.> I would argue that the PCA policy statement accept no liability except
.> regarding performance of the policy. The policy should then be as
.> limited or expansive as the PCA wishes. As stated earlier, I cannot
.> imagine the PCA accepting any liability for subjects.
.Why in the world would anybody use a PCA which accepted no liability for
.its actions?
.If I am going to pay money to a PCA I expect something in return!
.- - -
.Does anybody know what liability a notary accepts now by sealing a
.document?
.How about you, Mike Baum, I know you're lurking out there somewhere.
.- - -
.Tom Jones - ViaCrypt div. of Lemcom Sys
.dockmaster.ncsc.mil
Tom,
Note that my statement does not say that the PCA would accept no
liability, just that it couldn't reasonably be expected to accept
liability for events beyond its control. Certainly a PCA would
be expected to avoid liability for the actions of subjects holding
certificates issued by CAs under that PCA!
The question is not whether you would subscribe to a PCA
(as a candidate CA) but whether the PCA will accept you!
If I were a PCA I would try to write a policy which would
place as much of the burden of proof of performance on my
subscribing CAs as possible. I would certainly explicitly
reject liability for any action of the CA or its subjects.
To borrow your notary analogy ... the PCA is more like the
issuer of the notary seal, the CA is like the notary. When
was the last time you remember an issuer of notary seals being
held responsible for the activity of a notary? Isn't it rather
for the notary to "prove" compliance with the issuer's requirements?
I don't remember any requirement to pay a PCA for services ...
The PCA issues a policy, and certificates to CAs who agree to
implement that policy. It is not clear that the PCA must adhere
to the policy that its CAs must adhere to.
I can imagine that a PCA might have a policy which requires CAs to
employ one set of identification procedures which the PCA itself does
not use!
John