[cabfpub] Limitation of Liability and Indemnification

Moudrick M. Dadashov md at ssc.lt
Thu Oct 12 14:18:33 MST 2017


Could you please explain why you think BR and EV Requirements are only 
binding on members of the Forum?

Thanks,
M.D.


On 10/13/2017 12:08 AM, Virginia Fournier via Public wrote:
> Hi all,
>
> I want to weigh in on this from a legal perspective.
>
> The limitations on liabilities and indemnification provisions included in the Baseline Requirements and the EV Requirements are only binding on members of the Forum.  In other words, these limitations are not binding on parties such as Subscribers and Relying Parties, and they do not have to accept the stated amounts.
>
> So, CAs can try to obtain the limitations you’ve enumerated below, but they do not have to be accepted.  For example, a Subscriber could demand an unlimited liability, and the CA would have to decide how to proceed.
>
> Also, what is “legally recognizable and provable claims” intended to cover, or exclude?
>
>
> Best regards,
>
> Virginia Fournier
> Senior Standards Counsel
>  Apple Inc.
> ☏ 669-227-9595
> ✉︎ vmf at apple.com
>
>
>
>
>
>
> On Oct 12, 2017, at 11:33 AM, public-request at cabforum.org wrote:
>
> Message: 1
> Date: Thu, 12 Oct 2017 21:33:18 +0300
> From: "Moudrick M. Dadashov" <md at ssc.lt>
> To: Ben Wilson <ben.wilson at digicert.com>, CA/Browser Forum Public
> 	Discussion List <public at cabforum.org>
> Subject: Re: [cabfpub] Pre-Ballot 209 EV Liability
>
>
>
> Hi Ben, yes, much better... thanks!
> M.D.
>
>
>
> -------- Original message --------
> From: Ben Wilson <ben.wilson at digicert.com>
> Date: 10/12/17  21:27  (GMT+02:00)
> To: "Moudrick M. Dadashov" <md at ssc.lt>, CA/Browser Forum Public Discussion List <public at cabforum.org>
> Subject: RE: [cabfpub] Pre-Ballot 209 EV Liability
>
> Moudrick and others,
>
> Is the following proposed change to section 18 of the EV Guidelines more clear?
>
> 18. Liability and Indemnification
>
> CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than one or any combination of the following:
>
> (1) two thousand US dollars ($2,000) - per Subscriber or Relying Party per EV Certificate;
> (2) one hundred thousand US dollars ($100,000) - aggregated across all claims, Subscribers, and Relying Parties - per EV Certificate; or
> (3) five million US dollars ($5,000,000) - aggregated across all claims, Subscribers, and Relying Parties - for all EV Certificates issued by the CA during any continuous 12-month period.
>
> Thanks,
>
> Ben
>
> From: Moudrick M. Dadashov [mailto:md at ssc.lt]
> Sent: Wednesday, July 26, 2017 2:32 PM
> To: Ben Wilson <ben.wilson at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
> Subject: Re: [cabfpub] Pre-Ballot 209 EV Liability
>
> Thanks, Ben.
>
> Assuming that any combination (of 1,2, 3) or no combination at all would be acceptable, could we add something like "at least one or any combination of following" so that it is explicitly clear?
>
> Thanks,
> M.D.
>
> CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than:
>
> On 7/26/2017 5:12 AM, Ben Wilson wrote:
>
> Rather than tack on these two additional limits, what if it were simplified to read:
>
> CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than:
>
> (1) two thousand US dollars per Subscriber or Relying Party per EV Certificate;
> (2) one hundred thousand US dollars - aggregated across all claims, Subscribers, and Relying Parties - per EV Certificate; and/or
> (3) five million US dollars - aggregated across all claims, Subscribers, and Relying Parties - for all EV Certificates issued by the CA during any continuous 12-month period.
>
> These limitations are notwithstanding anything in the Baseline Requirements purportedly to the contrary.
>
> A CA's indemnification obligations and a Root CA's obligations with respect to subordinate CAs are set forth in Section 9.9 of the Baseline Requirements.
>
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson via Public
> Sent: Tuesday, July 25, 2017 6:37 PM
> To: Moudrick M. Dadashov <md at ssc.lt>; CA/Browser Forum Public Discussion List <public at cabforum.org>
> Subject: Re: [cabfpub] Pre-Ballot 209 EV Liability
>
> Would this work?
>
> Notwithstanding the foregoing, a CA MAY limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to not less than: (1) one hundred thousand US dollars - aggregated across all claims, Subscribers, and Relying Parties - per EV Certificate; and/or (2) five million US dollars - aggregated across all claims, Subscribers, and Relying Parties - for all EV Certificates issued by the CA during any continuous 12-month period. These limitations are notwithstanding anything in the Baseline Requirements purportedly to the contrary.
>
> From: Moudrick M. Dadashov [mailto:md at ssc.lt]
> Sent: Tuesday, July 25, 2017 5:48 PM
> To: Ben Wilson <ben.wilson at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
> Subject: Re: [cabfpub] Pre-Ballot 209 EV Liability
>
> Would you mind to show how it would sound now? :)
>
> Thanks,
> M.D.
>
> On 7/26/2017 2:14 AM, Ben Wilson wrote:
>
> And it should be an "and" or a "but", but rephrased nevertheless.
>
> Ben Wilson, JD, CISA, CISSP
> VP Compliance
> +1 801 701 9678
>
> From: Ben Wilson
> Sent: Tuesday, July 25, 2017 5:11 PM
> To: Ben Wilson <ben.wilson at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>; Moudrick M. Dadashov <md at ssc.lt>
> Subject: RE: [cabfpub] Pre-Ballot 209 EV Liability
>
> Never mind - I think I now see your point. Not "up to" it needs to be "not less than $5 million." Would that make it clearer?
>
> Ben Wilson, JD, CISA, CISSP
> VP Compliance
> +1 801 701 9678
>
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson via Public
> Sent: Tuesday, July 25, 2017 5:10 PM
> To: Moudrick M. Dadashov <md at ssc.lt>; CA/Browser Forum Public Discussion List <public at cabforum.org>
> Subject: Re: [cabfpub] Pre-Ballot 209 EV Liability
>
> It's permissive - a CA MAY limit its liability. Maybe we should say "up to $5 million". Then, would that be clearer - that it can be less than $5 million?
>
> Ben Wilson, JD, CISA, CISSP
> VP Compliance
> +1 801 701 9678
>
> From: Moudrick M. Dadashov [mailto:md at ssc.lt]
> Sent: Tuesday, July 25, 2017 4:35 PM
> To: Ben Wilson <ben.wilson at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
> Subject: Re: [cabfpub] Pre-Ballot 209 EV Liability
>
> With "and" I don't see it's optional.
>
> Again, just to understand the model: is per EV certificate amount is NOT fixed whereas 12-month continuous amount is the only option ($5 mln.)?
>
> Thanks,
> M.D.
>
> On 7/26/2017 1:28 AM, Ben Wilson wrote:
>
> All of the provisions would provide optional caps that CAs could place on EV liability. The 12-month $5 Million cap allows a CA to cap all EV liability to all those EV certificates issued within a single year.
>
> Ben Wilson, JD, CISA, CISSP
> VP Compliance
> +1 801 701 9678
>
> From: Moudrick M. Dadashov [mailto:md at ssc.lt]
> Sent: Tuesday, July 25, 2017 4:24 PM
> To: Ben Wilson <ben.wilson at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
> Subject: Re: [cabfpub] Pre-Ballot 209 EV Liability
>
> Ok. Do I understand the intention correctly: to have a "floating liability" amount per EV certificate and "fixed liability" amount per continuous 12-month period?
>
> Thanks,
> M.D.
>
> On 7/26/2017 1:10 AM, Ben Wilson wrote:
>
> No. Because they MAY do both. An "or" would mean that they have to choose between the two, which isn't the intent.
>
> Ben Wilson, JD, CISA, CISSP
> VP Compliance
> +1 801 701 9678
>
> From: Moudrick M. Dadashov [mailto:md at ssc.lt]
> Sent: Tuesday, July 25, 2017 4:09 PM
> To: Ben Wilson <ben.wilson at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
> Subject: Re: [cabfpub] Pre-Ballot 209 EV Liability
>
> Hi Ben,
>
> could it be "or" between (1) and (2)?
>
> Thanks,
> M.D.
>
> On 7/25/2017 11:59 PM, Ben Wilson via Public wrote:
>
> Here is another pre-ballot for discussion.
>
> Ballot 209 - EV Liability
>
> In Section 18 of the EV Guidelines, add the following sentences to the end of the first paragraph:
>
> Notwithstanding the foregoing, a CA MAY limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to: (1) one hundred thousand US dollars - aggregated across all claims, Subscribers, and Relying Parties - per EV Certificate; and (2) five million US dollars - aggregated across all claims, Subscribers, and Relying Parties - for all EV Certificates issued by the CA during any continuous 12-month period. These limitations are notwithstanding anything in the Baseline Requirements purportedly to the contrary.
>
> Such that Section 18 of the EV Guidelines would read:
>
> CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per EV Certificate. Notwithstanding the foregoing, a CA MAY limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to: (1) one hundred thousand US dollars - aggregated across all claims, Subscribers, and Relying Parties - per EV Certificate; and (2) five million US dollars - aggregated across all claims, Subscribers, and Relying Parties - for all EV Certificates issued by the CA during any continuous 12-month period. These limitations are notwithstanding anything in the Baseline Requirements purportedly to the contrary.
>
> A CA's indemnification obligations and a Root CA's obligations with respect to subordinate CAs are set forth in Section 9.9 of the Baseline Requirements.
>
> Ben Wilson, JD, CISA, CISSP
> VP Compliance
> +1 801 701 9678
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
