[cabf_validation] [EXTERNAL]Re: Change in liability for EV certificates

Kirk Hall Kirk.Hall at entrustdatacard.com
Sat Jun 3 08:49:38 MST 2017


Peter – my original formulation is a bit more like traditional insurance policy language (limits of liability) than yours – did you have a reason for the change?  What do other recovering lawyers on the list think?

Also, I’m concerned that putting all the different limits in a single sentence runs the risk of misinterpretation – might be better to keep separate.

Also, what is the reason for this sentence?  “These limitations are notwithstanding anything in the Baseline Requirements purportedly to the contrary.”

CAs MAY limit their liability as described in Section 18 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per EV Certificate.  CA MAY limit their aggregate liability to all Subscribers and Relying Parties (1) for all claims arising from or relating to a single EV Certificate to an amount not less than $100,000, and (2) for all claims arising from or relating to all EV Certificates issued during any 12 month period to an amount not less than $5,000,000.


From: Peter Bowen [mailto:pzb at amzn.com]
Sent: Saturday, June 3, 2017 8:23 AM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>; Ben Wilson <ben.wilson at digicert.com>; Ryan Hurst <rmh at google.com>
Cc: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: [EXTERNAL]Re: [cabf_validation] Change in liability for EV certificates

Here is a revision of Version 2.

18. Liability and Indemnification

CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than the least of: (1) five million US dollars – aggregated across all claims, Subscribers, and Relying Parties – for all EV Certificates issued by the CA during any continuous 12 month period; (2) one hundred thousand US dollars – aggregated across all claims, Subscribers, and Relying Parties – per EV Certificate; and (3) two thousand US dollars per Subscriber or Relying Party per EV Certificate.  These limitations are notwithstanding anything in the Baseline Requirements purportedly to the contrary.

A CA's indemnification obligations and a Root CA’s obligations with respect to subordinate CAs are set forth in Section 9.9 of the Baseline Requirements.

I’ll put together a draft ballot if I can get a couple of endorsers.
Thanks,
Peter

On Jun 1, 2017, at 10:24 AM, Kirk Hall via Validation <validation at cabforum.org> wrote:

Here are two versions of what we discussed today.  Peter and Ben – do you want to take this and run with it?  You can create a draft ballot and put up for discussion on the next call June 8…


Version 1 – Aggregate Limit per EV Certificate Only

18. Liability and Indemnification

CAs MAY limit their liability as described in Section 18 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per EV Certificate.  CA MAY limit their aggregate liability to all Subscribers and Relying Parties for all claims per EV Certificate to an amount not less than $100,000

A CA's indemnification obligations and a Root CA’s obligations with respect to subordinate CAs are set forth in the Baseline Requirements.


Version 2 – Aggregate Limit per EV Certificate and All EV Certificates Issued in 12 Month Period

18. Liability and Indemnification

CAs MAY limit their liability as described in Section 18 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per EV Certificate.  CA MAY limit their aggregate liability to all Subscribers and Relying Parties (1) for all claims arising from or relating to a single EV Certificate to an amount not less than $100,000, and (2) for all claims arising from or relating to all EV Certificates issued during any 12 month period to an amount not less than $5,000,000.

A CA's indemnification obligations and a Root CA’s obligations with respect to subordinate CAs are set forth in the Baseline Requirements.

