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>All,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>This current discussion on one of the American Bar lists has some relevance to the directions we’re headed with CA liability in various jurisdictions globally …<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Ben<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b>From:</b> Federated ID Management Task Force [mailto:BL-FIDM@MAIL.AMERICANBAR.ORG] <b>On Behalf Of </b>James D McCartney<br><b>Sent:</b> Thursday, December 11, 2014 6:25 AM<br><b>To:</b> BL-FIDM@MAIL.AMERICANBAR.ORG<br><b>Subject:</b> Re: [ABA-IDM-TASK-FORCE] IdM Liability Legislation<o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Tom,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> In practical terms, I can’t see any kind of legislation making it through to be able to help. More important, I believe that the current structures of negligence are sufficient. What is missing is the standard against which negligence can be measured. An interesting parallel which may offer an answer is data security and privacy . <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> I’m sure most people on this list are familiar with the recent rulings that have used the HIPAA as a standard of care to determine negligence. Given the increasing number of breaches occurring, this is likely to expand to use HIPAA, GLB, and several other laws as establishing a common standard of care related to data security & privacy. An example of where this taking shape is the cases against Home Depot. In the past week or so, a judge ruled not to dismiss the cases brought by financial institutions. I believe that they are likely to go through. <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> I am working on a white paper now that develops this discussion further, and I will send it on when it is done, which should be in the next few weeks. <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>V/R,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Jim McC<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>James D. McCartney CIPP/G, CITRMS<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Partner, Accurate Data Partners, LLC<o:p></o:p></span></p><p class=MsoNormal><a href="mailto:jmccartney@accuratedatapartners.com">jmccartney@accuratedatapartners.com</a><span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>571-207-6339<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b>From:</b> Federated ID Management Task Force [<a href="mailto:BL-FIDM@MAIL.AMERICANBAR.ORG">mailto:BL-FIDM@MAIL.AMERICANBAR.ORG</a>] <b>On Behalf Of </b>Smedinghoff, Tom<br><b>Sent:</b> Wednesday, December 10, 2014 12:08 PM<br><b>To:</b> <a href="mailto:BL-FIDM@MAIL.AMERICANBAR.ORG">BL-FIDM@MAIL.AMERICANBAR.ORG</a><br><b>Subject:</b> Re: [ABA-IDM-TASK-FORCE] IdM Liability Legislation<o:p></o:p></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D'>Bob – In theory, IdM legislation could be written apply to the private sector, the public sector, or both. The EU eIDAS regulation expressly applies to the public sector – i.e., it imposes liability on member states for failure to meet the requirements of the Regulation. It also appears to apply at some level to private sector entities that are part of an identity system that a country notifies to the EU Commission. It’s not entirely clear to me whether the proposed Virginia legislation is intended to generally apply to the public sector, but it does include a provision expressly stating that the Act does not constitute a waiver of sovereign immunity by any government entity. As to driver’s licenses, my sense is that all states have a law expressly excluding state liability for erroneous driver’s licenses. But I’m also not sure whether Virginia intends to have public entities act as identity providers for electronic credentials, or leave that to the private sector. - Tom<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#7F7F7F'>Thomas J. Smedinghoff</span></b><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#7F7F7F'><br>Edwards Wildman Palmer LLP<br>225 W. Wacker Drive<br>Chicago, Illinois 60606<br>Office: +1 312-201-2021<br>Mobile: +1 312-545-1333<br></span><a href="mailto:tsmedinghoff@edwardswildman.com"><span style='font-size:10.0pt;font-family:"Arial",sans-serif'>tsmedinghoff@edwardswildman.com</span></a><span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'> Federated ID Management Task Force [<a href="mailto:BL-FIDM@MAIL.AMERICANBAR.ORG">mailto:BL-FIDM@MAIL.AMERICANBAR.ORG</a>] <b>On Behalf Of </b>Bob Pinheiro<br><b>Sent:</b> Wednesday, December 10, 2014 9:40 AM<br><b>To:</b> <a href="mailto:BL-FIDM@MAIL.AMERICANBAR.ORG">BL-FIDM@MAIL.AMERICANBAR.ORG</a><br><b>Subject:</b> Re: [ABA-IDM-TASK-FORCE] IdM Liability Legislation<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal>Tom,<br><br>Just to clarify, would any proposed legislation apply only to private sector identity providers (in the US), or would it need to also extend to identity providers in the public sector? For instance, what if an identity provider is a state motor vehicle bureau? In the physical world, the DMVs are the defacto identity providers for most Americans, since a driver's license or state-issued photo ID is accepted as a high assurance credential for most purposes (ie, opening a bank account, boarding a plane, etc). As far as I know, the DMVs are not liable if they issue a license / photo ID to an imposter. So if the DMVs were to issue electronic IDs (eIDs) to people who already possess physical credentials issued by the DMV, would there be any liability issues? Assuming the DMVs have no liability in the case of physical credentials, why would it be any different for electronic credentials?<br><br>Bob Pinheiro<br><br>On 12/10/2014 9:03 AM, Smedinghoff, Tom wrote:<o:p></o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif'>Liability is often cited as a major concern by participants in identity systems. We now have two examples of liability legislation, with each taking quite different approaches. At the risk of some oversimplification, the approaches may be summarized as follows --</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal style='margin-bottom:6.0pt'><span style='font-size:10.0pt;font-family:"Arial",sans-serif'>1. The EU eIDAS Regulation approved last July (which applies to all European states) expressly <b><u>imposes liability</u></b> for damages caused intentionally or negligently due to --</span><o:p></o:p></p><ul style='margin-top:0in' type=disc><li class=MsoNormal style='mso-list:l1 level1 lfo3'><span style='font-size:10.0pt;font-family:"Arial",sans-serif'>a failure to ensure that <b>identification data</b> uniquely representing of the person in question is attributed to the appropriate person in accordance with the technical specifications, standards and procedures for the relevant assurance level, and</span><o:p></o:p></li><li class=MsoNormal style='mso-list:l1 level1 lfo3'><span style='font-size:10.0pt;font-family:"Arial",sans-serif'>a failure to ensure that the <b>identity credential</b> (referred to as the “electronic identification means”) is attributed to the proper person. See Article 11(1) and (2).</span><o:p></o:p></li></ul><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif'>2. By contrast, the proposed Virginia Electronic Identity Management Act (to be introduced in the next legislative session) provides <b><u>immunity from liability</u></b> to identity providers in connection with the <b>issuance of an identity credential</b> so long as so long as the credential was issued in accordance with the specifications of a trust framework that meets the Virginia identity management standards. And this immunity apparently applies even if the identity provider is negligent. See proposed section 59.1-552.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif'>So I have two questions –</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif'>1. Do we need legislation addressing the liability of participants in identity systems, or is it better to let each identity system address liability in a contract-based trust framework? and</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif'>2. If legislation is desirable, how should that legislation address liability?</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif'>Thoughts?</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif'>Tom</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#7F7F7F'>Thomas J. Smedinghoff</span></b><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#7F7F7F'><br>Edwards Wildman Palmer LLP<br>225 W. Wacker Drive<br>Chicago, Illinois 60606<br>Office: +1 312-201-2021<br>Mobile: +1 312-545-1333<br></span><a href="mailto:tsmedinghoff@edwardswildman.com"><span style='font-size:10.0pt;font-family:"Arial",sans-serif'>tsmedinghoff@edwardswildman.com</span></a><o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><pre>-----------------------------<o:p></o:p></pre><pre>Robert Pinheiro Consulting LLC<o:p></o:p></pre><pre>908-654-1939<o:p></o:p></pre><pre><a href="mailto:bob@bobpinheiro.com">bob@bobpinheiro.com</a><o:p></o:p></pre><pre><a href="http://www.bobpinheiro.com">www.bobpinheiro.com</a><o:p></o:p></pre><pre><o:p> </o:p></pre><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>N. Atilla Biler<br><b>Sent:</b> Thursday, December 11, 2014 9:18 AM<br><b>To:</b> 'Gervase Markham'; kirk_hall@trendmicro.com; 'CABFPub'<br><b>Subject:</b> Re: [cabfpub] Reasons in support of Ballot 141<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoPlainText>Of course by saying that “<b><i>Again this means, for instance, a bigger CA which has 100.000 active OV SSLs in the market will need to be liable for 500 million USD</i></b>.”, I do not mean misissuing this much SSL.