[cabfpub] Limitation of Liability and Indemnification

Kirk Hall Kirk.Hall at entrustdatacard.com
Sat Oct 21 23:12:05 UTC 2017


You have stated the situation well, Peter.

Right now, the EVGL say a CA may limit its liability for a bad EV cert to $2,000 per subscriber or relying party, but in an extreme case there could be 500,000 valid claims for $2,000 each, or $1 billion in damages – tough on some CAs.

The draft ballot continues to allow a CA to limit liability for a bad EV cert to $2,000 per subscriber or relying party, but ALSO allows the CA to limit aggregate liability from all claims from a single bad EV cert to $100,000, AND ALSO allows a CA to limit liability in the aggregate for all claims during a 12 month period for all bad EV certs from all subscribers or relying parties to $5,000,000 (assuming a massive failure in the CA’s EV operations).  Imposing these limits is optional for the CA, who can mix and match the options – but a CA can’t choose lower numbers for any one of these limits.

You are noting there is another alternative, which to eliminate the EVGL paragraph on liability altogether.  That would allow a CA to say “Our liability for a bad EV cert is $0 to any subscriber or relying party and $0 dollars in the aggregate for all bad EV cert we ever issue in the history of our company.”  Some CAs use language like this for their DV and even OV certs.

When we drafted the EV Guidelines, we wanted to make EV certs “better” for users than DV and OV, and we as CAs wanted to demonstrate our confidence in the security of EV certs by putting our money where our work was – in the EV certs.  So from a personal standpoint, I’d don’t want to delete the current liability section of the EVGL entirely (which would allow a CA to choose $0 liability for EV certs) – I think Ben’s ballot is the better approach.  It correctly deals with the current “unlimited aggregate liability” problem in the existing EVGL language, but still makes CAs financially responsible for bad EV certs that actually cause financial harm to subscribers and relying parties.

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen via Public
Sent: Saturday, October 21, 2017 12:33 PM
To: Wayne Thayer <wthayer at godaddy.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>; Virginia Fournier <vfournier at apple.com>; Moudrick M. Dadashov <md at ssc.lt>
Subject: [EXTERNAL]Re: [cabfpub] Limitation of Liability and Indemnification

Echoing Wayne, my understanding is that this is not directly about relying parties and/or subscribers, rather it sets rules around what a CA may include in their agreements.

The current text in the EV Guidelines says:

"CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per EV Certificate.”

Based on the prior comments from Moudrick and others, we suggest adding two new sentences at the end to make it clearer how things can be combined.

"CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per EV Certificate.  Notwithstanding the foregoing, a CA MAY limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to an amount equal to, or greater than (1) one hundred thousand US dollars – aggregated across all claims, Subscribers, and Relying Parties – per EV Certificate or (2) five million US dollars – aggregated across all claims, Subscribers, and Relying Parties – for all EV Certificates issued by the CA during any continuous 12 month period. These limitations are notwithstanding anything in the Baseline Requirements purportedly to the contrary."

On the other hand, if there is agreement that this paragraph is unnecessary or has no effect, then I suggest that we amend this ballot to simply remove the whole paragraph.

Thanks,
Peter


On Oct 12, 2017, at 3:41 PM, Wayne Thayer via Public <public at cabforum.org<mailto:public at cabforum.org>> wrote:

Virginia,

As Ryan stated, this requirement is about constraining the liability limits that CAs are allowed to place  in their SA/RPA(s). If the CA isn’t permitted to enter in to an agreement with a liability limit lower than what is specified by the CA/B Forum and enforced by the root programs via audits, then I fail to see how these limitations ‘are not required’?

Thanks,

Wayne

From: Public <public-bounces at cabforum.org<mailto:public-bounces at cabforum.org>> on behalf of Virginia Fournier via Public <public at cabforum.org<mailto:public at cabforum.org>>
Reply-To: Virginia Fournier <vfournier at apple.com<mailto:vfournier at apple.com>>, CA/Browser Forum Public Discussion List <public at cabforum.org<mailto:public at cabforum.org>>
Date: Thursday, October 12, 2017 at 3:21 PM
To: "Moudrick M. Dadashov" <md at ssc.lt<mailto:md at ssc.lt>>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org<mailto:public at cabforum.org>>
Subject: Re: [cabfpub] Limitation of Liability and Indemnification

MD,

If you can get the Relying Parties and Subscribers to sign the agreement with the limitations of liability and indemnification in it, then they are bound.  But the rest does not require them to agree to those provisions.  It’s entirely up to the Relying Parties and Subscribers to decide whether they accept those provisions or not.

If you have any additional questions, you should discuss with your counsel.

Given that the limitations are not required, is there a need to proceed with this ballot?






Best regards,

Virginia Fournier
Senior Standards Counsel
 Apple Inc.
☏ 669-227-9595
✉︎ vmf at apple.com<mailto:vmf at apple.com>





On Oct 12, 2017, at 3:11 PM, Moudrick M. Dadashov <md at ssc.lt<mailto:md at ssc.lt>> wrote:

How about:

BR/EVG --> Webtrust/ETSI schemes --> Root Store schemes --> Audit report --> CP/CPS --> Binding RPA/Subscriber Agreement

Thanks,
M.D
On 10/13/2017 12:58 AM, Ryan Sleevi via Public wrote:


On Thu, Oct 12, 2017 at 5:38 PM, Virginia Fournier via Public <public at cabforum.org<mailto:public at cabforum.org>> wrote:
Message: 3
Date: Fri, 13 Oct 2017 00:18:33 +0300
From: "Moudrick M. Dadashov" <md at ssc.lt<mailto:md at ssc.lt>>
To: Virginia Fournier via Public <public at cabforum.org<mailto:public at cabforum.org>>
Subject: Re: [cabfpub] Limitation of Liability and Indemnification
Message-ID: <3b9e4544-5b18-7535-c712-1cf544d7d8c5 at ssc.lt<mailto:3b9e4544-5b18-7535-c712-1cf544d7d8c5 at ssc.lt>>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Could you please explain why you think BR and EV Requirements are only
binding on members of the Forum?

Thanks,
M.D.

Hi M.D.

I can see why this would be hard to understand.

Entities who are not members of the Forum have nothing that would legally bind them to abide by those limitations.  They aren’t members, so they aren’t bound by any of the Forum documents - Bylaws, Baseline Requirements, etc.  They don’t have a written agreement with the Forum to abide by certain requirements, so they’re not bound that way either.

Members of the Forum also aren't bound to abide by the Baseline Requirements.

Given this, does that resolve your concern?

The best way to make the limitations binding on the Subscribers, Relying Parties, etc. would be for the CAs to enter into agreements with those parties, and try to get them to agree to the limitations.  But, again, they could just ignore the limitations.

Perhaps phrased differently - the BRs describe what such agreements MUST and SHOULD contain. This is allowing a further modification (a MAY) to such agreements. The enforcement and requirement that CAs agreements do or do not contain such provisions is done by the root stores that individual CAs partner with - not by the Forum.

No member of the Forum is bound to abide by the Baseline Requirements by the Forum. The only document any member is bound to is to the IPR policy (as per the mutual contracts signed).






_______________________________________________

Public mailing list

Public at cabforum.org<mailto:Public at cabforum.org>

https://cabforum.org/mailman/listinfo/public


_______________________________________________
Public mailing list
Public at cabforum.org<mailto:Public at cabforum.org>
https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171021/6ad1e89d/attachment-0003.html>


More information about the Public mailing list