In a previous email, I gave the background for two possible new Financial Responsibility Baseline Requirement rules relating to CA Financial Responsibility, and I offered a possible ballot in the previous email relating to minimum capital requirements.

This email proposes a possible second Financial Responsibility requirement for preliminary discussion - in this case, greater potential liability among CAs to their customers and relying parties for certificate mis-issuance.

The BRs and EV Guidelines include a number of sections relating to CA liability:

Required Warranties to Subscribers (BR Sec. 7, EVGL Sec. 7)

Liability to Subscribers and Relying Parties (BR 18.1, EVGL 18)

Permitted *Limitation of Liability* to Subscribers and Relying Parties (BR 18.1, EVGL 18)

Indemnification of Application Software Suppliers (BR 18.2)

The required warranties under the BRs and EVGL are somewhat different.  However, the Liability / Limitation of Liability sections of the BRs and EVGL are basically the same except that the BRs allow the CA to limit its general liability to subscribers and relying parties to -$ZERO-, while the EVGL do not allow CAs to limit their general liability to less than $2,000 per certificate.  Here is how EVGL 18 reads:

EVGL Section 18. Liability and Indemnification

CAs MAY limit their liability as described in Section 18 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars ($2,000) per Subscriber or Relying Party per EV Certificate.

Here is what I would propose for discussion in the Forum as a possible second Financial Responsibility ballot:

* Change Section 18 of the Baseline Requirements so that the current $2,000 minimum liability figure for EV certificates applies to all types of certs (DV, OV, EV, and any other type of cert covered by the BRs).  This means that CAs could no longer limit their general liability for DV and OV certs to $0.

I think the reasons for this proposed change are self-evident - it means that all CAs are financially responsible for all their certificate offerings (not just EV certs).  This rule change would not create any new basis for CA legal liability - CAs would only be liable to subscribers and relying parties if applicable national law says they are liable, the same as today.  However, the change would prohibit CAs from disclaiming all liability for the DV and OV certs they issue.  Today, most CAs say their liability for DV and OV certs is capped at $0; after this ballot, that figure would be $2,000 or any higher figure the CA chooses.

There have been very few claims against CAs over the past 10-15 years that I'm aware of, and some CAs already offer extra warranty protection.  But this potential ballot would be a way of making CAs step up and take at least some potential general liability for all their products, which is a good thing for the public and adds to financial responsibility.

As a side benefit, I believe CAs could also get some good media coverage from a step like this (we would deserve it), and a BR change may help the public to value digital certificates more if they know CAs have agreed to be financially responsible for their products.

Any preliminary comments?
