RE: draft-ietf-pkix-warranty-ext-01
Hi Denis, and others.
Sorry to take so long to reply but it took some time to digest all of your
useful comments.
Please see some of my responses in between yours. I have done a fair amount
of cutting to keep this thread from growing out of control, and inserted
identifying initials in [ ], i.e., my original comments are [AS1]; yours,
Denis, are [DP]; my responses today are [AS2]. Seems complex? Intent is to
make it easier to read.
Thanks.
Alice Sturgeon
Chair Canadian Advisory Committee - Information Technology Security
ISO/IEC JTC1 SC 27
and
System Policy Architect SPYRUS
-----Original Message-----
Sent: July 31, 2002 11:13 AM
Subject: Re: draft-ietf-pkix-warranty-ext-01
[AS1] Issue # 1: Should the warranty be an aspect of certification policy?
If so, policy qualifiers would indicate the amount of coverage. The reason
for a warranty program is that a CA is not an insurance company and
therefore cannot issue a policy of insurance in favor of the subscriber.
[DP] Whether or not the insurance is direct or subcontracted is not the main
point. The insurance is provided by the CA because the CA pays for it.
[AS2] Agree. The insurance is provided by the CA through its insurer. The CA
pays its insurer. The cost of insurance might or might not be passed on to
subscribers; that would be a business decision on the part of the CA.
[AS1] The CA will take out a certificate insurance policy with a licensed
insurance company. Different certificates will have different certificate
policies and therefore will have a different risk profile.
[DP] Since the certificate policy describes ALL aspects of the policy, if
two certificates have the same CP then they have the same insurance and
warranty limits. As RFC 3280 states: "Optional qualifiers, which MAY be
present, are not expected to change the definition of the policy".
[AS2] Agree. I think I did not word this properly. Obviously, if two
certificates have the same CP, then of course they have the same insurance
coverage (assuming, as we do (as noted above) that the CA implementing the
CP in certificates is providing the insurance to RPs through its (the CA's)
insurer).
[AS1] The insurance company will cover each certificate and type of
certificate issued. Hence the insurance company will sit behind the
operations of the CA to cover the extended warranty program. There will be
a contractual relationship between the CA and the subscriber, likely
through the use of a Subscriber Agreement. With respect to the relying
party, the subscriber, if the subscriber opts for the extended warranty, has
the opportunity to extend the financial trust relationship between them. A
relying party in encountering a certificate warranty program will know that
an insurance company is covering the CA for any claims that fit within the
warranty program.
[DP] "any claims that fit within the warranty program". This is not
understandable or machine processable. This is not visible in the warranty
amount but this is even more important than the amount. So it is very
questionable why the amount should be made visible and machine processable
whereas the conditions of the warranty are not. I am not saying that it
should be made visible as well, but this is more an argument to say that the
amount only is quite insufficient.
[AS2] In most cases, the amount will be sufficient to instill confidence in
the transaction and to enable it to progress. That's the basic intent of
the proposed extension - building confidence in e-business. Again, perhaps
my wording was misleading - I could have said, "for any claims that do not
exceed the maximum amount as shown in 'currency amount' in the certificate".
Is that more understandable? It would be machine processable.
CurrencyAmount ::= SEQUENCE {
    currency INTEGER (1..999),
    amount INTEGER (0..MAX),