[cabfpub] Second new BR on Financial Responsibility -- Limit on disclaimer of liability for DV and OV certs

i-barreira at izenpe.net i-barreira at izenpe.net
Wed Nov 5 09:52:28 UTC 2014

Well, this $2,000 is another type of doing business of the US companies, in which they indicate the maximum you can claim in case of an issue. I'm not very familiar with EU laws, but I don't think we work that way and don't know how many EU CAs offer that option.

Again, I don't know/think this fits into the EU.



Iñigo Barreira
Head of Technical Area
i-barreira at izenpe.net






From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On behalf of kirk_hall at trendmicro.com
Sent: Wednesday, 05 November 2014 1:03
To: CABFPub (public at cabforum.org)
Subject: [cabfpub] Second new BR on Financial Responsibility -- Limit on disclaimer of liability for DV and OV certs


In a previous email, I gave the background for two possible new Financial Responsibility Baseline Requirement rules relating to CA Financial Responsibility, and I offered a possible ballot in that email relating to minimum capital requirements.


This email proposes a possible second Financial Responsibility requirement for preliminary discussion – in this case, greater potential liability among CAs to their customers and relying parties for certificate mis-issuance.


The BRs and EV Guidelines include a number of sections relating to CA liability:


Required Warranties to Subscribers (BR Sec. 7, EVGL Sec. 7)


Liability to Subscribers and Relying Parties (BR 18.1, EVGL 18)


Permitted *Limitation of Liability* to Subscribers and Relying Parties (BR 18.1, EVGL 18)


Indemnification of Application Software Suppliers (BR 18.2)


The required warranties under the BRs and EVGL are somewhat different.  However, the Liability / Limitation of Liability sections of the BRs and EVGL are basically the same except that the BRs allow the CA to limit its general liability to subscribers and relying parties to -$ZERO-, while the EVGL do not allow CAs to limit their general liability to less than $2,000 per certificate.  Here is how EVGL 18 reads:


EVGL Section 18. Liability and Indemnification


CAs MAY limit their liability as described in Section 18 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars ($2,000) per Subscriber or Relying Party per EV Certificate.


Here is what I would propose for discussion in the Forum as a possible second Financial Responsibility ballot:


- Change Section 18 of the Baseline Requirements so that the current $2,000 minimum liability figure for EV certificates applies to all types of certs (DV, OV, EV, and any other type of cert covered by the BRs).  This means that CAs could no longer limit their general liability for DV and OV certs to $0.


I think the reasons for this proposed change are self-evident – it means that all CAs are financially responsible for all their certificate offerings (not just EV certs).  This rule change would not create any new basis for CA legal liability – CAs would only be liable to subscribers and relying parties if applicable national law says they are liable, the same as today.  However, the change would prohibit CAs from disclaiming all liability for the DV and OV certs they issue.  Today, most CAs say their liability for DV and OV certs is capped at $0; after this ballot, that figure would be $2,000 or any higher figure the CA chooses.


There have been very few claims against CAs over the past 10-15 years that I'm aware of, and some CAs already offer extra warranty protection.  But this potential ballot would be a way of making CAs step up and take at least some potential general liability for all their products, which is a good thing for the public and adds to financial responsibility.


As a side benefit, I believe CAs could also get some good media coverage from a step like this (we would deserve it), and a BR change may help the public to value digital certificates more if they know CAs have agreed to be financially responsible for their products.


Any preliminary comments?


Kirk R. Hall

Operations Director, Trust Services

Trend Micro




