[Bug 474549] Review Request: ca-cacert.org - CAcert.org CA root certificates

bugzilla at redhat.com bugzilla at redhat.com
Thu Nov 3 11:28:14 UTC 2011


Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=474549

--- Comment #54 from Iang <iang at iang.org> 2011-11-03 07:28:06 EDT ---
Matt, comment #53

> (In reply to comment #51)
> > If for example we had a small merchant with PeopleBank.com as a
> > job sharing website, and his cert was stolen and used to defraud
> > PeoplesBank.com, a big financial institution, then we'd have an issue...
> 
> You're saying that even if the CAcert root is distributed with "absolutely no
> warranty", someone may be able to use its lack of fitness for a particular
> purpose as the basis of a suit against a third party?

Yes, that's what I'm saying, more or less.  Obviously, there are many different
methods of legally attacking any CA's contract, and it's beyond the scope of this
forum to examine what they would be.  And this applies to all CAs, not just
CAcert.

> I would like to think
> that that is not possible, but IANAL and I would want an actual lawyer's
> opinion.


Steve Schultze and Steve Roosa for example recently published a paper on this,
but the tradition is long standing.

https://freedom-to-tinker.com/blog/sroosa/flawed-legal-architecture-certificate-authority-trust-model

Quote, for others skimming through:

    "Given the absence of notice to the end-user and assent by the end-user, it
would appear that many CAs would have a difficult time holding an end-user to
the terms of the relying party agreements or certification practice statements.
To date, the CA Trust Model's legal architecture has apparently not been the
subject of any published court decision and remains untested.

     The bottom line is that the CA Trust Model's legal architecture inures to
the benefit of no one. Neither website operators, certificate authorities, nor
end-users can be sure of their rights or exposure. The Model's legal structure
may therefore be just as troubling as its security vulnerabilities."

End quote.  Within the legal field, it is normal for law profs to look at the
general CA contracts and declare them unfit, and assert that the contracts
would likely have a lot of trouble standing up in court.

> If this issue is real, it might affect free software more generally.

No, you may rest easy :)

(Free) software is not affected by this because it isn't a business that
ordinarily involves claims and liabilities and claims of fitness.  CAs and
certificates do; a certificate is a claim that it is fit for some purpose or
other.  So, CAs have to go to a great deal more effort to refine their legal
posture, and protect themselves and their stakeholders.

E.g., our legal project is 100 pages of contract & policy, and 3 years in the
making.

In contrast, a pure play open source operation just copies one of the standard
licences.  And it's done.  It's safe; it can even change midstream by issuing
under dual licences without any problems.
