[cabfpub] Pre-ballot on Insurance and Financial Responsibility

Ryan Sleevi sleevi at google.com
Tue Nov 25 23:30:35 UTC 2014


Hi Kirk,

I don't see how this addresses the root concern, which is establishing
liability.

You focus on disclaiming liability for valid claims, but you fail to
identify what is a valid claim. This is hidden in the "legally recognized
and provable claims" language that retains its (effectively unworkable)
ambiguity.

For example, many CP/CPS disclaim liability if the RP application did not
perform (CRL, OCSP) checking in hard fail mode. CAs hopefully realize why
this would be unacceptable for browsers to deploy, and indeed none do, but
it has the effect of eliminating the CA's obligations of liability due to
the fact that the client failed to meet the CA's definition of liability.

Likewise, most CP/CPSes restrict liability to financial transactions. As I
discussed in great detail previously, on our calls and via email, this
allows a CA to disclaim liability if user's password is compromised due to
a misissuance, and that compromised password used on some secondary site to
perform a financial transaction. This indirection through a secondary site
allows CAs to argue the liability is on the secondary site for not having
stronger password controls, such as mandatory rotation or two factor auth.

As such, while I greatly appreciate your efforts to continue to explore
this, it still falls short of addressing the many concerns with the
liability provisions in general, and the "actual security" provided by this
is equivalent to the security provided by OCSP in soft fail - that is, no
value at all, except from the most ignorant of (attacker, CA). Which is not
much at all.

On Nov 26, 2014 12:14 AM, "kirk_hall at trendmicro.com" <kirk_hall at trendmicro.com> wrote:

> Here is the pre-ballot I have been working on for several weeks to
> replace the existing EV insurance requirements with new financial
> responsibility provisions. (Gerv, I just noticed you also have a
> pre-ballot – please take a look at this one as well.)
>
> As you know, Trend Micro was the first to suggest the existing EVGL
> insurance requirements didn’t make much sense in terms of making sure CAs
> were financially responsible for their product (certificates) and making
> sure CAs were financially capable of dealing with certificate mis-issuance,
> a breach, and/or possible termination expenses.
>
> In recent emails, I suggested two possible substitutes for mandatory CA
> insurance:
>
> 1. Minimum capital requirements (similar to the measurements we already
> have at the end of current EVGL Sec. 8.4 on insurance) – I’m still working
> on that proposal, and will come back with something shortly.
>
> 2. Making CAs potentially liable for certificate mis-issuance for all
> their certs – DV, OV, and EV – not just for EV certs. This proposal is
> very simple, and is included in the attached pre-ballot.
>
> Today, CAs can disclaim (deny) their legal liability for DV and OV certs
> all the way to zero – meaning, even if they are found liable by a court for
> damages to customers and relying parties for mis-issued certificates, they
> can avoid making any payments to anyone. That’s just plain wrong. The EV
> Guidelines presently allow CAs to limit what they pay to customers and
> relying parties for mis-issued certificates to $2,000 – that’s too low,
> considering all the potential risks to the public.
>
> The attached pre-ballot simply raises the potential liability cap to
> $10,000 for mis-issued EV certs, and requires that CAs potentially be
> liable up to $5,000 for mis-issued OV certs and $2,000 for mis-issued DV
> certs. This recognizes the different levels of verification that are
> applied to each type of cert.
>
> *Please note*: This ballot does *not* create or impose legal liability
> on any CA – that already exists under applicable national law. What the
> ballot does is say that a CA must be willing to back up whatever legal
> liability it has by some amount of money, and can’t just say to customers
> and relying parties who have valid legal claims for damages “Too bad, I’m
> not going to pay you anything.” We do, however, allow CAs to cap their
> liability at the $2,000 / $5,000 / $10,000 per cert levels, which would
> help keep aggregate damage claims within an overall limit.
>
> We have done so many other things to avoid and detect certificate
> mis-issuance (e.g., the Network and Certificate Systems Security
> Requirements, Certificate Transparency, etc.) that this is a natural
> extension of that effort – and it will reinforce the value of SSL
> certificates from trusted CAs.
>
> Several CAs I’ve consulted with already support these three liability
> levels. I’d be happy for endorsers for this pre-ballot.
>
> *Kirk R. Hall*
> Operations Director, Trust Services
> Trend Micro
> +1.503.753.3088
>
> *****
>
> *Pre-Ballot on Insurance and Financial Responsibility*
>
> 1. EV Guideline 8.4 is deleted.
>
> 2. EV Guideline Section 18 is amended to read as follows:
>
> *18. Liability and Indemnification*
>
> CAs MAY limit their liability as described in Section 18 of the Baseline
> Requirements except that a CA MAY NOT limit its liability to Subscribers or
> Relying Parties for legally recognized and provable claims to a monetary
> amount less than two *ten* thousand US dollars per Subscriber or Relying
> Party per EV Certificate.
>
> A CA's indemnification obligations and a Root CA’s obligations with
> respect to subordinate CAs are set forth in the Baseline Requirements.
>
> 3. Baseline Requirements Section 18.1 is amended to read as follows:
>
> *18.1 Liability to Subscribers and Relying Parties*
>
> If the CA has issued and managed the Certificate in compliance with these
> Requirements and its Certificate Policy and/or Certification Practice
> Statement, the CA MAY disclaim liability to the Certificate Beneficiaries
> or any other third parties for any losses suffered as a result of use or
> reliance on such Certificate beyond those specified in the CA's Certificate
> Policy and/or Certification Practice Statement. If the CA has not issued or
> managed the Certificate in compliance with these Requirements and its
> Certificate Policy and/or Certification Practice Statement, the CA MAY seek
> to limit its liability to the Subscriber and to Relying Parties, regardless
> of the cause of action or legal theory involved, for any and all claims,
> losses or damages suffered as a result of the use or reliance on such
> Certificate by any appropriate means that the CA desires. If the CA chooses
> to limit its liability for Certificates that are not issued or managed in
> compliance with these Requirements or its Certificate Policy and/or
> Certification Practice Statement, then the CA SHALL include the limitations
> on liability in the CA’s Certificate Policy and/or Certification Practice
> Statement. *Notwithstanding the foregoing, a CA MAY NOT limit its
> liability to Subscribers or Relying Parties for legally recognized and
> provable claims to a monetary amount less than two thousand US dollars per
> Subscriber or Relying Party per DV Certificate or less than five thousand
> US dollars per Subscriber or Relying Party per OV Certificate*.