Frank Hecker wrote re insurance related to certs:
However I think in practice this approach might be problematic, for a variety of reasons. First, CAs have far fewer economic incentives to care about relying parties (who aren't actually their customers) than they do about subscribers (who are the ones paying them). Second, even assuming that the cost of getting sued by relying parties is such an economic incentive, it's quite possible that lawyers for CAs would easily be able to blunt the impact of such suits, e.g., by pointing to contributory negligence on the part of the relying party and/or escape hatches for the CA. ("You didn't view the certificate details and look at the certificate policy governing the certificate?" "You didn't read the relying party agreement, particularly the limitation of liability section?" And so on.)

One very quick comment: The point I was trying to make here is that I think it's unlikely that relying parties who got phished would actually be able to recover damages from CAs, which causes problems for a market-based approach involving insurance. Similar reasons to those holding back Bruce Schneier's idea of improving the security of software via holding software vendors liable (with insurers then prodding vendors to clean up their act) -- the s/w vendors today have little or no (legal) reason to care, and no one in a position to do so (e.g., government) is forcing them to care.


Till later,

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security