[cabfpub] Reasons in support of Ballot 141

N. Atilla Biler atilla.biler at turktrust.com.tr
Thu Dec 11 16:18:10 UTC 2014


Of course by saying that “Again this means, for instance, a bigger CA which has 100.000 active OV SSLs in the market will need to be liable for 500 million USD.”, I do not mean misissuing this much SSL.

What I’m interpreting from Kirk’s ballot is, for this much active (and healthy) SSL in usage, I somehow need to guarantee the 5000 USD per SSL financial liability which totals 500.000 USD, just in case.

So, there should be a clear interpretation of the ballot statement “CAs must retain minimum potential liability for DV certs of at least $2,000, for OV certs $5,000, and for EV certs $10,000.”.

Question: What exactly does a CA having 100.000 active OV SSLs “must retain” as a financial requirement according to this ballot?


-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Thursday, 11 December 2014 17:42
To: N. Atilla Biler; kirk_hall at trendmicro.com; 'CABFPub'
Subject: Re: [cabfpub] Reasons in support of Ballot 141


On 11/12/14 10:11, N. Atilla Biler wrote:

> If a CA has 1000 OV certs issued to 1000 different clients, does this
> statement imply, for instance, that
>
> ·         the CA should put aside some liquid assets that would sum up
>           to 5 million USD for their liability? or alternatively
>
> ·         the CA should have an insurance of 5 million USD for their
>           liability?

Neither, necessarily (as I read it). The insurance is per Relying Party, and it's not easy to count those.

The point is that if a CA misissues a DV cert and 1,000 people rely on it and get scammed, then the CA's potential liability is $2M, if all of those people successfully sue the CA (perhaps as part of a class action suit). If 100,000 people _all_ get scammed, the potential liability is higher. But the chances of this happening are also extremely slim.

> In any case, the cost of this liability to that CA will be more than
> “one penny” if the above understanding is true.

I believe what Kirk means is that there is no necessary additional cost - the CA may choose to assume the risk of misissuance. If a CA wishes, in the light of the new requirement, to insure against its own malpractice, then perhaps there would be a cost for that insurance.

> Again this means, for
> instance, a bigger CA which has 100.000 active OV SSLs in the market
> will need to be liable for 500 million USD. If we even consider the
> relying parties for this CA, say 1 million end users as a minimum, the
> liability amount will be 5 billion USDs where the things become ridiculous.

If a CA has misissued 100,000 certs, then perhaps it's better if it goes out of business! ;-))

Gerv
