<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Courier;
panose-1:2 7 4 9 2 2 5 2 4 4;}
@font-face
{font-family:"MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Heiti SC";}
@font-face
{font-family:"\@MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Courier;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">You have stated the situation well, Peter.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Right now, the EVGL say a CA may limit its liability for a bad EV cert to $2,000 per subscriber or relying party, but in an extreme case there could be 500,000 valid claims for $2,000 each, or $1 billion in damages
– tough on some CAs.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The draft ballot continues to allow a CA to limit liability for a bad EV cert to $2,000 per subscriber or relying party, but ALSO allows the CA to limit aggregate liability from all claims from a single bad EV
cert to $100,000, AND ALSO allows a CA to limit liability in the aggregate for all claims during a 12 month period for all bad EV certs from all subscribers or relying parties to $5,000,000 (assuming a massive failure in the CA’s EV operations). Imposing
these limits is optional for the CA, who can mix and match the options – but a CA can’t choose lower numbers for any one of these limits.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">You are noting there is another alternative, which to eliminate the EVGL paragraph on liability altogether. That would allow a CA to say “Our liability for a bad EV cert is $0 to any subscriber or relying party
and $0 dollars in the aggregate for all bad EV cert we ever issue in the history of our company.” Some CAs use language like this for their DV and even OV certs.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">When we drafted the EV Guidelines, we wanted to make EV certs “better” for users than DV and OV, and we as CAs wanted to demonstrate our confidence in the security of EV certs by putting our money where our work
was – in the EV certs. So from a personal standpoint, I’d don’t want to delete the current liability section of the EVGL entirely (which would allow a CA to choose $0 liability for EV certs) – I think Ben’s ballot is the better approach. It correctly deals
with the current “unlimited aggregate liability” problem in the existing EVGL language, but still makes CAs financially responsible for bad EV certs that actually cause financial harm to subscribers and relying parties.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Public [mailto:public-bounces@cabforum.org] <b>
On Behalf Of </b>Peter Bowen via Public<br>
<b>Sent:</b> Saturday, October 21, 2017 12:33 PM<br>
<b>To:</b> Wayne Thayer <wthayer@godaddy.com>; CA/Browser Forum Public Discussion List <public@cabforum.org>; Virginia Fournier <vfournier@apple.com>; Moudrick M. Dadashov <md@ssc.lt><br>
<b>Subject:</b> [EXTERNAL]Re: [cabfpub] Limitation of Liability and Indemnification<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Echoing Wayne, my understanding is that this is not directly about relying parties and/or subscribers, rather it sets rules around what a CA may include in their agreements.<span style="font-size:12.0pt"><o:p></o:p></span></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The current text in the EV Guidelines says:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">"CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less
than two thousand US dollars per Subscriber or Relying Party per EV Certificate.”<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Based on the prior comments from Moudrick and others, we suggest adding two new sentences at the end to make it clearer how things can be combined.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">"CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less
than two thousand US dollars per Subscriber or Relying Party per EV Certificate. Notwithstanding the foregoing, a CA MAY limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to an amount equal to, or greater than
(1) one hundred thousand US dollars – aggregated across all claims, Subscribers, and Relying Parties – per EV Certificate or (2) five million US dollars – aggregated across all claims, Subscribers, and Relying Parties – for all EV Certificates issued by the
CA during any continuous 12 month period. These limitations are notwithstanding anything in the Baseline Requirements purportedly to the contrary."<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">On the other hand, if there is agreement that this paragraph is unnecessary or has no effect, then I suggest that we amend this ballot to simply remove the whole paragraph.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Peter<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Oct 12, 2017, at 3:41 PM, Wayne Thayer via Public <<a href="mailto:public@cabforum.org">public@cabforum.org</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">Virginia,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">As Ryan stated, this requirement is about constraining the liability limits that CAs are allowed to place in their SA/RPA(s). If the CA isn’t permitted to enter in to an agreement with a liability limit lower than what is specified by
the CA/B Forum and enforced by the root programs via audits, then I fail to see how these limitations ‘are not required’?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Wayne <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<div>
<p class="MsoNormal"><b><span style="font-size:12.0pt">From: </span></b><span style="font-size:12.0pt">Public <<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>> on behalf of Virginia Fournier via Public <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br>
<b>Reply-To: </b>Virginia Fournier <<a href="mailto:vfournier@apple.com">vfournier@apple.com</a>>, CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br>
<b>Date: </b>Thursday, October 12, 2017 at 3:21 PM<br>
<b>To: </b>"Moudrick M. Dadashov" <<a href="mailto:md@ssc.lt">md@ssc.lt</a>><br>
<b>Cc: </b>CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br>
<b>Subject: </b>Re: [cabfpub] Limitation of Liability and Indemnification</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">MD,<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal">If you can get the Relying Parties and Subscribers to sign the agreement with the limitations of liability and indemnification in it, then they are bound. But the rest does not require them to agree to those provisions. It’s entirely
up to the Relying Parties and Subscribers to decide whether they accept those provisions or not.
