[cabf_validation] [EXTERNAL]Re: Change in liability for EV certificates

Kirk Hall Kirk.Hall at entrustdatacard.com
Mon Jun 5 22:30:52 MST 2017


Hmmm… still have my same concerns.  Normally, a limitation is for “all claims arising from or relating to” something.  Could you add that in?

Your language is as follows.  You say “a CA MAY limit its aggregate liability to***”.  My question is – its aggregate liability for what?  You do not specify.

This is still not very similar to typical insurance language / limitation of liability language.  Maybe we should all consult our risk management groups as well as our legal counsel.

Notwithstanding the foregoing, a CA MAY limit its aggregate liability to (1) five million US dollars – aggregated across all claims, Subscribers, and Relying Parties – for all EV Certificates issued by the CA during any continuous 12 month period and (2) one hundred thousand US dollars – aggregated across all claims, Subscribers, and Relying Parties – per EV Certificate.   These limitations are notwithstanding anything in the Baseline Requirements purportedly to the contrary.


From: Peter Bowen [mailto:pzb at amzn.com]
Sent: Monday, June 5, 2017 8:11 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Cc: CA/Browser Forum Validation WG List <validation at cabforum.org>; Ben Wilson <ben.wilson at digicert.com>; Ryan Hurst <rmh at google.com>; Moudrick M. Dadashov <md at ssc.lt>
Subject: Re: [EXTERNAL]Re: [cabf_validation] Change in liability for EV certificates

Kirk,

After conferring with my counsel, we proposed the following revised language:

18. Liability and Indemnification
CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per EV Certificate. Notwithstanding the foregoing, a CA MAY limit its aggregate liability to (1) five million US dollars – aggregated across all claims, Subscribers, and Relying Parties – for all EV Certificates issued by the CA during any continuous 12 month period and (2) one hundred thousand US dollars – aggregated across all claims, Subscribers, and Relying Parties – per EV Certificate.   These limitations are notwithstanding anything in the Baseline Requirements purportedly to the contrary.
A CA's indemnification obligations and a Root CA’s obligations with respect to subordinate CAs are set forth in Section 9.9 of the Baseline Requirements.
The additional sentence is to ensure that this language will not be inadvertently impacted by any future changes to the Baseline Requirements.  Any changes will have to update this section explicitly.

Moudrick, Ben, Ryan, anyone else: Would you endorse this revised language?

Thanks,
Peter

On Jun 3, 2017, at 8:49 AM, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:

Peter – my original formulation is a bit more like traditional insurance policy language (limits of liability) than yours – did you have a reason for the change?  What do other recovering lawyers on the list think?

Also, I’m concerned that putting all the different limits in a single sentence runs the risk of misinterpretation – might be better to keep separate.

Also, what is the reason for this sentence?  “These limitations are notwithstanding anything in the Baseline Requirements purportedly to the contrary.”

CAs MAY limit their liability as described in Section 18 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per EV Certificate.  CAs MAY limit their aggregate liability to all Subscribers and Relying Parties (1) for all claims arising from or relating to a single EV Certificate to an amount not less than $100,000, and (2) for all claims arising from or relating to all EV Certificates issued during any 12 month period to an amount not less than $5,000,000.


From: Peter Bowen [mailto:pzb at amzn.com]
Sent: Saturday, June 3, 2017 8:23 AM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>; Ben Wilson <ben.wilson at digicert.com>; Ryan Hurst <rmh at google.com>
Cc: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: [EXTERNAL]Re: [cabf_validation] Change in liability for EV certificates

Here is a revision of Version 2.
18. Liability and Indemnification
CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than the least of: (1) five million US dollars – aggregated across all claims, Subscribers, and Relying Parties –for all EV Certificates issued by the CA during any continuous 12 month period; (2) one hundred thousand US dollars – aggregated across all claims, Subscribers, and Relying Parties – per EV Certificate; and (3) two thousand US dollars per Subscriber or Relying Party per EV Certificate.  These limitations are notwithstanding anything in the Baseline Requirements purportedly to the contrary.
A CA's indemnification obligations and a Root CA’s obligations with respect to subordinate CAs are set forth in Section 9.9 of the Baseline Requirements.

I’ll put together a draft ballot if I can get a couple of endorsers.
Thanks,
Peter

On Jun 1, 2017, at 10:24 AM, Kirk Hall via Validation <validation at cabforum.org> wrote:

Here are two versions of what we discussed today.  Peter and Ben – do you want to take this and run with it?  You can create a draft ballot and put up for discussion on the next call June 8…


Version 1 – Aggregate Limit per EV Certificate Only

18. Liability and Indemnification

CAs MAY limit their liability as described in Section 18 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per EV Certificate.  CAs MAY limit their aggregate liability to all Subscribers and Relying Parties for all claims per EV Certificate to an amount not less than $100,000.

A CA's indemnification obligations and a Root CA’s obligations with respect to subordinate CAs are set forth in the Baseline Requirements.


Version 2 – Aggregate Limit per EV Certificate and All EV Certificates Issued in 12 Month Period

18. Liability and Indemnification

CAs MAY limit their liability as described in Section 18 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per EV Certificate.  CAs MAY limit their aggregate liability to all Subscribers and Relying Parties (1) for all claims arising from or relating to a single EV Certificate to an amount not less than $100,000, and (2) for all claims arising from or relating to all EV Certificates issued during any 12 month period to an amount not less than $5,000,000.

A CA's indemnification obligations and a Root CA’s obligations with respect to subordinate CAs are set forth in the Baseline Requirements.


_______________________________________________
Validation mailing list
Validation at cabforum.org
https://cabforum.org/mailman/listinfo/validation
