2008-01-28 00:01:03 +00:00
|
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
|
|
|
|
|
|
|
<html>
|
|
|
|
<head><title>CAcert - 3rd Party Vendor -- Licence and Disclaimer </title></head>
|
|
|
|
<body>
|
|
|
|
|
|
|
|
<h3> -1. TO BE FIXED </h3>
|
|
|
|
|
|
|
|
|
2008-03-30 12:19:37 +00:00
|
|
|
<center> <b> w o r k -- i n -- p r o g r e s s</b> </center>
|
2008-01-28 00:01:03 +00:00
|
|
|
|
|
|
|
<p> <i>
|
2009-12-13 10:18:42 +00:00
|
|
|
This is wip-V0.05 as of 20091213.
|
2008-01-28 00:01:03 +00:00
|
|
|
</i></p>
|
|
|
|
|
|
|
|
<hr>
|
|
|
|
|
|
|
|
|
2009-12-13 10:18:42 +00:00
|
|
|
<blockquote>
|
|
|
|
<h3> <a name="0"> 0. </a> Preamble </h3>
|
2008-01-28 00:01:03 +00:00
|
|
|
|
2009-12-13 10:18:42 +00:00
|
|
|
<p><i>
|
|
|
|
This section is not part of the licence but may be explanatory.
|
|
|
|
<a href="#title">Skip to licence.</a>
|
|
|
|
</i></p>
|
2008-01-28 00:01:03 +00:00
|
|
|
|
|
|
|
<p>
|
|
|
|
Being that,
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<ul><li>
|
2009-12-13 10:18:42 +00:00
|
|
|
CAcert is a Certification Authority ("the CA"),
|
2008-01-28 00:01:03 +00:00
|
|
|
</li><li>
|
|
|
|
the CA offers a free certificate service to its subscribers,
|
|
|
|
</li><li>
|
2008-12-21 11:58:15 +00:00
|
|
|
for the direct benefit and RELIANCE of its Community of signed-up users
|
|
|
|
("Members"),
|
2009-12-13 10:18:42 +00:00
|
|
|
RELIANCE being defined as the Member's act in making a decision,
|
|
|
|
including taking a risk, in whole or in part based on the certificate,
|
|
|
|
and
|
2008-01-28 00:01:03 +00:00
|
|
|
</li><li>
|
2008-12-21 11:58:15 +00:00
|
|
|
where possible, of some indirect benefit and USE to other general users
|
2009-12-13 10:18:42 +00:00
|
|
|
("end-users") of the Internet,
|
|
|
|
where USE is defined as allowing a certificate to
|
|
|
|
participate in a protocol, as decided and facilitated
|
|
|
|
by the user's software, with no significant input or
|
|
|
|
knowledge being required of the user;
|
2008-01-28 00:01:03 +00:00
|
|
|
</li></ul>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
And that,
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<ul><li>
|
2008-12-21 11:58:15 +00:00
|
|
|
the end-user has a choice in software
|
|
|
|
(such as browsers and email clients),
|
2008-01-28 00:01:03 +00:00
|
|
|
</li><li>
|
|
|
|
such software offers features which are wholly or partly
|
|
|
|
based on use of certificates,
|
|
|
|
</li><li>
|
|
|
|
which may include the certificates of the CA
|
|
|
|
and/or of any other certificate authority,
|
|
|
|
</li><li>
|
2008-12-21 11:58:15 +00:00
|
|
|
the end-user may have strictly limited or opaque
|
|
|
|
possibilities to choose or
|
2008-01-28 00:01:03 +00:00
|
|
|
control the usage made of certificates,
|
|
|
|
</li><li>
|
|
|
|
and that it may not be economic nor reasonable for software
|
2008-12-21 11:58:15 +00:00
|
|
|
to provide for a high degree of choice and control over certificates;
|
2008-01-28 00:01:03 +00:00
|
|
|
</li></ul>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
And that, in offering the USE of certificates to the end-user,
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<ul><li>
|
|
|
|
the CA has no direct relationship with the the end-user,
|
|
|
|
</li><li>
|
|
|
|
it is not economic nor reasonable to expect such a
|
|
|
|
direct relationship,
|
|
|
|
</li><li>
|
|
|
|
by way of an open, indirect offering,
|
2009-12-13 10:18:42 +00:00
|
|
|
the CA offers its
|
