
Steven Roosa – The Devil is in the Indemnity Agreements: A Critique of the Certificate Authority Trust Model’s Putative Legal Foundation

Thursday, December 9, 2010
12:30 pm


Sherrerd Hall, 3rd floor open space
Princeton, NJ 08544 United States

Food and discussion begins at 12:30 pm. Everyone invited.

Download the slides (PDF)

The major web browsers rely on the “CA Trust Model” to authenticate the identity of the owners/operators of websites to end-users. Browsers perform this authentication using digital certificates issued by third-party “certificate authorities” or “CAs.” The CAs, for their part, issue digital certificates to browsers as well as to websites. Browsers then use these CA-issued certificates to verify a website’s identity when a website offers a secure connection to an end-user. As a practical matter, the CA Trust Model plays a hugely important role in enabling commercial transactions and a wide assortment of other private communications over the Internet. The purpose of the Model is to allow end-users to have a high level of confidence in the identity of the party with whom they are communicating. Given the importance of the CA Trust Model to commerce and security, one would expect the legal relationships between CAs, websites, and end-users to be well-defined. But is that, in fact, the case? This presentation will seek to answer that question by briefly (and painlessly) analyzing key provisions in the standard CA-issued legal documents to determine whether those provisions are likely to be enforceable and, if so, assessing their potential impact on end-users, website operators, and the CAs. The presentation will also explore the legal relationship between the parties to the CA Trust Model in the absence of enforceable documents issued by the CA.
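To make the mechanism in the abstract concrete, here is an added Go example (not part of the talk or of any CA's software) that plays both sides of the CA Trust Model: a CA signs a server certificate, and a browser-style verifier accepts it only if it chains to a CA in its root store and names the host being visited. The CA names, the hostnames and the keys are constructed for the example; the standard library's crypto/x509 does the actual issuing and chain validation. The run shows that the end-user's trust decision rests entirely on which CAs the browser ships, which is exactly the relationship whose legal footing the talk questions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign builds a DER certificate from template, signed by parent with parentKey, and parses it back.
func sign(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed CA certificate (hypothetical CA name, fresh key each run).
func NewCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// NewServerCert is the CA-to-website side: the CA issues a server certificate for host.
func NewServerCert(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1000),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// BrowserVerify is the end-user side: the certificate is accepted only if it chains to a
// CA in the browser's root store and is valid for the host the user typed in.
func BrowserVerify(server *x509.Certificate, host string, rootStore []*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, r := range rootStore {
		roots.AddCert(r)
	}
	_, err := server.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome records whether the browser accepted the certificate in each constructed scenario.
type Outcome struct {
	TrustedCA   bool // issued by a CA the browser ships: accepted
	UntrustedCA bool // technically identical cert from a CA not in the root store: rejected
	WrongHost   bool // trusted CA, but the cert names a different host: rejected
}

// RunScenario builds two CAs, ships only one of them in the root store, and checks all three cases.
func RunScenario() (Outcome, error) {
	shipped, shippedKey, err := NewCA("Example Shipped Root CA", 1)
	if err != nil {
		return Outcome{}, err
	}
	unlisted, unlistedKey, err := NewCA("Example Unlisted CA", 2)
	if err != nil {
		return Outcome{}, err
	}
	store := []*x509.Certificate{shipped} // the browser's root store: only the shipped CA
	fromShipped, err := NewServerCert("shop.example", shipped, shippedKey)
	if err != nil {
		return Outcome{}, err
	}
	fromUnlisted, err := NewServerCert("shop.example", unlisted, unlistedKey)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		TrustedCA:   BrowserVerify(fromShipped, "shop.example", store) == nil,
		UntrustedCA: BrowserVerify(fromUnlisted, "shop.example", store) == nil,
		WrongHost:   BrowserVerify(fromShipped, "bank.example", store) == nil,
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("shipped CA: %v, unlisted CA: %v, wrong host: %v\n", o.TrustedCA, o.UntrustedCA, o.WrongHost)
}
```

The two server certificates are byte-for-byte the same shape; the only difference the browser can act on is whether the issuing CA sits in the root store. Nothing in the verification step consults any agreement between the end-user and the CA, which is why the talk asks what, if anything, legally binds the parties once the technical check has passed.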


Steve Roosa is a litigator and partner at the global law firm Reed Smith LLP. He is a Visitor at CITP and recently coauthored, with Stephen Schultze, “The Certificate Authority Trust Model for SSL: A Defective Foundation for Encrypted Web Traffic and a Legal Quagmire,” which appeared in the November 2010 volume of the Intellectual Property and Technology Law Journal. Steve was also a section author and chapter editor for the American Bar Association’s new “InfoSec Handbook,” due to be published in the beginning of 2011. His sections in the InfoSec Handbook include one dealing with sources of law for public key infrastructures and another involving problems with the CA Trust Model. Steve is a member of Reed Smith’s Life Sciences and Healthcare Industry Practice Group and also collaborates with the firm’s Data Security Group. He is licensed to practice law in Washington D.C., New York, and New Jersey.
