Hi all,

I want to weigh in on this from a legal perspective.  

The limitations on liabilities and indemnification provisions included in the 
Baseline Requirements and the EV Requirements are only binding on members of 
the Forum.  In other words, these limitations are not binding on parties such 
as Subscribers and Relying Parties, and they do not have to accept the stated 
amounts.  

So, CAs can try to obtain the limitations you’ve enumerated below, but they do 
not have to be accepted.  For example, a Subscriber could demand an unlimited 
liability, and the CA would have to decide how to proceed.

Also, what is “legally recognizable and provable claims” intended to cover, or 
exclude? 


Best regards,

Virginia Fournier
Senior Standards Counsel
 Apple Inc.
☏ 669-227-9595
✉︎ [email protected]






On Oct 12, 2017, at 11:33 AM, [email protected] wrote:

Date: Thu, 12 Oct 2017 21:33:18 +0300
From: "Moudrick M. Dadashov" <[email protected]>
To: Ben Wilson <[email protected]>, CA/Browser Forum Public
        Discussion List <[email protected]>
Subject: Re: [cabfpub] Pre-Ballot 209 EV Liability



Hi Ben, yes, much better... thanks!
M.D.



-------- Original message --------
From: Ben Wilson <[email protected]> 
Date: 10/12/17  21:27  (GMT+02:00) 
To: "Moudrick M. Dadashov" <[email protected]>, CA/Browser Forum Public Discussion 
List <[email protected]> 
Subject: RE: [cabfpub] Pre-Ballot 209 EV Liability 

Moudrick and others,

Is the following proposed change to section 18 of the EV Guidelines more 
clear?

18.  Liability and Indemnification

CAs MAY limit their liability as described in Section 9.8 of the Baseline 
Requirements except that a CA MAY NOT limit its liability to Subscribers or 
Relying Parties for legally recognized and provable claims to a monetary 
amount less than one or any combination of the following:

(1) two thousand US dollars ($2,000) - per Subscriber or Relying Party per EV 
    Certificate;
(2) one hundred thousand US dollars ($100,000) - aggregated across all 
    claims, Subscribers, and Relying Parties - per EV Certificate; or
(3) five million US dollars ($5,000,000) - aggregated across all claims, 
    Subscribers, and Relying Parties - for all EV Certificates issued by the 
    CA during any continuous 12-month period.

Thanks,

Ben

From: Moudrick M. Dadashov [mailto:[email protected]] 
Sent: Wednesday, July 26, 2017 2:32 PM
To: Ben Wilson <[email protected]>; CA/Browser Forum Public Discussion 
List <[email protected]>
Subject: Re: [cabfpub] Pre-Ballot 209 EV Liability

Thanks, Ben.

Assuming that any combination (of 1,2, 3) or no combination at all would be 
acceptable, could we add something like "at least one or any combination of 
following" so that it is explicitly clear?

Thanks,
M.D.

CAs MAY limit their liability as described in Section 9.8 of the Baseline 
Requirements except that a CA MAY NOT limit its liability to Subscribers or 
Relying Parties for legally recognized and provable claims to a monetary amount 
less than:

On 7/26/2017 5:12 AM, Ben Wilson wrote:

Rather than tack on these two additional limits, what if it were simplified 
to read:

CAs MAY limit their liability as described in Section 9.8 of the Baseline 
Requirements except that a CA MAY NOT limit its liability to Subscribers or 
Relying Parties for legally recognized and provable claims to a monetary 
amount less than:

(1) two thousand US dollars per Subscriber or Relying Party per EV 
    Certificate;
(2) one hundred thousand US dollars - aggregated across all claims, 
    Subscribers, and Relying Parties - per EV Certificate; and/or
(3) five million US dollars - aggregated across all claims, Subscribers, and 
    Relying Parties - for all EV Certificates issued by the CA during any 
    continuous 12-month period.

These limitations are notwithstanding anything in the Baseline Requirements 
purportedly to the contrary.

A CA's indemnification obligations and a Root CA's obligations with respect 
to subordinate CAs are set forth in Section 9.9 of the Baseline Requirements.

From: Public [mailto:[email protected]] On Behalf Of Ben Wilson via Public
Sent: Tuesday, July 25, 2017 6:37 PM
To: Moudrick M. Dadashov <[email protected]>; CA/Browser Forum Public Discussion List 
<[email protected]>
Subject: Re: [cabfpub] Pre-Ballot 209 EV Liability

Would this work?

Notwithstanding the foregoing, a CA MAY limit its liability to Subscribers or 
Relying Parties for legally recognized and provable claims to not less than: 
(1) one hundred thousand US dollars - aggregated across all claims, 
Subscribers, and Relying Parties - per EV Certificate; and/or (2) five million 
US dollars - aggregated across all claims, Subscribers, and Relying Parties - 
for all EV Certificates issued by the CA during any continuous 12-month 
period. These limitations are notwithstanding anything in the Baseline 
Requirements purportedly to the contrary.

From: Moudrick M. Dadashov [mailto:[email protected]] 
Sent: Tuesday, July 25, 2017 5:48 PM
To: Ben Wilson <[email protected]>; CA/Browser Forum Public Discussion 
List <[email protected]>
Subject: Re: [cabfpub] Pre-Ballot 209 EV Liability

Would you mind to show how it would sound now? :)

Thanks,
M.D.

On 7/26/2017 2:14 AM, Ben Wilson wrote:

And it should be an "and" or a "but", but rephrased nevertheless.

Ben Wilson, JD, CISA, CISSP
VP Compliance
+1 801 701 9678

From: Ben Wilson 
Sent: Tuesday, July 25, 2017 5:11 PM
To: Ben Wilson <[email protected]>; CA/Browser Forum Public Discussion 
List <[email protected]>; Moudrick M. Dadashov <[email protected]>
Subject: RE: [cabfpub] Pre-Ballot 209 EV Liability

Never mind - I think I now see your point.  Not "up to" it needs to be "not 
less than $5 million."  Would that make it clearer?

Ben Wilson, JD, CISA, CISSP
VP Compliance
+1 801 701 9678

From: Public [mailto:[email protected]] On Behalf Of Ben Wilson via Public
Sent: Tuesday, July 25, 2017 5:10 PM
To: Moudrick M. Dadashov <[email protected]>; CA/Browser Forum Public Discussion List 
<[email protected]>
Subject: Re: [cabfpub] Pre-Ballot 209 EV Liability

It's permissive - a CA MAY limit its liability.  Maybe we should say "up to 
$5 million".  Then, would that be clearer - that it can be less than $5 
million?

Ben Wilson, JD, CISA, CISSP
VP Compliance
+1 801 701 9678

From: Moudrick M. Dadashov [mailto:[email protected]] 
Sent: Tuesday, July 25, 2017 4:35 PM
To: Ben Wilson <[email protected]>; CA/Browser Forum Public Discussion 
List <[email protected]>
Subject: Re: [cabfpub] Pre-Ballot 209 EV Liability

With "and" I don't see it's optional.

Again, just to understand the model: is per EV certificate amount is NOT fixed 
whereas 12-month continuous amount is the only option ($5 mln.)?

Thanks,
M.D.

On 7/26/2017 1:28 AM, Ben Wilson wrote:

All of the provisions would provide optional caps that CAs could place on EV 
liability.  The 12-month $5 Million cap allows a CA to cap all EV liability 
to all those EV certificates issued within a single year.

Ben Wilson, JD, CISA, CISSP
VP Compliance
+1 801 701 9678

From: Moudrick M. Dadashov [mailto:[email protected]] 
Sent: Tuesday, July 25, 2017 4:24 PM
To: Ben Wilson <[email protected]>; CA/Browser Forum Public Discussion 
List <[email protected]>
Subject: Re: [cabfpub] Pre-Ballot 209 EV Liability

Ok. Do I understand the intention correctly: to have a "floating liability" 
amount per EV certificate and "fixed liability" amount per continuous 
12-month period?

Thanks,
M.D.

On 7/26/2017 1:10 AM, Ben Wilson wrote:

No. Because they MAY do both.  An "or" would mean that they have to choose 
between the two, which isn't the intent.

Ben Wilson, JD, CISA, CISSP
VP Compliance
+1 801 701 9678

From: Moudrick M. Dadashov [mailto:[email protected]] 
Sent: Tuesday, July 25, 2017 4:09 PM
To: Ben Wilson <[email protected]>; CA/Browser Forum Public Discussion 
List <[email protected]>
Subject: Re: [cabfpub] Pre-Ballot 209 EV Liability

Hi Ben,

could it be "or" between (1) and (2)?

Thanks,
M.D.

On 7/25/2017 11:59 PM, Ben Wilson via Public wrote:

Here is another pre-ballot for discussion.

Ballot 209 - EV Liability

In Section 18 of the EV Guidelines, add the following sentences to the end of 
the first paragraph:

Notwithstanding the foregoing, a CA MAY limit its liability to Subscribers or 
Relying Parties for legally recognized and provable claims to: (1) one hundred 
thousand US dollars - aggregated across all claims, Subscribers, and Relying 
Parties - per EV Certificate; and (2) five million US dollars - aggregated 
across all claims, Subscribers, and Relying Parties - for all EV Certificates 
issued by the CA during any continuous 12-month period. These limitations are 
notwithstanding anything in the Baseline Requirements purportedly to the 
contrary.

Such that Section 18 of the EV Guidelines would read:

CAs MAY limit their liability as described in Section 9.8 of the Baseline 
Requirements except that a CA MAY NOT limit its liability to Subscribers or 
Relying Parties for legally recognized and provable claims to a monetary 
amount less than two thousand US dollars per Subscriber or Relying Party per 
EV Certificate. Notwithstanding the foregoing, a CA MAY limit its liability to 
Subscribers or Relying Parties for legally recognized and provable claims to: 
(1) one hundred thousand US dollars - aggregated across all claims, 
Subscribers, and Relying Parties - per EV Certificate; and (2) five million US 
dollars - aggregated across all claims, Subscribers, and Relying Parties - for 
all EV Certificates issued by the CA during any continuous 12-month period. 
These limitations are notwithstanding anything in the Baseline Requirements 
purportedly to the contrary.

A CA's indemnification obligations and a Root CA's obligations with respect 
to subordinate CAs are set forth in Section 9.9 of the Baseline Requirements.

Ben Wilson, JD, CISA, CISSP
VP Compliance
+1 801 701 9678



_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
------------------------------

End of Public Digest, Vol 66, Issue 46
**************************************