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>What I’m interpreting from Kirk’s ballot is, for this much active (and healthy) SSL in usage, I somehow need to guarantee the 5000 USD per SSL financial liability which totals 500.000 USD, just in case. <o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>So, there should be a clear interpretation of the ballot statement “<b><i>CAs must retain minimum potential liability for DV certs of at least $2,000, for OV certs $5,000, and for EV certs $10,000</i></b>.”. <o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><b><u>Question</u>: </b>What exactly does a CA having 100.000 active OV SSLs “must retain” as a financial requirement according to this ballot?<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>-----Original Message-----<br>From: Gervase Markham [<a href="mailto:gerv@mozilla.org">mailto:gerv@mozilla.org</a>] <br>Sent: 11 Aralık 2014 Perşembe 17:42<br>To: N. Atilla Biler; <a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>; 'CABFPub'<br>Subject: Re: [cabfpub] Reasons in support of Ballot 141<o:p></o:p></p><p class=MsoPlainText><span lang=TR><o:p> </o:p></span></p><p class=MsoPlainText><span lang=TR>On 11/12/14 10:11, N. Atilla Biler wrote:<o:p></o:p></span></p><p class=MsoPlainText><span lang=TR>> If a CA has 1000 OV certs issued to 1000 different clients, does this <o:p></o:p></span></p><p class=MsoPlainText><span lang=TR>> statement imply, for instance, that<o:p></o:p></span></p><p class=MsoPlainText><span lang=TR>> <o:p></o:p></span></p><p class=MsoPlainText><span lang=TR>> · the CA should put aside some liquid assets that would sum up<o:p></o:p></span></p><p class=MsoPlainText><span lang=TR>> to 5 million USD for their liability? or alternatively<o:p></o:p></span></p><p class=MsoPlainText><span lang=TR>> <o:p></o:p></span></p><p class=MsoPlainText><span lang=TR>> · the CA should have an insurance of 5 million USD for their<o:p></o:p></span></p><p class=MsoPlainText><span lang=TR>> liability?<o:p></o:p></span></p><p class=MsoPlainText><span lang=TR><o:p> </o:p></span></p><p class=MsoPlainText><span lang=TR>Neither, necessarily (as I read it). The insurance is per Relying Party, and it's not easy to count those.<o:p></o:p></span></p><p class=MsoPlainText><span lang=TR><o:p> </o:p></span></p><p class=MsoPlainText><span lang=TR>The point is that if a CA misissues a DV cert and 1,000 people rely on it and get scammed, then the CA's potential liability is $2M, if all of those people successfully sue the CA (perhaps as part of a class action suit). If 100,000 people _all_ get scammed, the potential liability is higher. But the chances of this happening are also extremely slim.<o:p></o:p></span></p><p class=MsoPlainText><span lang=TR><o:p> </o:p></span></p><p class=MsoPlainText><span lang=TR>> In any case, the cost of this liability to that CA will be more than <o:p></o:p></span></p><p class=MsoPlainText><span lang=TR>> “one penny” if the above understanding is true.<o:p></o:p></span></p><p class=MsoPlainText><span lang=TR><o:p> </o:p></span></p><p class=MsoPlainText><span lang=TR>I believe what Kirk means is that there is no necessary additional cost<o:p></o:p></span></p><p class=MsoPlainText><span lang=TR>- the CA may choose to assume the risk of misissuance. If a CA wishes, in the light of the new requirement, to insure against its own malpractice, then perhaps there would be a cost for that insurance.<o:p></o:p></span></p><p class=MsoPlainText><span lang=TR><o:p> </o:p></span></p><p class=MsoPlainText><span lang=TR>> Again this means, for<o:p></o:p></span></p><p class=MsoPlainText><span lang=TR>> instance, a bigger CA which has 100.000 active OV SSLs in the market <o:p></o:p></span></p><p class=MsoPlainText><span lang=TR>> will need to be liable for 500 million USD. If we even consider the <o:p></o:p></span></p><p class=MsoPlainText><span lang=TR>> relying parties for this CA, say 1 million end users as a minimum, the <o:p></o:p></span></p><p class=MsoPlainText><span lang=TR>> liability amount will be 5 billion USDs where the things become ridiculous.<o:p></o:p></span></p><p class=MsoPlainText><span lang=TR><o:p> </o:p></span></p><p class=MsoPlainText><span lang=TR>If a CA has misissued 100,000 certs, then perhaps it's better if it goes out of business! ;-))<o:p></o:p></span></p><p class=MsoPlainText><span lang=TR><o:p> </o:p></span></p><p class=MsoPlainText><span lang=TR>Gerv<o:p></o:p></span></p></div></body></html>