<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">If you have any additional questions, you should discuss with your counsel.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Given that the limitations are not required, is there a need to proceed with this ballot?<o:p></o:p></p>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif"><br>
<br>
<br>
</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><br>
<br>
<br>
</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Helvetica",sans-serif">Best regards,</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Helvetica",sans-serif"> </span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Helvetica",sans-serif">Virginia Fournier</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Helvetica",sans-serif">Senior Standards Counsel</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Heiti SC";color:#5E5E5E"></span><span style="font-size:10.5pt;font-family:"Helvetica",sans-serif"> Apple Inc.</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"MS Mincho"">☏</span><span style="font-size:10.5pt;font-family:"Helvetica",sans-serif"> 669-227-9595</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"MS Mincho"">✉</span><span style="font-size:10.5pt;font-family:"MS Mincho"">︎</span><span style="font-size:10.5pt;font-family:"Helvetica",sans-serif"> <a href="mailto:vmf@apple.com">vmf@apple.com</a></span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"> </span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"> </span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal">On Oct 12, 2017, at 3:11 PM, Moudrick M. Dadashov <<a href="mailto:md@ssc.lt">md@ssc.lt</a>> wrote:<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-family:"Cambria",serif">How about:<br>
<br>
BR/EVG --> Webtrust/ETSI schemes --> <b>Root Store schemes</b> --> Audit report --> CP/CPS --> Binding RPA/Subscriber Agreement</span><br>
<br>
Thanks,<br>
M.D<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">On 10/13/2017 12:58 AM, Ryan Sleevi via Public wrote:<o:p></o:p></p>
</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">On Thu, Oct 12, 2017 at 5:38 PM, Virginia Fournier via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Helvetica",sans-serif">Message: 3<br>
Date: Fri, 13 Oct 2017 00:18:33 +0300<br>
From: "Moudrick M. Dadashov" <</span><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><a href="mailto:md@ssc.lt" target="_blank"><span style="font-size:10.5pt">md@ssc.lt</span></a></span><span style="font-size:10.5pt;font-family:"Helvetica",sans-serif">><br>
To: Virginia Fournier via Public <</span><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><a href="mailto:public@cabforum.org" target="_blank"><span style="font-size:10.5pt">public@cabforum.org</span></a></span><span style="font-size:10.5pt;font-family:"Helvetica",sans-serif">><br>
Subject: Re: [cabfpub] Limitation of Liability and Indemnification<br>
Message-ID: <</span><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><a href="mailto:3b9e4544-5b18-7535-c712-1cf544d7d8c5@ssc.lt" target="_blank"><span style="font-size:10.5pt">3b9e4544-5b18-7535-c712-1cf544d7d8c5@ssc.lt</span></a></span><span style="font-size:10.5pt;font-family:"Helvetica",sans-serif">><br>
Content-Type: text/plain; charset="utf-8"; Format="flowed"<br>
<br>
Could you please explain why you think BR and EV Requirements are only <br>
binding on members of the Forum?<br>
<br>
Thanks,<br>
M.D.</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"> </span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Helvetica",sans-serif">Hi M.D.</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"> </span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Helvetica",sans-serif">I can see why this would be hard to understand.</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"> </span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica",sans-serif">Entities who are not members of the Forum have nothing that would legally bind them to abide by those limitations. They aren’t members, so they aren’t bound by any of the Forum documents
- Bylaws, Baseline Requirements, etc. They don’t have a written agreement with the Forum to abide by certain requirements, so they’re not bound that way either. </span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Members of the Forum also aren't bound to abide by the Baseline Requirements.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Given this, does that resolve your concern?<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica",sans-serif">The best way to make the limitations binding on the Subscribers, Relying Parties, etc. would be for the CAs to enter into agreements with those parties, and try to get them to agree to the
limitations. But, again, they could just ignore the limitations.</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Perhaps phrased differently - the BRs describe what such agreements MUST and SHOULD contain. This is allowing a further modification (a MAY) to such agreements. The enforcement and requirement that CAs agreements do or do not contain such
provisions is done by the root stores that individual CAs partner with - not by the Forum.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">No member of the Forum is bound to abide by the Baseline Requirements by the Forum. The only document any member is bound to is to the IPR policy (as per the mutual contracts signed). <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><br>
<br>
<br>
<br>
<o:p></o:p></p>
</div>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></pre>
</blockquote>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></span></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><o:p> </o:p></span></p>
</div>
</div>
</div>
</div>
</body>
</html>