[Bug 474549] Review Request: ca-cacert.org - CAcert.org CA root certificates

bugzilla at redhat.com bugzilla at redhat.com
Wed Feb 2 20:56:27 UTC 2011




https://bugzilla.redhat.com/show_bug.cgi?id=474549

Rod Montgomery <rod at thecomplex.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rod at thecomplex.com

--- Comment #36 from Rod Montgomery <rod at thecomplex.com> 2011-02-02 15:56:21 EST ---
After reviewing the CACert policy discussion archive, I offer the following
summary and a suggestion to reconsider the interpretation of RDL.

CACert seeks to avoid the potential liability of an end user relying on a
CACert certificate without being bound by the CCA (CACert Community Agreement),
which is a precondition of membership.

Sascha Thomas Spreitzer proposed that CACert use a more widely-known license,
CC-BY-ND, to distribute the root certificates.
https://lists.cacert.org/wws/arc/cacert-policy/2010-06/msg00151.html This
license does not specifically mention reliance. For this and other reasons, the
policy discussion did not find consensus to adopt CC-BY-ND.

CACert resolved to use the Root Distribution License (RDL), as mentioned in
Comment 21, and further discussion of CC-BY-ND and 3pv-DaL ceased.
https://wiki.cacert.org/PolicyDecisions#p20100710

RedHat Legal interpreted the RDL to have a use restriction which blocks this
bug.

Without some reconsideration, it appears that Fedora and CACert have created an
impasse. May I suggest that RedHat Legal reconsider the interpretation on the
grounds that:

a) the RDL language "specifically does not permit" is not the same as
"prohibits." CACert disclaims express or implied warranties, and specifically
withholds permission to rely (take on risk or liability).

b) all software under GPL carries the same restriction, "No warranty... the
entire risk as to the quality and performance of the program is with you [the
user]." It seems consistent to say, from another perspective, that relying on
the quality or performance of the program is specifically not permitted by the
GPL. The RDL language is a restatement of warranty disclaimer for clarity and
emphasis; it is not an incremental restriction.

In either reading, the user is free to assume risk or liability absent the
permission of CACert. CACert is not held liable for the use of the certificates
distributed under the RDL.
