[cabfpub] Limitation of Liability and Indemnification

Ryan Sleevi sleevi at google.com
Mon Oct 23 13:55:12 UTC 2017

On Mon, Oct 23, 2017 at 2:37 AM, Gervase Markham via Public <
public at cabforum.org> wrote:

> On 22/10/17 00:12, Kirk Hall via Public wrote:
> > The draft ballot continues to allow a CA to limit liability for a bad EV
> > cert to $2,000 per subscriber or relying party, but ALSO allows the CA
> > to limit aggregate liability from all claims from a single bad EV cert
> > to $100,000
> I can see why a CA might want this to make it easier to get insurance,
> as the liability is not unlimited. But the $100,000 figure in particular
> seems low to me. In fact, as does the $2,000 per subscriber. If someone
> has suffered significant harm, why should they not be able to claim more
> than $2,000?
> I'd like to see figures like:
> Per-subscriber: $50,000
> Per-cert: $1M
> Per-incident: $5M
> This still leaves the same per-incident cap, and so the same theoretical
> maximum.
> EV is supposed to be a solid, validated cert. In 10 years we have,
> AFAIK, had no confirmed cases of misissuance. The amounts available
> should reflect CAs' confidence in the vetting.

I don't believe this is correct or supported by fact, Gerv, nor supported
by the limits of liability if you review CA's CP/CPS.

We are very much opposed to increasing liability, and I'm surprised to see
Mozilla advocating it, given its past votes to abolish liability
requirements from EV given the practical challenges they face.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171023/6f7761e8/attachment-0003.html>

More information about the Public mailing list