home :: security

Mon, 20 Aug 2007

Not even worth the electrons

Whilst checking one of my various mailserver logs, a site presented a certificate signed by VeriSign. It has an embedded URL, so I though I should check out what it said

It turned out to be a link to Versign's Relying Party Agreement. In it, it disclaims various liabilities related to Verisign primary function (authenticating identity and certifying trust) but also put monetary damages against things if they fail to do a good job.

Section 11.3 and 11.4 set out the damages. To wit (emphasis mine):

11.3 VERISIGN'S TOTAL LIABILITY FOR ALL DAMAGES SUSTAINED BY ALL RELYING PARTIES CONCERNING A SPECIFIC CERTIFICATE (OTHER THAN AN EXTENDED VALIDATION CERTIFICATE) SHALL BE DETERMINED ACCORDING TO THE CLASS OF THE CERTIFICATE RELIED UPON AND LIMITED, IN THE AGGREGATE, TO THE AMOUNT SET FORTH BELOW.

Class Liability Cap

Class 1 One Hundred U.S. Dollars (US $100.00) (or the local currency equivalent thereof)

Class 2 Five Thousand U.S. Dollars (US $5,000.00) (or the local currency equivalent thereof)

Class 3 One Hundred Thousand U.S. Dollars (US $100,000.00) (or the local currency equivalent thereof)

THE LIABILITY LIMITATIONS PROVIDED IN THIS SUBSECTION 11.3 SHALL BE THE SAME REGARDLESS OF THE NUMBER OF DIGITAL SIGNATURES, TRANSACTIONS, OR CLAIMS RELATED TO SUCH CERTIFICATE.

11.4 THIS SUBSECTION 11.4 APPLIES TO VERISIGN SSL CERTIFICATES WITH EXTENDED VALIDATION ONLY: IF VERISIGN FAILED TO ISSUE THE EXTENDED VALIDATION CERTIFICATE IN COMPLETE COMPLIANCE WITH THE EXTENDED VALIDATION GUIDELINES, THEN VERISIGN’S LIABILITY FOR LEGALLY RECOGNIZED AND PROVEN CLAIMS SHALL BE LIMITED TO USD$2000 PER RELYING PARTY PER CERTIFICATE.

Class	Liability Cap
Class 1	One Hundred U.S. Dollars (*US $100.00*) (or the local currency equivalent thereof)
Class 2	Five Thousand U.S. Dollars (*US $5,000.00*) (or the local currency equivalent thereof)
Class 3	One Hundred Thousand U.S. Dollars (*US $100,000.00*) (or the local currency equivalent thereof)

So, basically, an Extended Validation certificate is not even worth the electrons.

[ / security] Trackbacks (0) Comments (0) permanent link permanent link

About

ॐ (aum) - what was, what is and what will be, wildfire's musing

Anand Kumria
wildfire@progsoc.org

Calendar

Topics

beauty - 1
blogging - 3
books - 1
debian - 6
freedom - 2
general - 2
hardware - 3
dell - 2
disks - 1
helsinki - 1
security - 1
software - 16
blosxom - 2
moblog - 1
vcs - 2
zeroconf - 1
sydney - 5
travel - 1
work - 2
awayphone - 1
general - 1

Subscribe to a syndicated feed of my weblog, brought to you by the wonders of Atom.

Music

Blosxom

Rendered in only 0.0931 seconds.

ॐ (aum) - what was, what is and what will be