[cabfpub] Reasons in support of Ballot 141

Gervase Markham gerv at mozilla.org
Thu Dec 11 15:42:11 UTC 2014

On 11/12/14 10:11, N. Atilla Biler wrote:
> If a CA has 1000 OV certs issued to 1000 different clients, does this
> statement imply, for instance, that
> - the CA should put aside some liquid assets that would sum up
>   to 5 million USD for their liability? or alternatively
> - the CA should have an insurance of 5 million USD for their
>   liability?

Neither, necessarily (as I read it). The insurance is per Relying Party,
and it's not easy to count those.

The point is that if a CA misissues a DV cert and 1,000 people rely on
it and get scammed, then the CA's potential liability is $2M, if all of
those people successfully sue the CA (perhaps as part of a class action
suit). If 100,000 people _all_ get scammed, the potential liability is
higher. But the chances of this happening are also extremely slim.

> In any case, the cost of this liability to that CA will be more than
> “one penny” if the above understanding is true.

I believe what Kirk means is that there is no necessary additional cost
- the CA may choose to assume the risk of misissuance. If a CA wishes,
in the light of the new requirement, to insure against its own
malpractice, then perhaps there would be a cost for that insurance.

> Again this means, for
> instance, a bigger CA which has 100.000 active OV SSLs in the market
> will need to be liable for 500 million USD. If we even consider the
> relying parties for this CA, say 1 million end users as a minimum, the
> liability amount will be 5 billion USDs where the things become ridiculous.

If a CA has misissued 100,000 certs, then perhaps it's better if it goes
out of business! ;-))
