I would say countless companies have spent millions of dollars due to misissued certificates.
In either event, I think the suggestion of increasing liability needs only look at the way in which CAs use the liability requirements to attempt to impose privacy-harming or unreasonable expectations (such as manual examination of the certificate chain, as I have seen required in CP/CPSes). I certainly don't think we should be increasing it - especially given that it is a tiger-repelling rock.

On Mon, Oct 23, 2017 at 1:37 PM, Phillip <[email protected]> wrote:

> Has anyone ever established a loss as a result of a mis-issued certificate?
>
> The point of insurance is that an insurer is like an auditor except that
> they have skin in the game. An auditor rarely suffers as a result of a
> negligent audit. Arthur Andersen survived Sunbeam, DeLorean and numerous
> others before Enron sunk them. An insurer is required to back their
> assessment of risk with actual dollars.
>
> Nothing gives perfect security but insurance is a tool we need to learn
> how to use as an industry.
>
> *From:* Public [mailto:[email protected]] *On Behalf Of *Ryan
> Sleevi via Public
> *Sent:* Monday, October 23, 2017 11:26 AM
> *To:* Gervase Markham <[email protected]>
> *Cc:* CA/Browser Forum Public Discussion List <[email protected]>;
> Virginia Fournier <[email protected]>
> *Subject:* Re: [cabfpub] Limitation of Liability and Indemnification
>
> On Mon, Oct 23, 2017 at 10:54 AM, Gervase Markham <[email protected]>
> wrote:
>
> On 23/10/17 14:55, Ryan Sleevi wrote:
> > I don't believe this is correct or supported by fact, Gerv, nor
> > supported by the limits of liability if you review CA's CP/CPS.
>
> I'm not sure what you mean. If you mean the limits I'm suggesting are
> currently not offered by CAs, well of course they aren't.
>
> No, I mean both with respect to the misissuance of EV (I can think of
> several CAs that have done so) and to the terms of claiming liability (I
> encourage you to read the CP/CPSes of those who have).
>
> I'm curious whether there has ever been a successful claim of liability.
> Certainly, the claims of insurance to date have been rejected.
>
> > We are very much opposed to increasing liability, and I'm surprised to
> > see Mozilla advocating it, given its past votes to abolish liability
> > requirements from EV given the practical challenges they face.
>
> Reminder?
>
> You mean Google sees CA liability for misissuance as a paper tiger?
>
> Ballot 141 -
> https://cabforum.org/2015/01/19/ballot-141-elimination-ev-insurance-requirement-financial-responsibility-mis-issued-certificates/
> - and Ballot 142 -
> https://cabforum.org/2015/01/19/ballot-142-elimination-ev-insurance-requirement/
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
