On Mon, Jun 5, 2017 at 9:16 AM, Ryan Sleevi via dev-security-policy <[email protected]> wrote:

> On Mon, Jun 5, 2017 at 11:52 AM, Matthew Hardeman via dev-security-policy <
> [email protected]> wrote:
>>
>> Has there ever been an effort by the root programs to directly assess
>> monetary penalties to the CAs -- never for inclusion -- but rather as part
>> of a remediation program?
>
> The extent upon which there can be meaningful discussion about this is
> going to be understandably significantly limited, for non-technical reasons.
>
> I can simply point you to the existing precedent and discussions around
> such proposals:
>
> 2) Examine the CA/Browser Forum's multiple discussions around CA liability
> in the context of EV, with Browsers uniformly voting against imposing
> additional liability due to the fact that no liability claim for
> misissuance has ever been successfully claimed, and thus it merely
> represents an artificial barrier to market entry that predominantly Western
> CAs use to exclude those in other jurisdictions
It is also worth noting that many CAs are fairly small companies. Many CAs are privately held or small portions of much larger companies, so estimating their sizes can be hard. However, there are a few data points:

Buypass posts total revenue (https://www.buypass.no/om-buypass/selskapet/n%C3%B8kkeltall): they reported revenue of 192 million Norwegian kroner in 2015; using today's exchange rate, this is about $23 million US dollars.

WISeKey reported QuoVadis (whom they acquired) had revenue of $18 million US dollars in 2016 (https://www.wisekey.com/press/wisekey-completes-acquisition-of-cybersecurity-company-quovadis-and-becomes-an-pki-internet-of-things-security-industry-leader/)

There are almost surely EV CAs that do even less revenue per year. Therefore, what is small to one company may be huge to another.

Thanks,
Peter

