[Bug 474549] Review Request: ca-cacert.org - CAcert.org CA root certificates

bugzilla at redhat.com bugzilla at redhat.com
Wed Nov 2 09:43:44 UTC 2011




https://bugzilla.redhat.com/show_bug.cgi?id=474549

--- Comment #51 from Iang <iang at iang.org> 2011-11-02 05:43:41 EDT ---
Matt writes in comment #44:
> > Imagine we get sued for
> > some bank class action fraud…
> 
> You have disclaimed liability.  What is the problem?

Liabilities are not set in contract, but in court.  The judge looks at the
whole case, and determines the wrong & right of it all.  This holistic view
requires us also to look holistically, and do what we can to make things right.

In our view, a boilerplate disclaimer is not sufficient.  The primary reason
for this is that the user-public falsely believes - and vendors and CAs
continue to perpetuate by absence of clarity - that users have a universal
right to rely.  As is evidenced above, this is far from reality.

So we have gone further to create a more clear arrangement, and we have added
an explicit USE permission in the void for those who haven't agreed to the CCA
(our RPA).  In this we are explicitly speaking both to our users and to the
judge in a future case.  Clarity for both, which makes it a bit unusual.

> What would be an example of a suit against a member that you would want to
> prevent?

The big ones are if a financial institution is defrauded by many users, using a
manipulated cert in some sense.  E.g., a successful phishing operation pulls in
maybe 100k.  If for example we had a small merchant with PeopleBank.com as a
job sharing website, and his cert was stolen and used to defraud
PeoplesBank.com, a big financial institution, then we'd have an issue...

As has been seen from the DigiNotar case (finally) a cert delivered by one CA
can be used to defraud another CA's customers.  So this means our CA could be
used to breach Bank of America, or the Whitehouse, or whoever.  The smallest CA
could be used to breach the biggest customer...