2008-01-28 00:01:03 +00:00
|
|
|
<a href="http://www.cacert.org/policy/NRPDisclaimerAndLicence.php">
|
|
|
|
Non-Related Persons -- Disclaimer and Licence</a>
|
2009-12-13 10:18:42 +00:00
|
|
|
to the end-user ("NRP"), in which
|
2008-01-28 00:01:03 +00:00
|
|
|
<ul><li>
|
|
|
|
the CA disclaims liability to NRPs,
|
|
|
|
</li><li>
|
|
|
|
the CA offers a free licence to USE to all NRPs,
|
|
|
|
</li><li>
|
|
|
|
the CA specifically does not permit the NRPs to RELY,
|
|
|
|
</li></ul>
|
2009-12-13 10:18:42 +00:00
|
|
|
</li><li>
|
|
|
|
and that NRPs have a choice of joining the Community
|
|
|
|
and thus becoming a Member (which overrides the NRP-DaL);
|
2008-01-28 00:01:03 +00:00
|
|
|
</li></ul>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
And that,
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<ul><li>
|
|
|
|
<b>you are a third party vendor or distributor of software for end-users</b>
|
|
|
|
("the Vendor"),
|
|
|
|
</li><li>
|
|
|
|
the Vendor offers a free distribution of root certificates ("root list"),
|
2008-12-21 11:58:15 +00:00
|
|
|
within software,
|
2008-01-28 00:01:03 +00:00
|
|
|
</li><li>
|
|
|
|
that in choosing the Vendor's software,
|
|
|
|
the end-user would enter into an
|
|
|
|
End-User Licence Agreement ("EULA") with the Vendor,
|
|
|
|
</li><li>
|
|
|
|
the Vendor has the primary and only direct relationship with the end-user,
|
2008-12-21 11:58:15 +00:00
|
|
|
</li><li>
|
|
|
|
the Vendor chooses not to be a Member of CAcert,
|
2009-12-13 10:18:42 +00:00
|
|
|
</li><li>
|
|
|
|
and therefore Vendor needs a Licence to distribute the roots
|
|
|
|
to its end-users;
|
2008-01-28 00:01:03 +00:00
|
|
|
</li></ul>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
We both, CA and Vendor, agree that,
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<ul><li>
|
|
|
|
we are committed to providing a
|
|
|
|
free and USABLE way to benefit from cryptography,
|
|
|
|
</li><li>
|
|
|
|
we are committed to the security of our respective communities,
|
|
|
|
</li><li>
|
|
|
|
the design, custom and history of the public key infrastructure
|
|
|
|
("the PKI") creates risks and liabilities
|
|
|
|
for inappropriate RELIANCE by the end-user,
|
|
|
|
</li><li>
|
|
|
|
it is not economically possible nor reasonable
|
|
|
|
to provide a free, open and unconstrained service
|
|
|
|
that can be RELIED upon by end-users.
|
|
|
|
</li></ul>
|
|
|
|
|
|
|
|
|
|
|
|
<p>
|
2009-12-13 10:18:42 +00:00
|
|
|
With the above understanding,
|
|
|
|
the following Licence and Disclaimer is offered by CAcert to Vendor.
|
2008-12-21 11:58:15 +00:00
|
|
|
</p>
|
|
|
|
|
2009-12-13 10:18:42 +00:00
|
|
|
</blockquote>
|
2008-01-28 00:01:03 +00:00
|
|
|
|
2009-12-13 10:18:42 +00:00
|
|
|
<table border="1" cellpadding="15" bgcolor="0xEEEEEE"><tr><td>
|
|
|
|
|
|
|
|
<center><b>
|
|
|
|
<a name="title"> 3rd Party Vendor - Licence and Disclaimer </a>
|
|
|
|
</b></center>
|
2008-01-28 00:01:03 +00:00
|
|
|
|
|
|
|
<h3> <a name="1"> 1. </a> Agreement and Licence </h3>
|
|
|
|
|
|
|
|
<h4> <a name="1.1"> 1.1 </a> Agreement </h4>
|
|
|
|
|
|
|
|
<p>
|
2009-12-13 10:18:42 +00:00
|
|
|
We (the Vendor and the CA)
|
|
|
|
both agree to the terms and conditions in this agreement.
|
2008-01-28 00:01:03 +00:00
|
|
|
The relationship between the CA and the Vendor is based on this agreement.
|
|
|
|
Your agreement is given by your distribution of the root within your
|
|
|
|
distribution of your root list.
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<h4> <a name="1.1"> 1.2 </a> Other Agreements </h4>
|
|
|
|
|
|
|
|
<p>
|
2009-12-13 10:18:42 +00:00
|
|
|
The relationship between the Vendor and the end-user
|
|
|
|
is based on Vendor's own agreement
|
2008-01-28 00:01:03 +00:00
|
|
|
("end-user licence agreement" or EULA).
|
|
|
|
Generally, the Vendor offers the EULA to the end-user
|
|
|
|
in the act of distributing the software and roots.
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
The relationship between the CA and the end-user is based on CA's
|
|
|
|
Non-Related Persons -- Disclaimer and Licence
|
|
|
|
("<a href="http://www.cacert.org/policy/NRPDisclaimerAndLicence.php">NRP-DaL</a>").
|
|
|
|
This Licence follows the style of popular open source licences,
|
|
|
|
in that it is offered to an unknown audience, without a necessary
|
|
|
|
expectation for explicit agreement by the end-user,
|
|
|
|
because of the methods and restrictions of delivery.
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<h4> <a name="1.3"> 1.3 </a> Licence to Distribute </h4>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
CA offers this licence to permit Vendor to distribute CA's roots
|
|
|
|
within Vendor's root list to Vendor's end-users.
|
|
|
|
</p>
|
|
|
|
|
2009-12-13 10:18:42 +00:00
|
|
|
<h4> <a name="1.4"> 1.4 </a> Vendor's Agreement with End-User </h4>
|
2008-01-28 00:01:03 +00:00
|
|
|
<p>
|
2009-12-13 10:18:42 +00:00
|
|
|
Vendor agrees
|
2008-01-28 00:01:03 +00:00
|
|
|
</p>
|
|
|
|
|
2009-12-13 10:18:42 +00:00
|
|
|
<ol><li>
|
|
|
|
to distribute both the NRP-DaL and this present agreement to end-user,
|
2008-01-28 00:01:03 +00:00
|
|
|
</li><li>
|
2009-12-13 10:18:42 +00:00
|
|
|
to advise the end-user of the NRP-DaL appropriately.
|
|
|
|
</li></ol>
|
2008-01-28 00:01:03 +00:00
|
|
|
|
2009-12-13 10:18:42 +00:00
|
|
|
<h4> <a name="1.5"> 1.5 </a> Fair and Non-Discriminatory </h4>
|
2008-01-28 00:01:03 +00:00
|
|
|
|
|
|
|
<p>
|
2009-12-13 10:18:42 +00:00
|
|
|
Vendor agrees to make available CA's root key
|
|
|
|
in a fair and non-discriminatory way to Vendor's end-users.
|
2008-01-28 00:01:03 +00:00
|
|
|
</p>
|
|
|
|
|
|
|
|
<p>
|
2009-12-13 10:18:42 +00:00
|
|
|
In accordance with the general principles of PKI
|
|
|
|
and the fact that the CA makes statements of interest
|
|
|
|
within certificates, the Vendor is strongly encouraged
|
|
|
|
to reasonably represent to the end-user
|
|
|
|
that the CA is the issuer of the certificate
|
|
|
|
and the maker of claims within the certificate.
|
|
|
|
The extent to which the end-user is aware that the
|
|
|
|
CA is the person making claims is likely to be
|
|
|
|
material in a dispute over claims.
|
2008-01-28 00:01:03 +00:00
|
|
|
</p>
|
|
|
|
|
|
|
|
<h3> <a name="2"> 2. </a> Disclaimer </h3>
|
|
|
|
|
|
|
|
<h4> <a name="2.1"> 2.1 </a> All Liability </h4>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
Vendor's relationship with end-users creates risks, liabilities
|
|
|
|
and obligations due to the end-user's permitted USE of the certificates,
|
|
|
|
and potentially through other activities such as inappropriate
|
2009-12-13 10:18:42 +00:00
|
|
|
and non-permitted RELIANCE.
