Warranty Certificate Extension draft-ietf-pkix-warranty-extn-01 55th IETF Meeting November 2002


Warranty Certificate Extension

draft-ietf-pkix-warranty-extn-01

55th IETF Meeting

November 2002


Purpose and use

• Warranty certificate extension is non-critical
• Warranty extension explicitly offers immediate evidence of CA warranty, thereby
  – Enhances confidence to encourage use of certificates
  – Automates this aspect of risk management for RP
• Provides information on the warranty provided:
  – Offers either:
    • Base warranty, or
    • Explicit statement that there is no warranty (NULL),
  – Optionally offers extended warranty


Format & Syntax

• ASN.1 id-pe-warrantyData with OID
• Choice: NULL or information on base warranty
• Non-null warranty MUST include base warranty information
• Non-null warranty may include extended warranty
• Warranty period – before/after parameters
• Warranty value – using ISO 4217 currency identifiers
  – amount / (10 ** amtExp10)


Warranty Type

• Aggregated (0): claims are fulfilled until a ceiling value is reached; after that, no further claims are fulfilled.

• Per-transaction (1): a ceiling value is imposed on each claim, but each transaction is considered independently.


Optional qualifiers

• WarrantyData
  – Extended WarrantyInfo OPTIONAL:
  – Extended warranty information, with period, value and type
• WarrantyData
  – tcURL TermsAndConditionsURL OPTIONAL
  – Terms and conditions pointer – to CP or specific T&C about warranty
    • The pointer is always a URL
    • URL MUST be a non-relative URL
    • MUST follow the URL syntax and encoding rules specified in RFC 1738
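How a relying party could turn the fields described on the preceding slides into an automated risk decision, as an added example that is not taken from the draft or the presentation. It works on already-decoded values; the class, field and function names are hypothetical, and the currency match and the `prior_claims` total are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal
from typing import Optional
from urllib.parse import urlsplit

AGGREGATED, PER_TRANSACTION = 0, 1   # warranty type values from the slides

@dataclass
class WarrantyInfo:                  # hypothetical holder for decoded fields
    not_before: datetime             # warranty period, "before/after" parameters
    not_after: datetime
    currency: str                    # ISO 4217 identifier, e.g. "USD"
    amount: int
    amt_exp10: int
    wtype: int

    def ceiling(self) -> Decimal:
        # Warranty value = amount / (10 ** amtExp10), kept exact with Decimal
        return Decimal(self.amount) / (Decimal(10) ** self.amt_exp10)

def tc_url_ok(url: str) -> bool:
    # tcURL MUST be a non-relative URL: require both a scheme and a host
    parts = urlsplit(url)
    return bool(parts.scheme and parts.netloc)

def covered(base: Optional[WarrantyInfo], tx_value: Decimal, currency: str,
            when: datetime, prior_claims: Decimal = Decimal(0)) -> Decimal:
    """Return how much of tx_value the base warranty could cover."""
    if base is None:                 # NULL: explicit statement of no warranty
        return Decimal(0)
    # Assumption of this example: no cover across currencies or outside the period
    if currency != base.currency or not (base.not_before <= when <= base.not_after):
        return Decimal(0)
    if base.wtype == PER_TRANSACTION:    # ceiling applies to each claim alone
        return min(tx_value, base.ceiling())
    # Aggregated: claims are fulfilled until the ceiling is reached, then nothing.
    # prior_claims is an assumed input; the extension itself does not carry it.
    remaining = max(base.ceiling() - prior_claims, Decimal(0))
    return min(tx_value, remaining)

# Constructed sample: USD 10,000.00 per-transaction warranty valid during 2003
SAMPLE = WarrantyInfo(datetime(2003, 1, 1, tzinfo=timezone.utc),
                      datetime(2003, 12, 31, tzinfo=timezone.utc),
                      "USD", 1000000, 2, PER_TRANSACTION)
```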


Benefits

• Relying Party:
  – Evidence of a warranty will give the relying party confidence that compensation is possible
  – Risk may be reduced by the presence of a warranty extension with an explicit warranty stated
  – Risk may be reduced by the presence of a warranty extension with NULL
  – Supports automated risk decisions
  – Explicit warranty if harmed by incorrect certificate:
    • Specified maximum
    • Specified validity period
• Subscriber:
  – Potential for greater acceptance of certificate
• CA:
  – Potential to increase certificate acceptance in ecommerce-related applications


Issues

• Should the extension be called a “disclaimer of liability” instead of a “warranty”, since the CA is providing warranty only up to a certain point, above which it does not offer a warranty?
  – Is this a disclaimer of liability? (half-full vs. half-empty)

• Should tcURL be mandatory? If absent in the extension, then this could imply trust in the CA: the RP trusts the CA and then may not need a warranty. If the RP does not trust the CA, then the RP needs to know the T&C, and therefore tcURL must be present. OTOH, if tcURL is optional, then trust in the extension itself is implied.
  – This may be sufficient for the RP, or the RP may go to the T&C.


Path forward

• Revise -01 and issue -02, addressing comments received
  – E.g., clarify text re warranty vs. liability
• Issues arising to be resolved via pkix list