[cabfpub] Second new BR on Financial Responsibility -- Limit on disclaimer of liability for DV and OV certs

Chema López González clopez at firmaprofesional.com
Wed Nov 19 08:43:03 UTC 2014


Thanks for the clarification. I do not know how it works in the USA but in
Spain, AFAIK, the following statement would be declared invalid if the
national law says CAs are liable: "Even if national law says we could be
liable for our mistakes, you agree that we don’t have to pay you anything
(we disclaim our liability to $0)."

I cannot believe that a private organization can jump national laws. It is
like a gun maker says "Even if national law says you cannot kill, you can
kill with our guns."

-- 
*Chema López*
*Project Manager - Technical Department*
*AC Firmaprofesional, S.A.*

Edificio ESADECREAPOLIS - 1B13
08173 Sant Cugat del Vallès, Barcelona.
T.  934 774 245
M. 666 429 224

2014-11-13 16:08 GMT+01:00 kirk_hall at trendmicro.com <
kirk_hall at trendmicro.com>:

> I should clarify – in the US at least, national law may say “A CA can be
> liable for mistakes”, but national law may ALSO say “But a CA may
> “disclaim” any responsibility for its liability to $0”.
>
> So CAs today often say in their CPS and Subscriber Agreements “Even if
> national law says we could be liable for our mistakes, you agree that we
> don’t have to pay you anything (we disclaim our liability to $0).”  The BRs
> allow this today.  The EV Guidelines today say that a CA can’t disclaim its
> liability “*for legally recognized and provable claims to a monetary
> amount less than two thousand US dollars ($2,000)* per Subscriber or
> Relying Party *per EV Certificate.*”
>
> I’m just suggesting we change the BRs to say the same thing about DV and
> OV certs as the EV Guidelines say about EV certs – CAs must accept $2,000
> liability, but can disclaim (avoid) liability for more than that.
>
> *From:* me at chemalogo.com [mailto:me at chemalogo.com] *On Behalf Of *Chema
> López González
> *Sent:* Thursday, November 13, 2014 5:28 AM
> *To:* Kirk Hall (RD-US)
> *Cc:* CABFPub (public at cabforum.org)
> *Subject:* Re: [cabfpub] Second new BR on Financial Responsibility --
> Limit on disclaimer of liability for DV and OV certs
>
> I do not see the point to this proposal. As you say, Kirk, if applicable
> national law says they are liable, clauses like "liability for DV and OV
> certs is $0" are declared invalid (not applicable), in case there is a
> lawsuit.
>
>
>
> BRs
>
>
> --
> *Chema López*
> *Project Manager - Technical Department*
> *AC Firmaprofesional, S.A.*
>
> Edificio ESADECREAPOLIS - 1B13
> 08173 Sant Cugat del Vallès, Barcelona.
> T.  934 774 245
> M. 666 429 224
>
> 2014-11-05 1:03 GMT+01:00 kirk_hall at trendmicro.com <
> kirk_hall at trendmicro.com>:
>
>
> In a previous email, I gave the background for two possible new Financial
> Responsibility Baseline Requirement rules relating to CA Financial
> Responsibility, and I offered a possible ballot in the previous email
> relating to minimum capital requirements.
>
> This email proposes a possible second Financial Responsibility requirement
> for preliminary discussion – in this case, greater potential liability
> among CAs to their customers and relying parties for certificate
> mis-issuance.
>
> The BRs and EV Guidelines include a number of sections relating to CA
> liability:
>
> Required Warranties to Subscribers (BR Sec. 7, EVGL Sec. 7)
>
> Liability to Subscribers and Relying Parties (BR 18.1, EVGL 18)
>
> Permitted **Limitation of Liability** to Subscribers and Relying Parties
> (BR 18.1, EVGL 18)
>
> Indemnification of Application Software Suppliers (BR 18.2)
>
> The required warranties under the BRs and EVGL are somewhat different.
> However, the Liability / Limitation of Liability sections of the BRs and
> EVGL are basically the same *except* that the BRs allow the CA to limit
> its general liability to subscribers and relying parties to -$ZERO-, while
> the EVGL do not allow CAs to limit their general liability to less than
> *$2,000* per certificate.  Here is how EVGL 18 reads:
>
> *EVGL Section 18. Liability and Indemnification*
>
> CAs MAY limit their liability as described in Section 18 of the Baseline
> Requirements *except that a CA MAY NOT limit its liability to Subscribers
> or Relying Parties for legally recognized and provable claims to a monetary
> amount less than two thousand US dollars ($2,000)* per Subscriber or
> Relying Party *per EV Certificate*.
>
>
>
> *Here is what I would propose* for discussion in the Forum as a possible
> second Financial Responsibility ballot:
>
> ·         Change Section 18 of the Baseline Requirements so that the
> current $2,000 minimum liability figure for EV certificates applies to
> *all* types of certs (DV, OV, EV, and any other type of cert covered by
> the BRs).  This means that CAs could no longer limit their general
> liability for DV and OV certs to $0.
>
> I think the reasons for this proposed change are self-evident – it means
> that all CAs are financially responsible for all their certificate
> offerings (not just EV certs).  This rule change would not create any new
> basis for CA legal liability – CAs would only be liable to subscribers and
> relying parties if applicable national law says they are liable, the same
> as today.  However, the change would prohibit CAs from disclaiming *all*
> liability for the DV and OV certs they issue.  Today, most CAs say their
> liability for DV and OV certs is capped at $0; after this ballot, that
> figure would be $2,000 or any higher figure the CA chooses.
>
> There have been very few claims against CAs over the past 10-15 years that
> I’m aware of, and some CAs already offer extra warranty protection.  But
> this potential ballot would be a way of making CAs step up and take at
> least some potential general liability for all their products, which is a
> good thing for the public and adds to financial responsibility.
>
> As a side benefit, I believe CAs could also get some good media coverage
> from a step like this (we would deserve it), and a BR change may help the
> public to value digital certificates more if they know CAs have agreed to
> be financially responsible for their products.
>
> Any preliminary comments?
>
>
> *Kirk R. Hall*
> Operations Director, Trust Services
> Trend Micro
> +1.503.753.3088
>
> TREND MICRO EMAIL NOTICE
> The information contained in this email and any attachments is confidential
> and may be subject to copyright or other intellectual property protection.
> If you are not the intended recipient, you are not authorized to use or
> disclose this information, and we request that you notify us by reply mail or
> telephone and delete the original message from your mail system.