This is a blast ;-)

I was poking around www.godaddy.com, and I noticed that their SSL Certificates offer a "$1000 Warranty":
https://www.godaddy.com/gdshop/ssl/ssl.asp?ci=418


Obviously, CAs taking liability for issuing certificates would be a great step forward, so I looked to see if I could find out exactly what this warranty entailed. I clicked the link and got the following description:

"Your Secure Certificate Provides Warranty Protection:

Our warranty program provides $1000 of financial protection for your customers if they were to suffer financial loss as a direct result of relying on a certificate that was issued through our negligence."

This sounded really good. However, having checked their legal page, I couldn't find a document which explained in more detail exactly what this warranty was, and under what circumstances they might pay out. So I called to ask...

"Hello, Go Daddy sales, XXXXX speaking."

"Hello. I was looking at your site and noticed that you offer a $1000 warranty on your certificates."

"Sure."

"But I was looking around the website for the legal agreement which shows exactly what that means, but I couldn't find it. Could you tell me where it is?"

"Certainly. Click on the green "Legal" link at the bottom of the page. There's a list of agreements there."

"Yeah, I looked through that list, but I couldn't find a relevant one."

<long pause>

"You're right; we don't seem to have an agreement for that. What exactly was your question about the warranty?"

"Well if, for example, I have www.happycompany.com and a Verisign certificate. Then, a fraudster registers www.happy-company.com, gets a certificate from you and rips off my customers. Is that situation covered? Would you pay out?"

"Well, no. You see, we're not securing you, we're securing the other guy. You have to be registered with us."

"So under what circumstances might you pay out?"

"Well... you are covered if it's through our negligence. So, for example, if the encryption failed for some reason."

"The encryption failed?"

"Yeah."

"But if that happened, then everyone's encryption would fail, the entire Internet would be insecure, and you've got a massive world crisis. Are there any less apocalyptic scenarios where you might pay out?"

"Well, not really, no."

"Have you ever paid out under the warranty program?"

"No. It's really there just to reassure you that it's a true 128-bit certificate, and to make you feel better about purchasing it."

"Say no more. Thanks for your time."

Gerv
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
