Echoing Wayne, my understanding is that this is not directly about relying parties and/or subscribers, rather it sets rules around what a CA may include in their agreements.
The current text in the EV Guidelines says:

"CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per EV Certificate."

Based on the prior comments from Moudrick and others, we suggest adding two new sentences at the end to make it clearer how things can be combined.

"CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per EV Certificate. Notwithstanding the foregoing, a CA MAY limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to an amount equal to, or greater than (1) one hundred thousand US dollars – aggregated across all claims, Subscribers, and Relying Parties – per EV Certificate or (2) five million US dollars – aggregated across all claims, Subscribers, and Relying Parties – for all EV Certificates issued by the CA during any continuous 12 month period. These limitations are notwithstanding anything in the Baseline Requirements purportedly to the contrary."

On the other hand, if there is agreement that this paragraph is unnecessary or has no effect, then I suggest that we amend this ballot to simply remove the whole paragraph.

Thanks,
Peter

> On Oct 12, 2017, at 3:41 PM, Wayne Thayer via Public <[email protected]> wrote:
>
> Virginia,
>
> As Ryan stated, this requirement is about constraining the liability limits that CAs are allowed to place in their SA/RPA(s). If the CA isn’t permitted to enter into an agreement with a liability limit lower than what is specified by the CA/B Forum and enforced by the root programs via audits, then I fail to see how these limitations ‘are not required’?
>
> Thanks,
>
> Wayne
>
> From: Public <[email protected]> on behalf of Virginia Fournier via Public <[email protected]>
> Reply-To: Virginia Fournier <[email protected]>, CA/Browser Forum Public Discussion List <[email protected]>
> Date: Thursday, October 12, 2017 at 3:21 PM
> To: "Moudrick M. Dadashov" <[email protected]>
> Cc: CA/Browser Forum Public Discussion List <[email protected]>
> Subject: Re: [cabfpub] Limitation of Liability and Indemnification
>
> MD,
>
> If you can get the Relying Parties and Subscribers to sign the agreement with the limitations of liability and indemnification in it, then they are bound. But the rest does not require them to agree to those provisions. It’s entirely up to the Relying Parties and Subscribers to decide whether they accept those provisions or not.
>
> If you have any additional questions, you should discuss with your counsel.
>
> Given that the limitations are not required, is there a need to proceed with this ballot?
>
> Best regards,
>
> Virginia Fournier
> Senior Standards Counsel
> Apple Inc.
> ☏ 669-227-9595
> ✉︎ [email protected]
>
> On Oct 12, 2017, at 3:11 PM, Moudrick M. Dadashov <[email protected]> wrote:
>
> How about:
>
> BR/EVG --> Webtrust/ETSI schemes --> Root Store schemes --> Audit report --> CP/CPS --> Binding RPA/Subscriber Agreement
>
> Thanks,
> M.D
>
> On 10/13/2017 12:58 AM, Ryan Sleevi via Public wrote:
>>
>> On Thu, Oct 12, 2017 at 5:38 PM, Virginia Fournier via Public <[email protected]> wrote:
>>> Message: 3
>>> Date: Fri, 13 Oct 2017 00:18:33 +0300
>>> From: "Moudrick M. Dadashov" <[email protected]>
>>> To: Virginia Fournier via Public <[email protected]>
>>> Subject: Re: [cabfpub] Limitation of Liability and Indemnification
>>> Message-ID: <[email protected]>
>>> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>>>
>>> Could you please explain why you think BR and EV Requirements are only binding on members of the Forum?
>>>
>>> Thanks,
>>> M.D.
>>>
>>> Hi M.D.
>>>
>>> I can see why this would be hard to understand.
>>>
>>> Entities who are not members of the Forum have nothing that would legally bind them to abide by those limitations. They aren’t members, so they aren’t bound by any of the Forum documents - Bylaws, Baseline Requirements, etc. They don’t have a written agreement with the Forum to abide by certain requirements, so they’re not bound that way either.
>>
>> Members of the Forum also aren't bound to abide by the Baseline Requirements.
>>
>> Given this, does that resolve your concern?
>>
>>> The best way to make the limitations binding on the Subscribers, Relying Parties, etc. would be for the CAs to enter into agreements with those parties, and try to get them to agree to the limitations. But, again, they could just ignore the limitations.
>>
>> Perhaps phrased differently - the BRs describe what such agreements MUST and SHOULD contain. This is allowing a further modification (a MAY) to such agreements. The enforcement and requirement that CAs' agreements do or do not contain such provisions is done by the root stores that individual CAs partner with - not by the Forum.
>>
>> No member of the Forum is bound to abide by the Baseline Requirements by the Forum. The only document any member is bound to is the IPR policy (as per the mutual contracts signed).
>>
>> _______________________________________________
>> Public mailing list
>> [email protected]
>> https://cabforum.org/mailman/listinfo/public
