[cabfpub] Reasons in support of Ballot 141

Ben Wilson ben.wilson at digicert.com
Thu Dec 11 16:35:09 UTC 2014


All,

This current discussion on one of the American Bar lists has some relevance
to the directions we're headed with CA liability in various jurisdictions
globally.

Ben

 

From: Federated ID Management Task Force
[mailto:BL-FIDM at MAIL.AMERICANBAR.ORG] On Behalf Of James D McCartney
Sent: Thursday, December 11, 2014 6:25 AM
To: BL-FIDM at MAIL.AMERICANBAR.ORG
Subject: Re: [ABA-IDM-TASK-FORCE] IdM Liability Legislation

 

Tom,

In practical terms, I can't see any kind of legislation making it through to
be able to help. More important, I believe that the current structures of
negligence are sufficient. What is missing is the standard against which
negligence can be measured. An interesting parallel which may offer an answer
is data security and privacy.

I'm sure most people on this list are familiar with the recent rulings that
have used the HIPAA as a standard of care to determine negligence. Given the
increasing number of breaches occurring, this is likely to expand to use
HIPAA, GLB, and several other laws as establishing a common standard of care
related to data security & privacy. An example of where this is taking shape
is the cases against Home Depot. In the past week or so, a judge ruled not to
dismiss the cases brought by financial institutions. I believe that they are
likely to go through.

I am working on a white paper now that develops this discussion further, and
I will send it on when it is done, which should be in the next few weeks.

 

V/R,

Jim McC

 

James D. McCartney CIPP/G, CITRMS

Partner, Accurate Data Partners, LLC

jmccartney at accuratedatapartners.com

571-207-6339

 

 

From: Federated ID Management Task Force
[mailto:BL-FIDM at MAIL.AMERICANBAR.ORG] On Behalf Of Smedinghoff, Tom
Sent: Wednesday, December 10, 2014 12:08 PM
To: BL-FIDM at MAIL.AMERICANBAR.ORG
Subject: Re: [ABA-IDM-TASK-FORCE] IdM Liability Legislation

 

Bob - In theory, IdM legislation could be written to apply to the private
sector, the public sector, or both. The EU eIDAS regulation expressly
applies to the public sector - i.e., it imposes liability on member states
for failure to meet the requirements of the Regulation. It also appears to
apply at some level to private sector entities that are part of an identity
system that a country notifies to the EU Commission. It's not entirely clear
to me whether the proposed Virginia legislation is intended to generally
apply to the public sector, but it does include a provision expressly
stating that the Act does not constitute a waiver of sovereign immunity by
any government entity. As to driver's licenses, my sense is that all states
have a law expressly excluding state liability for erroneous driver's
licenses. But I'm also not sure whether Virginia intends to have public
entities act as identity providers for electronic credentials, or leave that
to the private sector. - Tom

 

Thomas J. Smedinghoff
Edwards Wildman Palmer LLP
225 W. Wacker Drive
Chicago, Illinois 60606
Office: +1 312-201-2021
Mobile:  +1 312-545-1333
tsmedinghoff at edwardswildman.com

 

From: Federated ID Management Task Force
[mailto:BL-FIDM at MAIL.AMERICANBAR.ORG] On Behalf Of Bob Pinheiro
Sent: Wednesday, December 10, 2014 9:40 AM
To: BL-FIDM at MAIL.AMERICANBAR.ORG
Subject: Re: [ABA-IDM-TASK-FORCE] IdM Liability Legislation

 

Tom,

Just to clarify, would any proposed legislation apply only to private sector
identity providers (in the US), or would it need to also extend to identity
providers in the public sector? For instance, what if an identity provider
is a state motor vehicle bureau? In the physical world, the DMVs are the
de facto identity providers for most Americans, since a driver's license or
state-issued photo ID is accepted as a high assurance credential for most
purposes (i.e., opening a bank account, boarding a plane, etc). As far as I
know, the DMVs are not liable if they issue a license / photo ID to an
imposter. So if the DMVs were to issue electronic IDs (eIDs) to people who
already possess physical credentials issued by the DMV, would there be any
liability issues? Assuming the DMVs have no liability in the case of
physical credentials, why would it be any different for electronic
credentials?

