Risk based security decisions and CX
I had a two-hour talk with Andrew Nash on Friday afternoon about the security of assertion-based technologies. It was a very productive meeting and reminded me of several things.
One of the main ones is the separation of the responsibility and liability properties.
From the business perspective, the security decision is always made on a cost-benefit basis. Thus, it is important to know what the liability of a given transaction would be, i.e., the financial and other obligations associated with each transaction. Usually, these are written into a normal contract in two separate sections: the main deal, and the liability associated with it for a rainy day, i.e., what each party has to pay if it cannot fulfil its obligations.
CX has the following items in its standard message:
1. Identifiers of the Parties
2. The main deal
3. Remedy and Liability
4. Period, Renewal, and Termination
7. Signatures of the Parties
However, I have not specified that the Liability section should carry an explicit dollar amount in a structured way. (Well, it used to, but it was removed after the Specs Council pointed out that he did not like it.) The discussion with Andrew reminded me of its importance: the cost-benefit portion of a security decision matters so much that it would probably be beneficial to specify the amount in the core message itself. This needs more exploration.
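As an added illustration (this is not the CX message format and not the author's code; every field name, party identifier and figure below is constructed), here is one way a structured liability amount would feed a relying party's cost-benefit decision. The liability cap bounds how much of the deal value is actually at risk, so the same deal with a weak remedy fails the check that a well-capped one passes:

```python
from dataclasses import dataclass, replace
from decimal import Decimal


@dataclass(frozen=True)
class Liability:
    """Hypothetical structured 'Remedy and Liability' section."""
    cap: Decimal        # maximum amount the breaching party must pay
    currency: str


@dataclass(frozen=True)
class Contract:
    """Hypothetical structured contract message (not the CX wire format)."""
    parties: tuple             # identifiers of the parties
    deal: str                  # the main deal
    deal_value: Decimal        # what the relying party loses if the deal fails
    expected_benefit: Decimal  # what it gains if the deal is fulfilled
    liability: Liability
    period_days: int           # period; renewal and termination omitted here
    signatures: dict           # party id -> signature value (constructed)


def validate(c: Contract) -> list:
    """Structural checks a relying party runs before pricing the risk."""
    problems = []
    if len(set(c.parties)) != 2:
        problems.append("two distinct parties required")
    missing = [p for p in c.parties if p not in c.signatures]
    if missing:
        problems.append("unsigned by: " + ", ".join(missing))
    if c.liability.cap <= 0:
        problems.append("liability cap must be an explicit positive amount")
    if not c.liability.currency:
        problems.append("liability currency missing")
    if c.period_days <= 0:
        problems.append("period must be positive")
    return problems


def residual_expected_loss(c: Contract, breach_probability) -> Decimal:
    """Expected loss after the remedy: the cap covers the first `cap` units
    of loss, so only the uncovered remainder of the deal value is at risk."""
    p = Decimal(str(breach_probability))
    uncovered = max(c.deal_value - c.liability.cap, Decimal(0))
    return p * uncovered


def decide(c: Contract, breach_probability):
    """Cost-benefit rule: proceed only if the message is structurally valid
    and the expected benefit exceeds the residual expected loss.
    Returns (accept, residual_loss); residual_loss is None when invalid."""
    if validate(c):
        return False, None
    loss = residual_expected_loss(c, breach_probability)
    return c.expected_benefit > loss, loss


# Constructed sample: a deal worth 100,000 backed by an 80,000 liability cap.
SAMPLE_CONTRACT = Contract(
    parties=("party-a", "party-b"),
    deal="supply of identity assertions for one year",
    deal_value=Decimal("100000"),
    expected_benefit=Decimal("2500"),
    liability=Liability(cap=Decimal("80000"), currency="USD"),
    period_days=365,
    signatures={"party-a": "sig-a-placeholder", "party-b": "sig-b-placeholder"},
)
# Same deal, but the remedy only covers 10,000 of the exposure.
WEAK_CONTRACT = replace(
    SAMPLE_CONTRACT, liability=Liability(cap=Decimal("10000"), currency="USD")
)
# Same deal, missing one party's signature.
UNSIGNED_CONTRACT = replace(
    SAMPLE_CONTRACT, signatures={"party-a": "sig-a-placeholder"}
)

if __name__ == "__main__":
    for name, c in [("sample", SAMPLE_CONTRACT), ("weak", WEAK_CONTRACT),
                    ("unsigned", UNSIGNED_CONTRACT)]:
        print(name, validate(c), decide(c, "0.05"))
```

With a 5% assumed breach probability the capped deal leaves 20,000 uncovered (expected loss 1,000 against a 2,500 benefit) and is accepted, while the weakly remedied one leaves 90,000 uncovered (expected loss 4,500) and is refused; without the amount being present in the message as a structured field, neither number could be computed automatically.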