[cabfpub] Limitation of Liability and Indemnification

Ryan Sleevi sleevi at google.com
Tue Oct 24 00:12:04 UTC 2017


I would say countless companies have spent millions of dollars due to
misissued certificates.

In either event, I think the suggestion of increasing liability needs only
look at the way in which CAs use the liability requirements to attempt to
impose privacy-harming or unreasonable expectations (such as manual
examination of the certificate chain, as I have seen required in CP/CPSes).
I certainly don't think we should be increasing it - especially given that
it is a tiger-repelling rock.

On Mon, Oct 23, 2017 at 1:37 PM, Phillip <philliph at comodo.com> wrote:

> Has anyone ever established a loss as a result of a mis-issued certificate?
>
>
>
> The point of insurance is that an insurer is like an auditor except that
> they have skin in the game. An auditor rarely suffers as a result of a
> negligent audit. Arthur Andersen survived Sunbeam, DeLorean and numerous
> others before Enron sunk them. An insurer is required to back their
> assessment of risk with actual dollars.
>
>
>
> Nothing gives perfect security but insurance is a tool we need to learn
> how to use as an industry.
>
>
>
>
>
> *From:* Public [mailto:public-bounces at cabforum.org] *On Behalf Of *Ryan
> Sleevi via Public
> *Sent:* Monday, October 23, 2017 11:26 AM
> *To:* Gervase Markham <gerv at mozilla.org>
> *Cc:* CA/Browser Forum Public Discussion List <public at cabforum.org>;
> Virginia Fournier <vfournier at apple.com>
> *Subject:* Re: [cabfpub] Limitation of Liability and Indemnification
>
>
>
>
>
>
>
> On Mon, Oct 23, 2017 at 10:54 AM, Gervase Markham <gerv at mozilla.org>
> wrote:
>
> On 23/10/17 14:55, Ryan Sleevi wrote:
> > I don't believe this is correct or supported by fact, Gerv, nor
> > supported by the limits of liability if you review CA's CP/CPS.
>
> I'm not sure what you mean. If you mean the limits I'm suggesting are
> currently not offered by CAs, well of course they aren't.
>
>
>
> No, I mean both with respect to the misissuance of EV (I can think of
> several CAs that have done so) and to the terms of claiming liability (I
> encourage you to read the CP/CPSes of those who have).
>
>
>
> I'm curious whether there has ever been a successful claim of liability.
> Certainly, the claims of insurance to date have been rejected.
>
>
>
> > We are very much opposed to increasing liability, and I'm surprised to
> > see Mozilla advocating it, given its past votes to abolish liability
> > requirements from EV given the practical challenges they face.
>
> Reminder?
>
> You mean Google sees CA liability for misissuance as a paper tiger?
>
>
>
> Ballot 141 - https://cabforum.org/2015/01/19/ballot-141-elimination-
> ev-insurance-requirement-financial-responsibility-mis-issued-certificates/
> - and Ballot 142 - https://cabforum.org/2015/01/19/ballot-142-elimination-
> ev-insurance-requirement/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171023/e96761e9/attachment-0003.html>


More information about the Public mailing list