CFP: PKI research workshop

John S. Denker jsd at research.att.com
Mon Jan 14 12:09:20 EST 2002


pasward at big.uwaterloo.ca wrote: 
>...
> People running around in business selling
> products and services and then disclaiming any liability with regard
> to their performance _for_their_intended_task_ is, IMHO, wrong.

IMHO this presents an unsophisticated notion of 
"right versus wrong".

By way of analogy:  Suppose you go skiing in Utah.
A rut left by a previous skier causes you to fall
and break your leg, or worse.  Now everybody involved
has been using the ski area _in_the_intended_manner_
yet something bad happened.  So who is liable? The 
ski area could have groomed that trail, but they 
didn't.  They could have enforced a speed limit, but
they didn't.  They could at least have bought insurance
to cover you, but they didn't.  They simply disclaimed
all liability for your injury.  Not only is this 
disclaimer a matter of contract (a condition of sale
of the lift ticket) it is codified in Utah state law.
Other states are similar.  If you don't like it, don't
ski.

Returning to PKI in particular and software defects in 
particular:  Let's not make this a Right-versus-Wrong
issue.  There are intricate and subtle issues here.
Most of these issues are negotiable.

In particular, you can presumably get somebody to insure
your whole operation, for a price.  In the grand scheme
of things, it doesn't matter very much whether you (the
PKI buyer/user) obtain the insurance directly, or whether
the other party (the PKI maker/vendor) obtains the insurance
and passes the cost on to you.  The insurer doesn't much
care; the risk is about the same either way.

The fact is that today most people choose to self-insure
for PKI defects.  If you don't like it, you have many 
options:
 -- Call up some PKI vendor(s) and negotiate for better
warranty terms.  Let us know what this does to the price.
 -- Call up http://www.napslo.org/ or some such and get
your own insurance.  Let us know the price.
 -- Write your own PKI.  Then defray costs, if desired, 
by becoming a vendor.
 -- Et cetera.

In general, there is a vast gray area between "Right"
and "Wrong".  Most things in my life can be described
as not perfect, but way better than nothing.



---------------------------------------------------------------------
The Cryptography Mailing List