[Bug 474549] Review Request: ca-cacert.org - CAcert.org CA root certificates

bugzilla at redhat.com bugzilla at redhat.com
Thu Nov 3 07:34:52 UTC 2011

--- Comment #53 from Matt McCutchen <matt at mattmccutchen.net> 2011-11-03 03:34:48 EDT ---
Phillip and Ian,

Please spare us the self-righteousness and the propaganda.  The topic of this
bug is whether the CAcert root meets Fedora's licensing requirements.

(In reply to comment #46)
> Well actually CAcert does the same thing. If you want to rely on a StartCom or
> Verisign Cert you need to enter into their separate Relying Party Agreement. If
> you want to rely on a CAcert Certificate you have to enter into the CCA
> http://www.cacert.org/policy/CAcertCommunityAgreement.php
> So where is the difference?

Sorry, I wasn't precise enough.  To rely under the CCA, one must register
affirmatively with CAcert (fails the dissident test) and agree to be bound by
arbitration, including potential liability up to 1000 euros; it's unclear
whether a party who does not obtain any certificates from CAcert can be certain
of avoiding this liability.  This is not something to which Fedora should
expose its users.  OTOH, the VeriSign RPA can be entered anonymously and allows
one to rely at one's own risk, provided that one "validates" the certificates,
without accepting any obligations or liabilities aside from a standard
indemnity.  StartCom doesn't purport to restrict reliance, and just makes clear
that it is at one's own risk.

(In reply to comment #51)
> If for example we had a small merchant with PeopleBank.com as a
> job sharing website, and his cert was stolen and used to defraud
> PeoplesBank.com, a big financial institution, then we'd have an issue...

You're saying that even if the CAcert root is distributed with "absolutely no
warranty", someone may be able to use its lack of fitness for a particular
purpose as the basis of a suit against a third party?  I would like to think
that that is not possible, but IANAL and I would want an actual lawyer's
opinion.  If this issue is real, it might affect free software more generally.
