January 30, 2007

EV - liability situation is SNAFU

Over in MozoLand, they have opened up a bug track on the problems with Extended Validation certificates, as their way of carrying out the debate as to what Mozo should do. Using bug tracking systems doesn't mean "EV is a bug," it just fits the process and culture of the people concerned.

As I'd commented before about EV, and hit on the liability issue as one big area, the following is a clearer description of the issue: possibly suitable for filing as a bug. I just find it easier to wax on in blog form when it reaches a certain level of complexity.

Classically and simply, the certificate business is one that promises coverage of some form for MITMs (such as phishing attacks) to Internet browser users (relying parties, perhaps), while charging server users (subscribers) for the privilege. It is structured as a systemic franchise, meaning a group of interlinked but independent business units such as CAs, server vendors and browser vendors, operating to provide a single cohesive service; I just coined that term to capture the lack of transparency, and the potential problems incumbent in that opacity.

In practice, the promise of "safe Internet browsing" is generally false, as evidenced by phishing. In particular, CAs more or less generally seek to reduce their liability to Internet browser users to zero, using a variety of tricks [1]. For example, in law, there is generally no liability if there is no contract or no specific legislation; so a common trick for CAs is to hand out contracts that spell out that liability only exists if the crypto has been breached, or under other conditions that are statistically or security-wise irrelevant.

The new EV Guidelines may then be viewed on whether they improve on this position, from the point of view of users and other stakeholders. Some comments follow that attempt to interpret/predict any new liability position that arises for CAs to browser users under EV [2].

The big picture within the Guidelines is at page 42. Here is my summary:

37.(a). CA Liability

(1) Subscribers and Relying Parties.

A. If the CA is compliant with EVG, then it is not liable.
B. If the CA is *not* compliant then it may seek to limit liability.
C. But not to any lower than $2000 per customer.

So what we have is that if CAs did the "right thing," then they are not liable, but even if they did the wrong thing, then they are only liable for up to $2000!

Let's get specific:

1. We know that the average phish is around $1000. Many are more, of course, and some frauds have reached towards $100,000. Now, maybe we don't want to limit liability to $100k ... but something a lot greater than twice the average phish -- data which we have known for some 3 years -- would be somewhat more impressive.

2. It has been suggested that the base price of an EV certificate will be around twice the existing "best of class" cert. That is, around $2000 from Verisign.

So in effect, for any one customer, the issuer is likely only liable for the same amount as the monies which they have accepted, albeit from the subscriber. This happens to be a normal watermark in both contract and law anyway.

3. Even when phished, you aren't covered. If there is a flaw in the Guidelines, you're not covered. If there is a flaw in the browser, you're not covered (but see "Indemnification" for more confusion).

4. Only if there is an error in the CA's actions are you covered. This could be as egregious as issuing a summer madness discount package of certs for all the Banks in all the Americas to the Russian mobsters... and the CA still may limit liability to $2000!

5. Further, there is no hint anywhere that CAs should take on an expected liability of $2000. This is not an insurance policy by any stretch of the imagination; quite the reverse, as the CA

may seek to limit its liability ... by any means that the CA desires ...

provided that the monetary amount is capped at $2000.

What does this mean in plain words for liability? Knock yourselves out, guys: Use all those old barriers and reduce the expected liability to zero. Just state that the monetary damages upper limit is $2000.

6. For one tiny example, the statement that CAs are not liable if they are compliant with EVG is simply that: a trick to reduce liability. EVG is no contract, it is simply yet another document to wave in front of the judge and make him or her want to clear this horrible case from the calendar.

7. For a further small example, what lawyer will take on a legal case for $2000? US attorneys won't deal, and no expert witness will testify on your behalf on whether the CA made a mistake (yes, you will need expert help, unless you actually understand the Guidelines....). And, um, how many attorneys do the CAs have on call?

8. Bottom line is that EVG has practically knocked out all possibility of an individual case. This doesn't exclude for example class-action cases ... but if that's the case, it should just say that, if there was any interest in serving users. It doesn't, and there isn't.

To summarise. There are some benefits on behalf of the user here. It is useful for users and courts to at least know that with EV certs, there is the admission of potential liability. And with pre-EV certs, there is no admission of any useful liability at all; nix liability, zero, zip, nada, m'lord. It can then be up to a court to determine just how viable these disclaimers and limits are.

It's also beneficial to put the above numbers in perspective. Try this free test: go to your favourite computer store, pick up any soho-grade UPS like an APC or a Belkin, and read the blurb on the box.

(You don't need to buy to read...)

An uninterruptible power supply (in the US at least) carries a guarantee or warranty that claims that it will pay you for damages incurred if it fails to protect your PC. The limits are something like $50,000 for a $50 unit and $100,000 for a $100 unit. ('scuse flaky memory here ...)

Serious surge protection is needed about as frequently as lightning strikes hit your block. UPS manufacturers are prepared to cover you for the surges that fry your whole office, but EV issuers won't cover more than your laptop, and on past actuarial bases, they're only paying out if you are unfortunate enough to be struck twice.

If EV and the authors get away with this tailoring of our Emperor's new suit, then these benefits are so limited, so measly, so out of tune with validated threats of the real world (phishing, etc) that no user, no subscriber, and no software vendor would be thinking rationally to pay for these "benefits."

The only business case here is one of deception; in this case achieved by franchising out the decision of secure browsing to some august body that writes and talks well. A rational analysis, one that could see through the systemic franchise of confusion, would conclude that there are choices that are to the benefit of users.

The first of which is to ignore the whole thing, as it delivers insufficient benefits to users. Whether users are offered a choice in secure browsing or not is certainly an interesting question; to date, the answer is Definitely Not.

[1] For a wider but equally polemic treatment, see PKI Considered Harmful.
[2] Disclosure: I audit a CA, and in that act I have come across these and other problems with liability.

Posted by iang at January 30, 2007 11:18 PM

Why on earth would the CA be held liable if there were a problem in the browser? They are simply issuing credentials. If anything, EV is an improvement over the existing state of the SSL industry, where each CA offers a different degree of vetting ... while browsers show all certs in the same way.

Posted by: Charter77 at January 31, 2007 09:15 AM

Whilst trying to fix the keychain in OSX I discovered there is a Certificate Assistant built into it for managing certs.

It also happens to let you setup your own CA - I think that is a first for a GUI.

Posted by: f at January 31, 2007 09:45 AM
> Why on earth would the CA be held liable if there were a problem in the browser? They are simply issuing credentials.

Looks like our friend 'f' above wants to simply issue credentials, so no problem at all?

Of course, the issue turns around whether the browsers accept the EV certs. If the browser incurs the liability, why would they accept them? If the CA accepts the liability, that might be a good deal for the browsers.

The devil is in the details between those extremes. If the CA tries to hide/obfuscate/minimise the liability, who gets it? In the old deal it was the users, who were sold on "safe browsing" and "trust" but in fact ... were just simply issued credentials, as you say.

How does EV improve on that old story? They ain't simply credentials, if the 70 page guidelines mean anything.

Posted by: Iang at February 1, 2007 06:10 PM