[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Certificates/Anonymity/Policy/True Names
Michael Froomkin writes:
[...hypothetical screwups by CA leading to lawsuits snipped...]
> Since (in the absence of any rules given the newness of the
> technology) it is very likely that a rich CA would get nuisance
> suits every time a deal in which it particiapted went sour, the
> absence of rules will either raise costs CAs have to charge (e.g.
> to buy insurance) or will keep rich folk out of the industry (which
> isn't good either, since you want CAs to buy security and to last).
> Thus the need for clear liability rules.
What about when the CA signing key is stolen, factored, or otherwise falls
into the wrong hands, thereby possibly making every signature made by the CA
worthless, or at least questionable?
I assume liability will be based on the CA's efforts to ensure the integrity
of the signatures it makes (and therefore the confidentiality of the secret
key components), but what constitutes due diligence? As we all know,
security measures cover a very wide range and can reach ridiculous
proportions on both ends of the spectrum... How much security will be
'enough' from a legal standpoint...?