[cabfpub] Second new BR on Financial Responsibility -- Limit on disclaimer of liability for DV and OV certs

Chema López González clopez at firmaprofesional.com
Thu Nov 13 13:27:40 UTC 2014


I do not see the point to this proposal. As you say, Kirk, if applicable
national law says they are liable, clauses like "liability for DV and OV
certs is $0" are declared invalid (not applicable), in case there is a
lawsuit.

BRs

-- 
*Chema López*
*Project Manager - Technical Department*
*AC Firmaprofesional, S.A.*

Edificio ESADECREAPOLIS - 1B13
08173 Sant Cugat del Vallès, Barcelona.
T.  934 774 245
M. 666 429 224

2014-11-05 1:03 GMT+01:00 kirk_hall at trendmicro.com <kirk_hall at trendmicro.com>:

>  In a previous email, I gave the background for two possible new
> Financial Responsibility Baseline Requirement rules relating to CA
> Financial Responsibility, and I offered a possible ballot in the previous
> email relating to minimum capital requirements.
>
>
>
> This email proposes a possible second Financial Responsibility requirement
> for preliminary discussion – in this case, greater potential liability
> among CAs to their customers and relying parties for certificate
> mis-issuance.
>
>
>
> The BRs and EV Guidelines include a number of sections relating to CA
> liability:
>
>
>
> Required Warranties to Subscribers (BR Sec. 7, EVGL Sec. 7)
>
>
>
> Liability to Subscribers and Relying Parties (BR 18.1, EVGL 18)
>
>
>
> Permitted **Limitation of Liability** to Subscribers and Relying Parties
> (BR 18.1, EVGL 18)
>
>
>
> Indemnification of Application Software Suppliers (BR 18.2)
>
>
>
> The required warranties under the BRs and EVGL are somewhat different.
> However, the Liability / Limitation of Liability sections of the BRs and
> EVGL are basically the same *except* that the BRs allow the CA to limit
> its general liability to subscribers and relying parties to -$ZERO-, while
> the EVGL do not allow CAs to limit their general liability to less than
> *$2,000* per certificate.  Here is how EVGL 18 reads:
>
>
>
> *EVGL Section 18. Liability and Indemnification*
>
>
>
> CAs MAY limit their liability as described in Section 18 of the Baseline
> Requirements *except that a CA MAY NOT limit its liability to Subscribers
> or Relying Parties for legally recognized and provable claims to a monetary
> amount less than two thousand US dollars ($2,000)* per Subscriber or
> Relying Party *per EV Certificate*.
>
>
>
> *Here is what I would propose* for discussion in the Forum as a possible
> second Financial Responsibility ballot:
>
>
>
> · Change Section 18 of the Baseline Requirements so that the
> current $2,000 minimum liability figure for EV certificates applies to
> *all* types of certs (DV, OV, EV, and any other type of cert covered by
> the BRs).  This means that CAs could no longer limit their general
> liability for DV and OV certs to $0.
>
>
>
> I think the reasons for this proposed change are self-evident – it means
> that all CAs are financially responsible for all their certificate
> offerings (not just EV certs).  This rule change would not create any new
> basis for CA legal liability – CAs would only be liable to subscribers and
> relying parties if applicable national law says they are liable, the same
> as today.  However, the change would prohibit CAs from disclaiming *all*
> liability for the DV and OV certs they issue.  Today, most CAs say their
> liability for DV and OV certs is capped at $0; after this ballot, that
> figure would be $2,000 or any higher figure the CA chooses.
>
>
>
> There have been very few claims against CAs over the past 10-15 years that
> I’m aware of, and some CAs already offer extra warranty protection.  But
> this potential ballot would be a way of making CAs step up and take at
> least some potential general liability for all their products, which is a
> good thing for the public and add to financial responsibility.
>
>
>
> As a side benefit, I believe CAs could also get some good media coverage
> from a step like this (we would deserve it), and a BR change may help the
> public to value digital certificates more if they know CAs have agreed to
> be financially responsible for their products.
>
>
>
> Any preliminary comments?
>
>
>
> *Kirk R. Hall*
>
> Operations Director, Trust Services
>
> Trend Micro
>
> +1.503.753.3088