[cabfpub] Second new BR on Financial Responsibility -- Limit on disclaimer of liability for DV and OV certs

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Thu Nov 13 08:08:24 MST 2014


I should clarify – in the US at least, national law may say “A CA can be liable for mistakes”, but national law may ALSO say “But a CA may “disclaim” any responsibility for its liability to $0”.

So CAs today often say in their CPS and Subscriber Agreements “Even if national law says we could be liable for our mistakes, you agree that we don’t have to pay you anything (we disclaim our liability to $0).”  The BRs allow this today.  The EV Guidelines today say that a CA can’t disclaim its liability “for legally recognized and provable claims to a monetary amount less than two thousand US dollars ($2,000) per Subscriber or Relying Party per EV Certificate.”

I’m just suggesting we change the BRs to say the same thing about DV and OV certs as the EV Guidelines say about EV certs – CAs must accept $2,000 liability, but can disclaim (avoid) liability for more than that.

From: me at chemalogo.com [mailto:me at chemalogo.com] On Behalf Of Chema López González
Sent: Thursday, November 13, 2014 5:28 AM
To: Kirk Hall (RD-US)
Cc: CABFPub (public at cabforum.org)
Subject: Re: [cabfpub] Second new BR on Financial Responsibility -- Limit on disclaimer of liability for DV and OV certs

I do not see the point of this proposal. As you say, Kirk, if applicable national law says they are liable, clauses like "liability for DV and OV certs is $0" are declared invalid (not applicable) in case there is a lawsuit.

BRs

--
Chema López
Project Manager - Technical Department
AC Firmaprofesional, S.A.

Edificio ESADECREAPOLIS - 1B13
08173 Sant Cugat del Vallès, Barcelona.
T.  934 774 245
M. 666 429 224

2014-11-05 1:03 GMT+01:00 kirk_hall at trendmicro.com <kirk_hall at trendmicro.com>:
In a previous email, I gave the background for two possible new Financial Responsibility Baseline Requirement rules relating to CA Financial Responsibility, and I offered a possible ballot in the previous email relating to minimum capital requirements.

This email proposes a possible second Financial Responsibility requirement for preliminary discussion – in this case, greater potential liability among CAs to their customers and relying parties for certificate mis-issuance.

The BRs and EV Guidelines include a number of sections relating to CA liability:

Required Warranties to Subscribers (BR Sec. 7, EVGL Sec. 7)

Liability to Subscribers and Relying Parties (BR 18.1, EVGL 18)

Permitted *Limitation of Liability* to Subscribers and Relying Parties (BR 18.1, EVGL 18)

Indemnification of Application Software Suppliers (BR 18.2)

The required warranties under the BRs and EVGL are somewhat different.  However, the Liability / Limitation of Liability sections of the BRs and EVGL are basically the same except that the BRs allow the CA to limit its general liability to subscribers and relying parties to -$ZERO-, while the EVGL do not allow CAs to limit their general liability to less than $2,000 per certificate.  Here is how EVGL 18 reads:

EVGL Section 18. Liability and Indemnification

CAs MAY limit their liability as described in Section 18 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars ($2,000) per Subscriber or Relying Party per EV Certificate.

Here is what I would propose for discussion in the Forum as a possible second Financial Responsibility ballot:


•  Change Section 18 of the Baseline Requirements so that the current $2,000 minimum liability figure for EV certificates applies to all types of certs (DV, OV, EV, and any other type of cert covered by the BRs).  This means that CAs could no longer limit their general liability for DV and OV certs to $0.

I think the reasons for this proposed change are self-evident – it means that all CAs are financially responsible for all their certificate offerings (not just EV certs).  This rule change would not create any new basis for CA legal liability – CAs would only be liable to subscribers and relying parties if applicable national law says they are liable, the same as today.  However, the change would prohibit CAs from disclaiming all liability for the DV and OV certs they issue.  Today, most CAs say their liability for DV and OV certs is capped at $0; after this ballot, that figure would be $2,000 or any higher figure the CA chooses.

There have been very few claims against CAs over the past 10-15 years that I’m aware of, and some CAs already offer extra warranty protection.  But this potential ballot would be a way of making CAs step up and take at least some potential general liability for all their products, which is a good thing for the public and adds to financial responsibility.

As a side benefit, I believe CAs could also get some good media coverage from a step like this (we would deserve it), and a BR change may help the public to value digital certificates more if they know CAs have agreed to be financially responsible for their products.

Any preliminary comments?

Kirk R. Hall
Operations Director, Trust Services
Trend Micro
+1.503.753.3088


TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.



_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public

