Policy-Discussion

[Bernhard Froehlich <ted AT convey.de>]

Ian G wrote:
> Sven Anderson wrote:
> > Hi all,
> >
> > Iang, 10.07.2006 16:16:
> > > But for Grandma, she says (or her attorney says) "oh,
> > > well, we don't recognise the CPS, we want *unlimited*
> > > damages.  And, we rely on your public policy and
> > > your statements as a reliable offerer of services..."
> >
> > Where did they read the "public policy" and the "statements"? If you put
> > the disclaimer at the same place (one document), they cannot say, they
> > read one thing but not the other.
>
>
> Right, that's why we are going through this exercise.
>
> Grandma picks up the "public policy" concept from
> some place, makes a mistake, then sues.  Her lawyers
> are then tasked to create and show that there was a
> public policy concept in place, or that at best it
> was confusing.
>
> So, when our "message" is agreed upon -- that which
> CAcert wishes grandma to hear -- then it has to be
> put through all the documents and introduced into
> training, contracts etc.
>
> Because it needs to be so pervasive, and because we
> really only have a small window to get through to
> grandma (if we ever do), there is lots of incentive
> to make the message as simple as possible.  Avoid
> any rules, exceptions, choices, if possible.
>
> In the absence of that, the lawyers will cherry pick
> the best stuff to make *their* case.  They'll get
> the "public policy" from this mail list for example.
> They'll seize on statements like "grandma has to be
> covered..." and "unless we promise users can rely
> on us there is no point to running a CA!"
>
> The lawyers then attempt to show how this was the
> implied offering that grandma relied upon.  (This
> is all routine stuff in court...)
>
> Does that make sense?  A simple message, flooded
> through all docs, etc, so as to wipe out any implied
> message.
>
> Right now, we could argue that there is an implied
> offering of some sort ... based on the perception
> of people in the CA ... which I don't dare write
> down because that might make matters worse :)
Thinking of a simple message, how about this:

A certificate of CAcert is only given to someone who can prove his or 
her personal attributes (like name or email address) correspond to those 
listed in the certificate. CAcert disclaims all liability on the use of 
the certificate for any other purpose. In case a certificate is issued 
in error CACert limits liability for damages done by one person (or 
certificate, account, assurance?) to $x.000

This still is not as simple as I'd like to have it. And in contrary to 
other parts of the replied mail it would assume that CAcert first covers 
liability, possibly to forward it to the assurer. I have given up 
formulating a simple message (understandable by grandma) for the 
framework model.

Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature