[6344] in cryptography@c2.net mail archive
Re: PGP on an e-commerce site
daemon@ATHENA.MIT.EDU (Steve Cook)
Fri Jan 7 16:14:59 2000
Message-Id: <3.0.3.32.20000107105711.035083f8@odin.c2.net>
Date: Fri, 07 Jan 2000 10:57:11 -0800
To: "William H. Geiger III" <whgiii@openpgp.net>, bram <bram@gawth.com>
From: Steve Cook <steve@c2.net>
Cc: Dave Del Torto <ddt@lsd.com>, cryptography@c2.net,
PGP Users <pgp-users@joshua.rivertown.net>
In-Reply-To: <200001070004.TAA01917@domains.invweb.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

The party that might have a claim against the CA, however, would be the
site that was spoofed by an interloper using a bogus certificate improperly
issued by the CA. I'm not a lawyer, but off the top of my head I can think
of several claims the compromised site could make, including perhaps
trademark infringement, interference with contract, negligence, conspiracy...

Actually, from that perspective, I don't see why an individual who relied
on representations of trustworthiness made by a CA and was adversely
affected by the negligent actions of that CA would not have a claim,
either. Depending on the scale, it might even get picked up by the Federal
Trade Commission and/or filed as a class action.

At 11:46 PM 1/3/00 -0600, William H. Geiger III wrote:
>Well I seriously have my doubts on the liability of any CA as to the
>accuracy of their assertions of identity. If you go to a website that has
>a VeriSign cert, and the identity info in the cert is wrong, there is no
>contractual obligation between VeriSign and yourself. It would be
>different if you were paying VeriSign to provide you with certified
>identities of 3rd parties but last I looked this is not the business model
>that they are using (nor is any other CA).