Eddy Nigg wrote:
> On 12/02/2008 11:24 PM, Ian G:
>> Liability: this is a huge issue that all should look towards. CAs set
>> liability to zero, approximately, in general. Mozilla should do the
>> same. Once this is done, it removes a false barrier that we keep
>> tripping over; and we can better add value once it is gone.
> Ian, keep saying that there is no liability doesn't make it the truth.
I never said there was no liability! I said they set the liability to
zero. There is a bit of a difference, and these differences matter.
(Actually, you are right, I should be more careful. The full claim I
make is that the CAs set their _expected liability_ to zero, which more
clearly makes the point that there is what we could call "residual
liability" or "undisclaimable liability.")
> There is liability in various ways, be it by law or otherwise. Even
> Mozilla has a liability even if it declines it. Gross negligence and
> other intent are always pursuable. Corporations protect themselves
> against such events of failure, including CAs.
Yes, indeed.
> Your intentions are rather obvious! But I have no intention of discussing
> them right now; I'll do that in due time should the need for it arise.
> Just stop beating this drum - there is no false barrier, but perhaps a
> barrier affecting your doings elsewhere! Denying it doesn't make it go
> away...
Please present your alternate theory!
Here is my theory: CAs set the expected liability to zero (see the
caveat above). They do this by a number of techniques, which are
sometimes documented and sometimes not. Proof:
* liability discussions in the EV guidelines.
* RPAs for most CAs
Assuming that as the general rule, and recalling that the browsers are
the ones who have a contractual or agreement-based relationship with the
users, the browsers are the ones who would be the first port of call for
any claims.
Now, Mozilla already disclaims its general liability, to zero, in its
agreement, from what I recall. The issue is that it doesn't explicitly
state that for certs. It should, IMO, to defend itself, and to present
to the users a fair and accurate story: certs may help you, but there
is no monetary liability to be expected.
(You might fairly ask whether it needs to disclaim explicitly for certs,
having disclaimed for "all" ... that's another debate.)
The benefit for all CAs is that when the user is presented a unified
zero-liability-without-explicit-agreement position by the browser as
well as the CA, then all can much better build their structure -- and
deliver better security -- with less fear that a judge will rule them
liable in a class-action case.
By way of example, you probably aren't allowed to read this, and I'm
probably not allowed to post this:
YOU MUST READ THIS RELYING PARTY AGREEMENT ("AGREEMENT") BEFORE
VALIDATING A VERISIGN CERTIFICATE, USING VERISIGN'S ONLINE CERTIFICATE
STATUS PROTOCOL ("OCSP") SERVICES, ACCESSING OR USING A VERISIGN OR
VERISIGN AFFILIATE DATABASE OF CERTIFICATE REVOCATIONS OR RELYING ON ANY
VERISIGN CERTIFICATE-RELATED INFORMATION (COLLECTIVELY, "VERISIGN
INFORMATION"). IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, DO
NOT SUBMIT A QUERY AND DO NOT DOWNLOAD, ACCESS, OR RELY ON ANY VERISIGN
INFORMATION. IN CONSIDERATION OF YOUR AGREEMENT TO THESE TERMS, YOU ARE
ENTITLED TO USE VERISIGN INFORMATION AS SET FORTH HEREIN.
That's so strict as to disclaim liability. In a document, with you,
the user. But this clashes with the notion that Mozilla distributes the
root to users! That particular issue would not be so pernickety if
there were a general industry standard that zero liability was set,
generally, towards the remote end-user, unless the user had entered into
a specific agreement.
iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto