Policy-Discussion

[Ian G <iang AT systemics.com>]

Sven Anderson wrote:
> Hi all,
>
> Iang, 10.07.2006 16:16:
> > But for Grandma, she says (or her attorney says) "oh,
> > well, we don't recognise the CPS, we want *unlimited*
> > damages.  And, we rely on your public policy and
> > your statements as a reliable offerer of services..."
>
> Where did they read the "public policy" and the "statements"? If you put
> the disclaimer at the same place (one document), they cannot say, they
> read one thing but not the other.


Right, that's why we are going through this exercise.

Grandma picks up the "public policy" concept from
some place, makes a mistake, then sues.  Her lawyers
are then tasked to create and show that there was a
public policy concept in place, or that at best it
was confusing.

So, when our "message" is agreed upon -- that which
CAcert wishes grandma to hear -- then it has to be
put through all the documents and introduced into
training, contracts etc.

Because it needs to be so pervasive, and because we
really only have a small window to get through to
grandma (if we ever do), there is lots of incentive
to make the message as simple as possible.  Avoid
any rules, exceptions, choices, if possible.

In the absence of that, the lawyers will cherry pick
the best stuff to make *their* case.  They'll get
the "public policy" from this mail list for example.
They'll seize on statements like "grandma has to be
covered..." and "unless we promise users can rely
on us there is no point to running a CA!"

The lawyers then attempt to show how this was the
implied offering that grandma relied upon.  (This
is all routine stuff in court...)

Does that make sense?  A simple message, flooded
through all docs, etc, so as to wipe out any implied
message.

Right now, we could argue that there is an implied
offering of some sort ... based on the perception
of people in the CA ... which I don't dare write
down because that might make matters worse :)

> My opinion is BTW, that we should try to distribute the liabilities and
> risks to the personal liability of the assurers as much as possible, as
> this corresponds to the whole concept of the project. CAcert shouldn't
> appear as a provider of authentication, but only as a provider of a
> framework, which the assurers can use. CAcert and it's board should only
> be responsible for protecting the private keys of the root certs. Then
> grandma can only rely on the WOT, not on CAcert. And the WOT is nothing
> concrete, she has to track down the bad guys.

OK, that's a good perspective.  From that point
of view, perhaps:

  * CAcert disclaims all liability for itself,
    claiming it is a framework, not the authenticator

  * Assurers accept some liability

  * CAcert might facilitate the collection of
    that liability as part of the framework,
    but only as a feature.


OK.  I think I do agree that Assurers having some
liability is a good idea.  I worry about unlimited
liability though.


> Although I agree, that it is good to limit the assurers liability, to
> protect them against ridiculous claims. 1000$ is the right magnitude, I guess.
>
> That's my view.


So for internal disputes, people sign onto the
CPS, and the limit of liability sticks.

Then, for external disputes (grandma, criminal)
who picks up the liability after $1000?

Is this CAcert?  Is this a defence fund?  Is
this a general call to all members?  Do all
the Assurers contribute $50 to a pot?  fund
raising at events?

iang