On 12/24/2008 3:36 AM, Ian G wrote:
> Hi David,
> 
> On 24/12/08 02:23, David E. Ross wrote:
> {long diatribe by iang on liability snipped}
> 
>> See the thread "Unbelievable" in this newsgroup.
>>
>> Now we have the situation in which Comodo allowed third-party CAs under
>> its root to issue site certificates without proper authentication of the
>> subscribers (e.g., whether they actually owned the domain).  Apparently,
>> Comodo failed to enforce its own CP/CPS with regard to the operation of
>> external CAs for which Comodo signed their intermediate certificates.
> 
> 
> That might be how it ends up being stated, sure.
> 
> 
>> It is known that bogus site certificates did indeed result (at least for
>> testing to determine if the situation was really happening).
> 
> Right, tested as possible, 2 certs.
> 
>> Now, what is Comodo's liability to consumers if any of those consumers
>> were defrauded through this situation?  I too am not an attorney.
> 
> 
> None of us are attorneys, it seems.
> 
> I would expect that Comodo would say that their RPA sets the scene, the 
> baseline.  I found this:
> 
>     http://www.comodo.com/repository/
>     http://www.comodo.com/repository/docs/relying_party.html
> 
> Now, this might not be the right doc.  But, let's assume it is, for 
> discussion purposes.  In section 11, it says, rather cumbersomely:
> 
> ====================
> 11.2 Subject to clause 11.1, Comodo shall not be liable to the Relying 
> Party whether in contract (including under any indemnity or warranty), 
> in tort (including negligence), under statute or otherwise for any loss 
> of profit, loss of revenue, loss of anticipated savings, loss or 
> corruption of data, loss of contract or opportunity or loss of goodwill 
> whether that loss is direct, indirect or consequential and if Comodo 
> shall be liable to the Relying Party in contract (including under any 
> indemnity or warranty), in tort (including negligence), under statute or 
> otherwise, Comodo's maximum liability to the Relying Party for SSL 
> Certificates shall be limited to
> 
> 11.2.1 $0.01 for a TrialSSL Certificate, and
> 
> 11.2.2 $50 for an InstantSSL Certificate, and
> 
> 11.2.3 $2500 for an InstantSSL Pro Certificate, and
> 
> 11.2.4 $10,000 for a PremiumSSL Certificate and PremiumSSL Wildcard 
> Certificate, and
> ====================
> 
> Amongst other things...  If I read this right, it says in simple terms:
> 
>      *CA is not liable*.  For anything we can think of.
> 
>      And, if it is found liable (by a court?), the following applies
>        $0.01 for a Trial, and
>        $50 for an InstantSSL , and
>        $2500 for a Pro, and
>        $10,000 for a Premium, and...
> 
> (Yeah, I heavily edited that for readability and to make my point.)
> 
> 
> 
>> However, it seems to me that any denial of liability by Comodo might be
>> nullified by its failure to enforce its published policies.
> 
> 
> This is one of those really difficult questions that can only be 
> answered in a real court case.  Which has never happened.  All we can 
> do, as armchair generals, is express opinions as to our current 
> understanding of how that court case might unfold.
> 
> 
> 
> My opinion is that it would be tough.  Pointwise:
> 
> 1. The RPA document is clear enough, and the user hasn't got much of 
> anything else as a document.  1.b  I would be surprised if the CPS added 
> anything of benefit to the user, although I haven't looked.  1.c  the 
> RPA does not say liability is higher if the CA mucks up, however expressed.
> 
> 2. The user would have to claim that there was another agreement or 
> understanding than the above, that has some standing.
> 
> 3. As the user hasn't paid anything, the user's standing is not strong.
> 
> 4.  Nobody else is standing up and saying that liability exists.
> 
> 4.b  Case in point: EV sets minimum liability limits of $2k when the CA 
> mucks up (only).  For EV.  This isn't EV, so we can conclude:  almost 
> certainly less, probably zero, because of the context of EV.  The 
> parties who wrote EV will say that EV Guidelines is the combined wisdom 
> of all the important parties;  so that document is likely to impress the 
> court as to industry understanding.
> 
> 
> 5.  What we do have is a sort of general understanding that "certs are 
> trusted."
> 
> But this by itself means little in a court; the end-user would 
> have to present to the court why this is worth something.  I am told 
> (which means I don't really understand) that the relevant doctrine is 
> "duty of care."  Which is to say, we are hoping here that a CA has a 
> duty of care, and that the court recognises that.  But this has never 
> been tried in a court, so the user has to make this case all by herself.
> 
> Which would be fine, if it were the case, but today's case does not 
> support the existence of a duty of care.  5.a The RPA doesn't support 
> it.  5.b No other RPA I have read accepts it.  CAs are more or less 
> unified in this, so we can likely expect the other CAs' RPAs to be 
> presented as evidence of a unified position.
> 
> 5.c Mozo:  Nothing Mozilla says supports the existence of a duty of 
> care;  they instead rely on their policy, the audit process and their 
> own due diligence.
> 
> 6.  There is IMO no general party that is going to come to the 
> end-user's aid.  6.a  Sure, there is a lot of angst on the list, but who 
> of those people are going to stand up on the witness stand and present a 
> compelling theory as to why this CA or any other has liability?  6.b 
> Mozo also have their own relationship with the end-user, and have not 
> commented on any other relationship, so they are in a sticky position. 
> If Mozo says anything about the position, it might also apply to them.
> 
> 7.  There might be something in distance selling or consumer protection 
> laws, such as from the EU.
> 
> 8.  Strategically, if there was a serious chance that a liability would 
> apply, the CA is likely to settle out of court, to avoid a case and 
> possible precedent.  Which for the general end-user is likely the worst 
> possible result.  Even if this particular end-user gets something, no 
> other end-user will benefit;  they likely won't even know of the 
> lawsuit, let alone the result.
> 
> 
> 
> But, gee, I sure would like to get some general counsels in the room to 
> hear their opinions.  Especially general counsels for the bodies that 
> are affected by this :)
> 
> 
> 
> iang (not speaking professionally, simply collected observations from a 
> decade of PKI watching.)

Although end-users did not pay for certs and had no contractual
relationship with Comodo, liability might still exist.  Just compare
this situation -- consumers trusting Comodo's certs -- with the
situation of public accounting firms and corporate fraud.  Stockholders
and vendors of companies that go bust have successfully sued the
accounting firms that certified those companies' books even though the
accounting firms only did business with the companies and not with those
who sued.

-- 
David E. Ross
<http://www.rossde.com/>

Go to Mozdev at <http://www.mozdev.org/> for quick access to
extensions for Firefox, Thunderbird, SeaMonkey, and other
Mozilla-related applications.  You can access Mozdev much
more quickly than you can Mozilla Add-Ons.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
