1996-01-08 - Certificates: limiting your liability with reuse limitations

Header Data

From: Michael Froomkin <froomkin@law.miami.edu>
To: cypherpunks <cypherpunks@toad.com>
Message Hash: 8d6a7fbf87df73651fb6084413c214bb1e8b0df95cbbf12b076fb27fc4a995b7
Message ID: <Pine.SUN.3.91.960108172534.14719h-100000@viper.law.miami.edu>
Reply To: N/A
UTC Datetime: 1996-01-08 22:39:02 UTC
Raw Date: Tue, 9 Jan 1996 06:39:02 +0800

Raw message

From: Michael Froomkin <froomkin@law.miami.edu>
Date: Tue, 9 Jan 1996 06:39:02 +0800
To: cypherpunks <cypherpunks@toad.com>
Subject: Certificates: limiting your liability with reuse limitations
Message-ID: <Pine.SUN.3.91.960108172534.14719h-100000@viper.law.miami.edu>
MIME-Version: 1.0
Content-Type: text/plain


Suppose I am a CA.  I am worried that by issuing a certificate with a 
lifespan of more than 2 milliseconds I am opening myself up to unlimited 
liability if for some reason, despite my best efforts, I issue an 
erroneous certificate.

I know I can write disclaimers, but that's not reliable since courts 
often ignore them, and anyway it scares off customers.

I know I can put an expiration date on the certificate, but that's not 
enough.  I can accumulate a lot of exposure in a few seconds, much less 
weeks.

I know I can put a reliance limit in the X.509 ver 3 certificate, but 
that's not enough.  Even a $1 limit could be used many millions of times.

Is it feasible to say: Can only be relied on once per day/week/month?  
Is this something the relying parties can reasonably be expected to monitor?

It seems to me that this sort of a limit is essential if a CA is to feel 
comfortable outside Utah....

A. Michael Froomkin        | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law | 
U. Miami School of Law     | froomkin@law.miami.edu
P.O. Box 248087            | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's warm here.





