+1

Thanks,
M.D.

On 6/5/2017 7:16 PM, Ryan Sleevi via dev-security-policy wrote:
On Mon, Jun 5, 2017 at 11:52 AM, Matthew Hardeman via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
Has there ever been an effort by the root programs to directly assess
monetary penalties to the CAs -- never for inclusion -- but rather as part
of a remediation program?

The extent to which there can be meaningful discussion about this is
going to be understandably significantly limited, for non-technical reasons.

I can simply point you to the existing precedent and discussions around
such proposals:

1) Examine the DigiNotar case, both with respect to liability and with
respect to insurance
2) Examine the CA/Browser Forum's multiple discussions around CA liability
in the context of EV, with Browsers uniformly voting against imposing
additional liability due to the fact that no liability claim for
misissuance has ever been successfully claimed, and thus it merely
represents an artificial barrier to market entry that predominantly Western
CAs use to exclude those in other jurisdictions
3) Examine CAs' CP/CPS statements with respect to disclaiming liability.
4) Examine CAs' Relying Party Agreements regarding the obligations of an RP
prior to having liability

While on paper the idea sounds quite good, it turns out to simply trade
technical complexity for complexity of the non-technical sort. As such,
it's best to focus on meaningful and actionable technical solutions.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
