
that the documented policies and procedures for identification and authentication relevant to the CA were not followed.

—A CA has limited liability for not revoking certificates according to its revocation policy.

—A CA has limited liability for revoking a certificate for a reason not specified in its revocation policy.

—A CA has limited liability if, despite its having followed published policies and procedures, a certificate in the database is modified or deleted.

• Liability Policy. The extent of liability in the above situations is conceivably a part of the policy under which a CA or key-generation facility operates. The policy must distinguish between direct liability on the one hand and indirect and consequential damages on the other.

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.