RisksLiabilitiesObligations

Including: NRP definition

"Membership has its rewards."

Being a participant in CAcert also has carries Risks, Liabilities and Obligations. This page lists the R/L/O in DRAFT Form. It is primarily driven by DRC A.6

Party

Risks

Liabilities

Obligations

Comments

CA

loss/compromise of root keys; unavailability of systems; theft/compromise of user database

remedies ruled by Arbitrator

provide DR, provide Doc, protect system, keep Board in good order to back up everything else

Management is deficient

Non-related person (NRP)

gets phished, RELIES inappropriately outside RDL and CCA

own actions

"none" As she does not know CAcert, she cannot be "obliged".

Grandma: as member of the public, using via a browser, who does not know CAcert.

Member

gets phished; loss/compromise of user data; certificate proves unreliable

may lose access, may lose value

as listed in CAcert Community Agreement

new member of community

Anonymous Subscriber

Theft of private key, User name revealed,

revocation, loss of access, loss of points

keep key secure, use key responsibly

Use of an anonymous cert may subject to a higher degree of responsibility due to the protection afforded by anonymity.

Named Subscriber

Theft of private key, ID + Info revealed

ditto

ditto

RA Assurers

poorly conducted assurance

may lose assurance points, Assurer status, as ruled by Arbitrator

best effort at Assurance, keep Paperwork

Registration Authorities are those who check credentials of Subscribers. In this case, they are CAcert's Assurers

All Members

subject to judgement from Arbitrator in DR, legal suite by NRP outside our jurisdiction, subpoena/order by NRP

remedies as ruled by Arbitrator, or by Court (in case of NRP/Grandma suit)

accept CCA, CPS, PP, etc, act within, work to benefit of CAcert and within spirit of principles

covers all who are registered and thus signed up

Everyone

liable for criminal actions

Terms:

Specific risks and obligations with code signing certificates (CSCs)

A summary of the discussion about code signing certificates

Party

Risks

Liabilities

Obligations

Comments

Signer

Key may be compromised and used to sign malware

Responsible for the code, according to own licence statement

Keep key secure, revoke compromised key; write own offered licence agreement in accord with code-signing agreement with CAcert

May be considered "distributor"?

CAcert

may have to answer to claims from NRPs, vendor

Has to issue certificates according to the policy

has to allocate R/L/O between Signer on one hand and vendor on the other hand

OS / Browser vendor

may have to answer to claims from NRPs

May only include root certs which conform to their policy; must offer licence to end-users that is compatible with CA's licence; should enable end-users to check certificates for CA name,

Assurer

gets tricked by malicious coder

to Arbitrator

special CSC assurance

special CSC assurance is a notional thing so far!

Member

May run malware

Has to decide wether the signer is trustable

NRP

May run malware

May not rely on certificates issued by CAcert

Questions

If we want a code signer to sign an additional agreement, what should be contained in the Agreement? Some brainstorming about this topic:

Other ideas

Dispute Resolution

Remedies by Arbitrator, being things that the Arbitrator can rule against any User

Dispute Resolution is described at ArbitrationForum

NRP - Grandma

Within R/L/O, the following was directed (as AD1 200606xx) for Non-related Persons, otherwise known as Grandma:

Grandma is allowed to USE certificates but is not permitted to RELY This matches the normal browser paradigm, where she downloads or installs free software, with no relationship with the supplier. She takes on all the risk of her activity.

A disclaimer and licence for Grandma is found in RDL.

In case she wishes to RELY and make some claim against CAcert, she must join, and become a Member.

Problem: Just in case we manage to get the CAcert root into any browser, the browser (and implicitly many NRPs) may RELY on CAcert-issued certificates.

Liability risks for assurers

The precise liability of an Assurer in any particular case is determined firstly by CAcert's dispute resolution, and may also be determined by external courts in criminal or NRP cases.

The following are notes of guidance only:

If the assurer can be made liable the next question is to what extent s/he can be made liable. One view might be to undo the direct consequences of her/his actions. This can not cover "rebuying grandma's house" which is why grandma is not permitted to rely. Members of CAcert are obliged to not rely in excess.

Country views

Remember that the jurisdiction for Assurances is firstly the CAcert Dispute Resolution system of Arbitration, and the law is firstly that of NSW, Australia.

There are however some exceptions: Criminal areas, cases with NRPs, and countries that do not have an Arbitration Act.

More information on the topic of liability/negligence:

Feel free to add other countries views above.


RisksLiabilitiesObligations (last edited 2015-12-23 15:21:48 by AlesKastner)