[Bug 474549] Review Request: ca-cacert.org - CAcert.org CA root certificates

bugzilla at redhat.com bugzilla at redhat.com
Wed Nov 2 08:45:19 UTC 2011


Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=474549

--- Comment #44 from Matt McCutchen <matt at mattmccutchen.net> 2011-11-02 04:45:14 EDT ---
(In reply to comment #41)
> However
> we cannot disclaim the liability of a member to a user for communications that
> take place between the member and the user directly.

What would be an example of a suit against a member that you would want to
prevent?

> The only recourse is that we state "If you are not bound by the CCA you may not
> rely (as defined) upon anything CAcert says with its certificates" Because this
> then eliminates any reliance in statements made via CAcert certificates between
> the member and the user.

And as long as you insist on doing this, the root is non-free.

> So is this a "use restriction"? Absolutely. You may not use CAcert certificates
> as a base for your decision making.

But that is precisely what availability of the root in Fedora would invite
users to do.  This is the kind of legal trap that Red Hat has rightly stood
firm against.

> Because of the specific environment CAcert operates in and the specific needs
> of an open community in this space, our policies and licenses have to diverge
> from the standard OSS licenses, since they are tailored to different needs. So
> long as this is ignored no progress on this issue will be reachable.

Yep.  I don't see why Fedora should be any more willing to make an exception
for CAcert than for other projects that do not meet its licensing requirements
due to competing interests.

(In reply to comment #42)
> Imagine we get sued for
> some bank class action fraud…

You have disclaimed liability.  What is the problem?

> As you see in the CAcert RDL, we use the statement "you may not RELY" in order
> to make sure that you, as a non-member of CAcert, don't actually assume you can
> sue us if something goes wrong.

Non-members would be wrong to make that assumption anyway, because you have
disclaimed liability.

> However, what you do have as a visitor to some cert at a user level is a
> permission to USE.  This is really what is desired and is useful, because in
> the practical world of Internet and communications, we don't typically sue each
> other.

No, you are conflating relying with suing.  In the practical world, I choose to
rely (= make decisions based on certificates) all the time via the tool of my
browser, even though I know I cannot sue.

(In reply to comment #43)
> All CAs typically do not give
> permission to rely, unless you enter into a Relying Party Agreement.  (Google
> knows...)

Wrong.  StartCom allows unrelated parties to rely at their own risk
(http://www.startssl.com/policy.pdf, "Legal and Limitations").  VeriSign allows
unrelated parties the same provided that they "validate" the certificates,
whatever that means (http://www.verisign.com/repository/rpa.html).

> In summary, in order to say that CAcert's licence is bad (non-free is the term
> used above) we have to also say that all the other licences of all the other
> CAs are better (freer?).  Has that been done?

I hereby say it.  It's likely that some of the other root certificate licenses
strictly speaking do not meet Fedora's requirements, but CAcert's use
restriction is by far the most blatant.
