Certificates: limiting your liability with reuse limitations



Suppose I am a CA.  I am worried that by issuing a certificate with a 
lifespan of more than 2 milliseconds I am opening myself up to unlimited 
liability if for some reason, despite my best efforts, I issue an 
erroneous certificate.

I know I can write disclaimers, but that's not reliable since courts 
often ignore them, and anyway it scares off customers.

I know I can put an expiration date on the certificate, but that's not 
enough.  I can accumulate a lot of exposure in a few seconds, much less 
weeks.

I know I can put a reliance limit in the X.509 ver 3 certificate, but 
that's not enough.  Even a $1 limit could be used many millions of times.

Is it feasible to say: Can only be relied on once per day/week/month?  
Is this something the relying parties can reasonably be expected to monitor?

It seems to me that this sort of a limit is essential if a CA is to feel 
comfortable outside Utah....

A. Michael Froomkin        | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law | 
U. Miami School of Law     | [email protected]
P.O. Box 248087            | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's warm here.