[Bug 474549] Review Request: ca-cacert.org - CAcert.org CA root certificates

Fri Nov 4 14:11:04 UTC 2011

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.

https://bugzilla.redhat.com/show_bug.cgi?id=474549

--- Comment #58 from Iang <iang at iang.org> 2011-11-04 10:10:59 EDT ---
Matt,

> [2 CAs] let me do this anonymously at my own risk if I validate
> the certificate;

:) so, there is one of the industry's dirty little secrets:  validate.

You are not allowed to rely *unless you validate the certificate*.  What does
that mean?  Well, to cut short a long debate, I'll assert it:  the requirement
to validate is complete.  You must validate the other party/certificate to the
extent that you do not need to rely on the certificate.  At all!

The description doesn't say it, but you will find out in court that this is
what it means.  In court, if you relied on my name being Iang from a
certificate, you will have to show you also checked it another way.  In short,
you will have to show that reliance was ignored or ignorable.  And because you
took it at your own risk, and because you did your own diligence, and you got
it wrong, then the CA isn't at fault.

Now, let's look at a legal definition of Reliance (just the 1st I found):

http://legal-dictionary.thefreedictionary.com/reliance

reliance n. acting upon another's statement of alleged fact, claim, or promise.
In contracts, if someone takes some steps ("changes his position" is the usual
legal language) in reliance on the other's statement, claim or promise then the
person upon whom the actor relied is entitled to contend there is a contract
he/she can enforce. However, the reliance must be reasonable. (See: reasonable
reliance)

Do you see what has happened?  The CAs have re-defined reliance to be not
reliance:  at own risk, must do own validation, disclaimer of liabilities, no
clause you can enforce, etc etc.  This is the Fort Knox definition of reliance:
 we have a lot of gold, but in order to get it, you'll be committing harakiri.

For those CAs, reliance is an empty term.  They could call it pink bananas and
it would have the same effect:  here is a list of things that *you have to do*
in order to use the certificate.  Legally, they don't offer you anything in
that you couldn't get other ways, and in legal assertion in the contract, you
must get those things other ways.

Now, CAcert declines to do that.  We decline to stand up before the judge and
say "your honour, we offer reliance, but our contract strips it of meaning!"

That's why we call the normal usage of certificates USE.

(Earlier, we discussed whether the RPAs are valid, and whether they are
potentially risky contracts.  We can now see an avenue of attack:  anything to
do with the use of the term "reliance" is a target for being written out by the
judge, because it redefines itself out of well-understood legal tradition.  A
risk... and that is yet another reason why CAcert does not join the rest of the
industry.)

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.