<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 23, 2017 at 2:37 AM, Gervase Markham via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 22/10/17 00:12, Kirk Hall via Public wrote:<br>
> The draft ballot continues to allow a CA to limit liability for a bad EV<br>
> cert to $2,000 per subscriber or relying party, but ALSO allows the CA<br>
> to limit aggregate liability from all claims from a single bad EV cert<br>
> to $100,000<br>
<br>
</span>I can see why a CA might want this to make it easier to get insurance,<br>
as the liability is not unlimited. But the $100,000 figure in particular<br>
seems low to me. In fact, as does the $2,000 per subscriber. If someone<br>
has suffered significant harm, why should they not be able to claim more<br>
than $2,000?<br>
<br>
I'd like to see figures like:<br>
<br>
Per-subscriber: $50,000<br>
Per-cert: $1M<br>
Per-incident: $5M<br>
<br>
This still leaves the same per-incident cap, and so the same theoretical<br>
maximum.<br>
<br>
EV is supposed to be a solid, validated cert. In 10 years we have,<br>
AFAIK, had no confirmed cases of misissuance. The amounts available<br>
should reflect CAs' confidence in the vetting.<br></blockquote><div><br></div><div>I don't believe this is correct or supported by fact, Gerv, nor supported by the limits of liability if you review CA's CP/CPS.</div><div><br></div><div>We are very much opposed to increasing liability, and I'm surprised to see Mozilla advocating it, given its past votes to abolish liability requirements from EV given the practical challenges they face. </div></div></div></div>