
Re: draft-ietf-pkix-warranty-extn-01.txt




note also that warranties/insurance tend to be between parties in a
business relationship. that has been one of the problems with certificates.
A certification authority can have a relationship with the end-user that
purchases the certificate.

A certification authority can warranty/insure something with respect to the
person that purchases the certificate. Such warranty/insurance might be if
a relying-party happens to sue the person that purchases the certificate
... then that person has coverage from the certification authority. If
something bad happens to a relying-party because of some certificate
related thing ... then for the relying-party to be able to collect ...
there typically has to be a business relationship between the relying party
and the institution providing the warranty/insurance.  possibly the
relying-party can sue the end-user ... and then have the certification
authority insurance/warranty cover the cost of that litigation. This is
possibly somewhat like home insurance that has a rider covering workers
hired by the home owner that are injured while at the home.

i presume this is the case somewhat of the previously mentioned reference
to GSA certificates .... certification authorities are providing
certificates as a business agent of the GSA ... and relying parties have
contracts with GSA. Presumably such contracts could include payment by the
relying parties to the GSA for the cost of any insurance/warranties. It is
frequently difficult for a business entity to provide a service like
insurance or warranties ... when there hasn't been any fees and/or other
funding which would cover the cost of providing such a service. Possibly
the only kinds of insurance and warranties that don't require any funding
are the kind that nobody figures on ever having to make good on (totally
w/o substance or concrete validity).

not having any warranties or insurance (or liability) somewhat implies that
there is no incremental upfront cost of doing business if something goes
wrong.

warranties or insurance typically are related to some liability that might
be incurred if something goes wrong.

warranties and insurance are an incremental cost of doing business and must
be covered by some sort of revenue associated with doing that business.
furthermore the entities underwriting the insurance will want to understand
the parameters of the insurance risk ... in order to set the premiums. this
is something that the insurance industry is revising in the wake of 9/11
... there was possibly a significant amount of unanticipated risk for which
the premiums are insufficient to cover the risk exposure. this is analogous
to security proportional to risk (in this case, insurance can be considered
a form of security):
http://www.garlic.com/~lynn/2001h.html#61

warranties and insurance associated with some liability of doing business
are typically with respect to entities that have some business relationship.
For a typical TTP environment with respect to a relying party ... it is
frequently not possible to show a business relationship between the TTP and
the relying party (i think that in part is the purpose of the various GSA
legal instruments).





anders.rundgren <anders.rundgren@xxxxxxxxx> on 11/28/2002 2:19 pm wrote:

Alice,

I do sympathize with the idea, but I maintain that it is not fully
recommendable to mix warranties and liabilities as they are at least
perceived as different.

CA liability does address a serious commercial aspect.  Very few CAs are
likely to go beyond liability due to the following reasons:

A problem with a "warranty" worth its name, is that it must cope with
transaction-accumulation, which is technically impossible to support.  An
identity thief performing massive parallel attacks of some kind, like
sending fake purchase orders to different parties, will erode any valid
reason for having a warranty in the form we usually define it.

A car can only break down once at a time, while PKI break-downs can be like
forest-fire.

Another problem with "warranties" is that not everything has an a priori
known value.  Like authentication.

Also I don't think this is how PKI is actually used (or even should be used
for that matter), you'd rather accept a CA or not.

If you split the ID in two pieces I'm sure that at least the liability-ID
could be a real success.  If lawyers accept the liability extensions (it is
really reductions...) in case of a lawsuit that is.  Otherwise
the whole thing gets redundant.

cheers,
Anders

PS It must be a challenge to be "Alice" in the world of PKI where "Bob and
Alice" are the two main players :-) DS



----- Original Message -----
From: "Alice Sturgeon" <asturgeon@xxxxxxxxxx>
To: "Anders Rundgren" <anders.rundgren@xxxxxxxxx>; <ietf-pkix@xxxxxxx>
Sent: Thursday, November 28, 2002 20:36
Subject: RE: draft-ietf-pkix-warranty-extn-01.txt


Anders,

I respectfully disagree.  You're right that a CA is not like GM or Ford,
but why can a CA not offer a warranty?  Perhaps what is missing here is a
definition of warranty, which, in insurance terms, is attestation of the
intent to provide compensation for harm incurred by using a certificate
(that is, a certificate that is faulty in some way).  Warranty is not the
same as liability; warranty is something that the CA can control, whereas
it cannot completely control liability.  The CA (or indeed any product- or
service-offering company) may try to limit its liability, but regardless of
this attempt, the extent of liability will ultimately be decided by the
courts.

You seem to be defining warranty rather narrowly, as replacement or refund
in the event of an inherent flaw.

Similarly, it seems to me that I define risk management more broadly than
you suggest.  Every time an RP enters into a transaction, or considers
doing so, the RP makes a risk management decision.  This can be quite a
natural and intuitive process, or it can be explicitly defined; either way,
the decision is made, and it will be based on more or less information.
The more information an RP has, the more informed the risk management
decision will be.  If a certificate contains information pertaining to the
existence of compensation in the event of harm, then the RP has more
information on which to make a risk decision.  Armed with this information,
as well as information about other factors of the transaction, such as
value, sensitivity of information, parties to the transaction (e.g., known
or unknown), etc., the RP's risk is reduced by virtue of knowing more about
all of the risk factors - including warranty.  If there is a TTP involved,
this again becomes a factor in the RP's risk management decision.

My 2 Canadian cents again.

Alice



Alice Sturgeon
Chair
Canadian Advisory Committee - Information Technology Security
ISO/IEC JTC1 SC 27
and
System Policy Architect
SPYRUS
Phone:     613-232-2350
Cell:         613-291-0331



-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]On
Behalf Of Anders Rundgren
Sent: November 28, 2002 12:29 PM
To: ietf-pkix@xxxxxxx
Subject: Re: draft-ietf-pkix-warranty-extn-01.txt


Hi,

After reading this draft I believe the name "warranty" is a bit misleading.
It is (or should IMHO at least be) focused on CA liability issues, as a CA
cannot be compared to a car maker, as only the latter will repair or
replace their products in case of faults.  Well, to get a "replacement"
certificate would be the equivalent but that is sort of taken for granted
anyway. :-)

                  CA-liability-extn

seems to be closer to what we are actually dealing with.

I would also be very cautious about RP "risk management" because that's
rather fictional.  The risk you take by accepting an unknown[*] business
partner is likely to be magnitudes bigger than accepting their
certificates.   If the CA is unknown as well you have nothing to build PKI
trust on either.

For TTP CAs OTOH, "risk management" with respect to client-certificates is
a part of their daily bread.

Just my 2 öres

Anders

*] with respect to performance, trustworthiness, credibility etc.