Hi David,
On 24/12/08 02:23, David E. Ross wrote:
{long diatribe by iang on liability snipped}
> See the thread "Unbelievable" in this newsgroup.
> Now we have the situation in which Comodo allowed third-party CAs under
> its root to issue site certificates without proper authentication of the
> subscribers (e.g., whether they actually owned the domain). Apparently,
> Comodo failed to enforce its own CP/CPS with regard to the operation of
> external CAs for which Comodo signed their intermediate certificates.
That might be how it ends up being stated, sure.
> It is known that bogus site certificates did indeed result (at least for
> testing to determine if the situation was really happening).
Right, tested as possible, 2 certs.
> Now, what is Comodo's liability to consumers if any of those consumers
> were defrauded through this situation? I too am not an attorney.
None of us are attorneys, it seems.
I would expect that Comodo would say that their RPA sets the scene, the
baseline. I found this:
http://www.comodo.com/repository/
http://www.comodo.com/repository/docs/relying_party.html
Now, this might not be the right doc. But, let's assume it is, for
discussion purposes. In section 11, it says, rather cumbersomely:
====================
11.2 Subject to clause 11.1, Comodo shall not be liable to the Relying
Party whether in contract (including under any indemnity or warranty),
in tort (including negligence), under statute or otherwise for any loss
of profit, loss of revenue, loss of anticipated savings, loss or
corruption of data, loss of contract or opportunity or loss of goodwill
whether that loss is direct, indirect or consequential and if Comodo
shall be liable to the Relying Party in contract (including under any
indemnity or warranty), in tort (including negligence), under statute or
otherwise, Comodo's maximum liability to the Relying Party for SSL
Certificates shall be limited to
11.2.1 $0.01 for a TrialSSL Certificate, and
11.2.2 $50 for an InstantSSL Certificate, and
11.2.3 $2500 for an InstantSSL Pro Certificate, and
11.2.4 $10,000 for a PremiumSSL Certificate and PremiumSSL Wildcard
Certificate, and
====================
Amongst other things... If I read this right, it says in simple terms:
*CA is not liable*. For anything we can think of.
And, if it is found liable (by a court?), the following applies
$0.01 for a Trial, and
$50 for an InstantSSL, and
$2500 for a Pro, and
$10,000 for a Premium, and...
(Yeah, I heavily edited that for readability and to make my point.)
> However, it seems to me that any denial of liability by Comodo might be
> nullified by its failure to enforce its published policies.
This is one of those really difficult questions that can only be
answered in a real court case. Which has never happened. All we can
do, as armchair generals, is express opinions as to our current
understanding of how that court case might unfold.
My opinion is that it would be tough. Pointwise:
1. The RPA document is clear enough, and the user hasn't got much of
anything else as a document. 1.b I would be surprised if the CPS added
anything of benefit to the user, although I haven't looked. 1.c the
RPA does not say liability is higher if the CA mucks up, however expressed.
2. The user would have to claim that there was another agreement or
understanding than the above, that has some standing.
3. As the user hasn't paid anything, the user's standing is not strong.
4. Nobody else is standing up and saying that liability exists.
4.b Case in point: EV sets minimum liability limits of $2k when the CA
mucks up (only). For EV. This isn't EV, so we can conclude: almost
certainly less, probably zero, because of the context of EV. The
parties who wrote EV will say that EV Guidelines is the combined wisdom
of all the important parties; so that document is likely to impress the
court as to industry understanding.
5. What we do have is a sort of general understanding that "certs are
trusted."
But this by itself means little in a court; the end-user would
have to present to the court why this is worth something. I am told
(which means I don't really understand) that the relevant doctrine is
"duty of care." Which is to say, we are hoping here that a CA has a
duty of care, and that the court recognises that. But this has never
been tried in a court, so the user has to make this case all by herself.
Which would be fine, if it were the case, but today's case does not
support the existence of a duty of care. 5.a The RPA doesn't support
it. 5.b No other RPA I have read accepts it. CAs are more or less
unified in this, so we can likely expect the other CAs' RPAs to be
presented as evidence of a unified position.
5.c Mozo: Nothing Mozilla says supports the existence of a duty of
care; they instead rely on their policy, the audit process and their
own due diligence.
6. There is IMO no general party that is going to come to the
end-user's aid. 6.a Sure, there is a lot of angst on the list, but who
of those people are going to stand up on the witness stand and present a
compelling theory as to why this CA or any other has liability? 6.b
Mozo also have their own relationship with the end-user, and have not
commented on any other relationship, so they are in a sticky position.
If Mozo says anything about the position, it might also apply to them.
7. There might be something in distance selling or consumer protection
laws, such as from the EU.
8. Strategically, if there was a serious chance that a liability would
apply, the CA is likely to settle out of court, to avoid a case and
possible precedent. Which for the general end-user is likely the worst
possible result. Even if this particular end-user gets something, no
other end-user will benefit; they likely won't even know of the
lawsuit, let alone the result.
But, gee, I sure would like to get some general counsels in the room to
hear their opinions. Especially general counsels for the bodies that
are affected by this :)
iang (not speaking professionally, simply collected observations from a
decade of PKI watching.)
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto