[cabfpub] Limitation of Liability and Indemnification

Gervase Markham gerv at mozilla.org
Sun Oct 22 23:37:53 MST 2017


On 22/10/17 00:12, Kirk Hall via Public wrote:
> The draft ballot continues to allow a CA to limit liability for a bad EV
> cert to $2,000 per subscriber or relying party, but ALSO allows the CA
> to limit aggregate liability from all claims from a single bad EV cert
> to $100,000

I can see why a CA might want this to make it easier to get insurance,
as the liability is not unlimited. But the $100,000 figure in particular
seems low to me. In fact, as does the $2,000 per subscriber. If someone
has suffered significant harm, why should they not be able to claim more
than $2,000?

I'd like to see figures like:

Per-subscriber: $50,000
Per-cert: $1M
Per-incident: $5M

This still leaves the same per-incident cap, and so the same theoretical
maximum.

EV is supposed to be a solid, validated cert. In 10 years we have,
AFAIK, had no confirmed cases of misissuance. The amounts available
should reflect CAs' confidence in the vetting.

Gerv