Bob Pinheiro

On 12/10/2014 9:03 AM, Smedinghoff, Tom wrote:

Liability is often cited as a major concern by participants in identity
systems. We now have two examples of liability legislation, with each taking
quite different approaches.  At the risk of some oversimplification, the
approaches may be summarized as follows --

 

1.  The EU eIDAS Regulation approved last July (which applies to all
European states) expressly imposes liability for damages caused
intentionally or negligently due to --

* a failure to ensure that identification data uniquely representing
  the person in question is attributed to the appropriate person in
  accordance with the technical specifications, standards and procedures for
  the relevant assurance level, and
* a failure to ensure that the identity credential (referred to as the
  "electronic identification means") is attributed to the proper person. See
  Article 11(1) and (2).

 

2.  By contrast, the proposed Virginia Electronic Identity Management Act
(to be introduced in the next legislative session) provides immunity from
liability to identity providers in connection with the issuance of an
identity credential so long as the credential was issued in accordance with
the specifications of a trust framework that meets the Virginia identity
management standards. And this immunity apparently applies even if the
identity provider is negligent. See proposed section 59.1-552.

 

So I have two questions -

 

1.  Do we need legislation addressing the liability of participants in
identity systems, or is it better to let each identity system address
liability in a contract-based trust framework? and

 

2.  If legislation is desirable, how should that legislation address
liability?

 

Thoughts?

 

Tom

 

Thomas J. Smedinghoff
Edwards Wildman Palmer LLP
225 W. Wacker Drive
Chicago, Illinois 60606
Office: +1 312-201-2021
Mobile:  +1 312-545-1333
tsmedinghoff at edwardswildman.com

 

-----------------------------
Robert Pinheiro Consulting LLC
908-654-1939
bob at bobpinheiro.com
http://www.bobpinheiro.com
 

 

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of N. Atilla Biler
Sent: Thursday, December 11, 2014 9:18 AM
To: 'Gervase Markham'; kirk_hall at trendmicro.com; 'CABFPub'
Subject: Re: [cabfpub] Reasons in support of Ballot 141

 

Of course by saying that "Again this means, for instance, a bigger CA which
has 100.000 active OV SSLs in the market will need to be liable for 500
million USD.", I do not mean misissuing this much SSL.

 

What I'm interpreting from Kirk's ballot is, for this much active (and
healthy) SSL in usage, I somehow need to guarantee the 5000 USD per SSL
financial liability which totals 500.000 USD, just in case. 

 

So, there should be a clear interpretation of the ballot statement "CAs must
retain minimum potential liability for DV certs of at least $2,000, for OV
certs $5,000, and for EV certs $10,000.". 

 

Question: What exactly does a CA having 100.000 active OV SSLs "must retain"
as a financial requirement according to this ballot?

 

 

 

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Thursday, 11 December 2014 17:42
To: N. Atilla Biler; kirk_hall at trendmicro.com; 'CABFPub'
Subject: Re: [cabfpub] Reasons in support of Ballot 141

 

On 11/12/14 10:11, N. Atilla Biler wrote:

> If a CA has 1000 OV certs issued to 1000 different clients, does this
> statement imply, for instance, that
>
> * the CA should put aside some liquid assets that would sum up
>   to 5 million USD for their liability? or alternatively
> * the CA should have an insurance of 5 million USD for their
>   liability?

 

Neither, necessarily (as I read it). The insurance is per Relying Party, and
it's not easy to count those.

 

The point is that if a CA misissues a DV cert and 1,000 people rely on it
and get scammed, then the CA's potential liability is $2M, if all of those
people successfully sue the CA (perhaps as part of a class action suit). If
100,000 people _all_ get scammed, the potential liability is higher. But the
chances of this happening are also extremely slim.

 

> In any case, the cost of this liability to that CA will be more than
> "one penny" if the above understanding is true.

 

I believe what Kirk means is that there is no necessary additional cost
- the CA may choose to assume the risk of misissuance. If a CA wishes, in
the light of the new requirement, to insure against its own malpractice,
then perhaps there would be a cost for that insurance.

 

> Again this means, for
> instance, a bigger CA which has 100.000 active OV SSLs in the market
> will need to be liable for 500 million USD. If we even consider the
> relying parties for this CA, say 1 million end users as a minimum, the
> liability amount will be 5 billion USDs where the things become
> ridiculous.

 

If a CA has misissued 100,000 certs, then perhaps it's better if it goes out
of business! ;-))

 

Gerv
