[ludbb]

I can't wait to see how this industry will change after LE is fully running -- this is amazing. Are there any stats about the different cert types, specially about their deployment count and usage over time?

One thing I don't understand about the guarantees given by CAs is the one about the warranty, like the "$1,750,000 Warranty" from Comodo. How exactly can they provide that? Or is that some sort of MUST have if you want to partner with an insurance company?

[vtlynch]

What types of stats are you looking for? "Different types" meaning different CAs?

The warranty is odd. Its required to provide a warranty in certain situations by the CA/B Forum (industry standards body). This is partially because some countries laws require they be provided for the class of products/services that SSL falls under, so requiring it from everyone sort of levels the playing field.

But the large CAs (Symantec, Comodo, etc) are big fans regardless. They can advertise this preposterous "warranty" which protects you, and usually the customer does not ask too much about it and just likes the sound of it or assumes it will cover them if they are hacked (which is not what its for). It actually just covers some very small situations where the CA mis-issues your certificate.

Some lawyers and experts at TrendMicro and Firefox found that due to how the terms are written there is basically no way the end-user would ever actually see that money. Those insurance warranties have never been used.

[ludbb]

About the stats: by "specially about their deployment count and usage over time" I meant the number of certs deployed by cert type (DV, OV, EV) and how has their usage progressed over time? If the second part is not clear, let's say that 5 years ago EV certs represented 2% among issued certs, and today it represents 1.4% -- I'm looking for historic data about this.

Thanks about the warranty clarification, so it only protects you if the /CA/ does something bad to you? In that case wouldn't it possible to sue the entity for, possibly, an even larger sum?

[vtlynch]

Stats like that may be available but I can not think of anything at the moment. I will look into that and let you know.

>Thanks about the warranty clarification, so it only protects you if the /CA/ does something bad to you? In that case wouldn't it possible to sue the entity for, possibly, an even larger sum?

Yes, I believe the damage has to be due to the CAs behaviors. The two major situations I can think of that would qualify would be:

1. The CA issues a certificate for your domain/company to someone who was not authorized. However I would think that cert would then have to be used in an actual attack so you could quantify your damages.

2. The CA is breached in some way that allowed your certificate to be compromised or allowed an attacker to create a fraudulent certificate for your domain/company.

That is a very good question about suing the CA for other damages. I am not aware if this has ever occurred but it certainly seems like it could.

[1123581321]

In my experience, cert authority warranty is not factored into the premium by your business errors & omissions insurer. It's not necessary.