[cabfpub] Pre-ballot on Insurance and Financial Responsibility

kirk_hall at trendmicro.com
Tue Nov 25 16:49:12 MST 2014


Ryan – I’ll try to address your concern below – let me know if we are talking past each other.

Each country has its own national laws on when the seller of a product or service can be held liable by a customer and/or by a third party who is injured by a defect (such as a mis-issued cert).  I can only speak to US law (based on UK law, but changed over the years).

Speaking very broadly, there are two sources of potential liability under US law for a defective product – contract law, and tort law (a tort is a legal wrong that exists independent of a contract, such as if I hit your car).  Contract law means the seller is liable generally for whatever the contract says (and is usually not liable to a third party, such as a relying party).  But under something called the UCC, there is a presumption that the product meets general requirements for the product (e.g., the toaster will toast bread).  However, this can be disclaimed to some degree in a contract.  Most CAs try to limit or deny liability to relying parties in Relying Party Agreements.

As to tort liability, the seller will be generally liable for a product that explodes and hurts the customer or even an unknown third party (like a relying party), if the product was defective.  In most cases, the claimant has to prove four elements to collect damages – duty, breach of duty (the first two elements are “negligence”), causation of damages, and amount of damages.  However, if a thing is inherently dangerous (like an exploding toaster), the injured party generally doesn’t have to prove negligence, and it’s up to the maker/seller to prove there was no negligence.

I’m going through all this to try to point out that current law does potentially impose both contractual and tort liability on CAs – but probably can be disclaimed by the CAs in the Subscriber Agreement and the Relying Party Agreement (maybe).  Of course, this legal analysis will be different for every country where the CA does business.  As I understand it, it may be harder for a CA to avoid legal liability in Europe than the US.

My ballot did not attempt to describe the cases in which a CA could or would be legally liable to subscribers (customers) or relying parties – that’s simply too hard to do.  What my ballot is trying to do is say to CAs “Whatever your legal liability is in a given country, you can’t eliminate that liability through your Subscriber Agreement or Relying Party Agreement to a figure below [what is in the ballot]”.  That is a big improvement on the current situation, where a CA may be liable for a mis-issued DV or OV cert, but can walk away from injured parties without paying a cent – that would end with this ballot.

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Tuesday, November 25, 2014 3:31 PM
To: Kirk Hall (RD-US)
Cc: CABFPub
Subject: Re: [cabfpub] Pre-ballot on Insurance and Financial Responsibility


Hi Kirk,

I don't see how this addresses the root concern, which is establishing liability.

You focus on disclaiming liability for valid claims, but you fail to identify what is a valid claim. This is hidden in the "legally recognized and provable claims" language that retains its (effectively unworkable) ambiguity.

For example, many CP/CPS disclaim liability if the RP application did not perform (CRL, OCSP) checking in hard fail mode. CAs hopefully realize why this would be unacceptable for browsers to deploy, and indeed none do, but it has the effect of eliminating the CA's obligations of liability due to the fact that the client failed to meet the CA's definition of liability.

Likewise, most CP/CPSes restrict liability to financial transactions. As I discussed in great detail previously, on our calls and via email, this allows a CA to disclaim liability if a user's password is compromised due to a misissuance, and that compromised password is used on some secondary site to perform a financial transaction. This indirection through a secondary site allows CAs to argue the liability is on the secondary site for not having stronger password controls, such as mandatory rotation or two factor auth.

As such, while I greatly appreciate your efforts to continue to explore this, it still falls short of addressing the many concerns with the liability provisions in general, and the "actual security" provided by this is equivalent to the security provided by OCSP in soft fail - that is, no value at all, except from the most ignorant of (attacker, CA). Which is not much at all.

On Nov 26, 2014 12:14 AM, "kirk_hall at trendmicro.com" <kirk_hall at trendmicro.com> wrote:
Here is the pre-ballot I have been working on for several weeks to replace the existing EV insurance requirements with new financial responsibility provisions.  (Gerv, I just noticed you also have a pre-ballot – please take a look at this one as well.)

