[cabfpub] [cabfman] Notes of meeting, CAB Forum, 21 March 2013, Version 1

Rich Smith richard.smith at comodo.com
Tue Mar 26 07:50:22 MST 2013



> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Rob Stradling
> Sent: Monday, March 25, 2013 7:56 AM
<snip>
> BTW, I presume you've considered this section of the BRs...
> 
> "18.2 Indemnification of Application Software Suppliers ...the CA SHALL
> defend, indemnify, and hold harmless each Application Software Supplier
> for any and all claims, damages, and losses suffered by such
> Application Software Supplier related to a Certificate issued by the
> CA, regardless of the cause of action or legal theory involved. This
> does not apply, however, to any claim, damages, or loss suffered by
> such Application Software Supplier related to a Certificate issued by
> the CA where such claim, damage, or loss was directly caused by such
> Application Software Supplier’s software displaying...as trustworthy:
> (1) a Certificate that has expired..."
> 
</snip>
[RWS] Taking item 2 of that section, which you've omitted, into account:
(2) a Certificate that has been revoked (but only in cases where the revocation status is currently available from the CA online, and the application software either failed to check such status or ignored an indication of revoked status).

If there's no revocation info in the cert then the Application Software Supplier isn't liable for making a decision not to check it.  This shifts all the liability back onto the issuing CA.  I am disinclined to make that kind of liability shift for a completely unproven idea.

-Rich