As you know, Trend Micro was the first to suggest the existing EVGL insurance requirements didn’t make much sense in terms of making sure CAs were financially responsible for their product (certificates) and making sure CAs were financially capable of dealing with certificate mis-issuance, a breach, and/or possible termination expenses.

In recent emails, I suggested two possible substitutes for mandatory CA insurance:

1.  Minimum capital requirements (similar to the measurements we already have at the end of current EVGL Sec. 8.4 on insurance) – I’m still working on that proposal, and will come back with something shortly.

2.  Making CAs potentially liable for certificate mis-issuance for all their certs – DV, OV, and EV – not just for EV certs.  This proposal is very simple, and is included in the attached pre-ballot.

Today, CAs can disclaim (deny) their legal liability for DV and OV certs all the way to zero – meaning, even if they are found liable by a court for damages to customers and relying parties for mis-issued certificates, they can avoid making any payments to anyone.  That’s just plain wrong.  The EV Guidelines presently allow CAs to limit what they pay to customers and relying parties for mis-issued certificates to $2,000 – that’s too low, considering all the potential risks to the public.

The attached pre-ballot simply raises the potential liability cap to $10,000 for mis-issued EV certs, and requires that CAs potentially be liable up to $5,000 for mis-issued OV certs and $2,000 for mis-issued DV certs.  This recognizes the different levels of verification that are applied to each type of cert.

Please note:  This ballot does not create or impose legal liability on any CA – that already exists under applicable national law.  What the ballot does is say that a CA must be willing to back up whatever legal liability it has by some amount of money, and can’t just say to customers and relying parties who have valid legal claims for damages “Too bad, I’m not going to pay you anything.”  We do, however, allow CAs to cap their liability at the $2,000 / $5,000 / $10,000 per cert levels, which would help keep aggregate damage claims within an overall limit.

We have done so many other things to avoid and detect certificate mis-issuance (e.g., the Network and Certificate Systems Security Requirements, Certificate Transparency, etc.) that this is a natural extension of that effort – and it will reinforce the value of SSL certificates from trusted CAs.

Several CAs I’ve consulted with already support these three liability levels.  I’d be happy for endorsers for this pre-ballot.

Kirk R. Hall
Operations Director, Trust Services
Trend Micro
+1.503.753.3088

*****

Pre-Ballot on Insurance and Financial Responsibility

1.  EV Guideline 8.4 is deleted.

2.  EV Guideline Section 18 is amended to read as follows:

18. Liability and Indemnification

CAs MAY limit their liability as described in Section 18 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than ten thousand US dollars per Subscriber or Relying Party per EV Certificate.

A CA's indemnification obligations and a Root CA’s obligations with respect to subordinate CAs are set forth in the Baseline Requirements.

3. Baseline Requirements Section 18.1 is amended to read as follows:

18.1 Liability to Subscribers and Relying Parties

If the CA has issued and managed the Certificate in compliance with these Requirements and its Certificate Policy and/or Certification Practice Statement, the CA MAY disclaim liability to the Certificate Beneficiaries or any other third parties for any losses suffered as a result of use or reliance on such Certificate beyond those specified in the CA's Certificate Policy and/or Certification Practice Statement. If the CA has not issued or managed the Certificate in compliance with these Requirements and its Certificate Policy and/or Certification Practice Statement, the CA MAY seek to limit its liability to the Subscriber and to Relying Parties, regardless of the cause of action or legal theory involved, for any and all claims, losses or damages suffered as a result of the use or reliance on such Certificate by any appropriate means that the CA desires. If the CA chooses to limit its liability for Certificates that are not issued or managed in compliance with these Requirements or its Certificate Policy and/or Certification Practice Statement, then the CA SHALL include the limitations on liability in the CA’s Certificate Policy and/or Certification Practice Statement.  Notwithstanding the foregoing, a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per DV Certificate or less than five thousand US dollars per Subscriber or Relying Party per OV Certificate.