|
2008-01-28 00:01:03 +00:00
|
|
|
</p>
|
|
|
|
|
|
|
|
<p>
|
2009-12-13 10:18:42 +00:00
|
|
|
We in general DISCLAIM ALL LIABILITY to each other.
|
|
|
|
Vendor acknowledges and confirms that
|
|
|
|
the CA disclaims all liability to the end-user
|
|
|
|
in NRP-DaL.
|
2008-01-28 00:01:03 +00:00
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
|
|
<h4> <a name="2.2"> 2.2 </a> Monetary Limits on Liability </h4>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
Notwithstanding the general disclaimer on liability above,
|
2009-12-13 10:18:42 +00:00
|
|
|
we agree that,
|
|
|
|
liability of Vendor and of the CA is strictly limited to be 1000 euros.
|
2008-01-28 00:01:03 +00:00
|
|
|
This is the same limit of liability that applies to each
|
|
|
|
member of the CAcert Community.
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<h3> <a name="3"> 3. </a> Legal Matters </h3>
|
|
|
|
|
|
|
|
<h4> <a name="2.3"> 3.1 </a> Law </h4>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
The Choice of Law is that of NSW, Australia.
|
2009-12-13 10:18:42 +00:00
|
|
|
Policies in force within CAcert are incorporated.
|
2008-01-28 00:01:03 +00:00
|
|
|
</p>
|
|
|
|
|
|
|
|
<h4> <a name="2.4"> 3.2 </a> Dispute Resolution </h4>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
We agree that all disputes arising out
|
|
|
|
of or in connection to this agreement
|
2009-12-13 10:18:42 +00:00
|
|
|
and the root and certificates of the CA
|
2008-01-28 00:01:03 +00:00
|
|
|
shall be referred to and finally resolved
|
|
|
|
by Arbitration under the
|
|
|
|
Dispute Resolution Policy of the CA
|
2009-12-13 10:18:42 +00:00
|
|
|
(<a href="http://www.cacert.org/policy/DisputeResolutionPolicy.php">COD7</a>).
|
2008-01-28 00:01:03 +00:00
|
|
|
The ruling of the Arbitrator is binding and
|
|
|
|
final on CA and Vendor alike.
|
|
|
|
</p>
|
|
|
|
|
2009-12-13 10:18:42 +00:00
|
|
|
</td></tr></table>
|
2008-01-28 00:01:03 +00:00
|
|
|
|
2009-12-13 10:18:42 +00:00
|
|
|
<blockquote>
|
2008-01-28 00:01:03 +00:00
|
|
|
|
|
|
|
<p>
|
|
|
|
The following parts are not part of the above licence,
|
|
|
|
but may shed light.
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<h3> <a name="faq"> Z. </a> FAQ </h3>
|
|
|
|
|
|
|
|
<h4> <a name="Z.1"> Z.1 </a> Notes on Liability </h4>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
Liability agreement between CA and Vendor
|
|
|
|
suggests that the end-user be presented with the name of the CA.
|
|
|
|
This is useful for identifying the particular characteristics
|
|
|
|
of the CA, and accepts that all CAs are different.
|
|
|
|
Each CA has its ways of checking, its relevent laws, and its
|
|
|
|
particular view as to the interests of the end-user.
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
The Vendor should present the name of the CA so as to inform
|
|
|
|
the end-user of what can be known.
|
|
|
|
In the event that the Vendor does not present the CA,
|
|
|
|
the CA is taking on all the risk and liability that the
|
|
|
|
CA is equivalent to others, which can only be rationally
|
|
|
|
measured as the <i>lowest-common-denominator</i>, that is,
|
|
|
|
the lowest of the liabilities that is accepted across all
|
|
|
|
CAs that are shipped by the CA.
|
|
|
|
This would generally be zero.
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
If the CA has been presented to the end-user, the end-user
|
|
|
|
is able to discriminate.
|
|
|
|
In this case, it is reasonable for the CA to offer to share
|
|
|
|
the liability, and to accept some limit
|
|
|
|
to that liability.
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
Always remembering that this is strictly within the
|
|
|
|
relationship with the Vendor.
|
|
|
|
As there are millions and one day, billions of users, and as
|
|
|
|
the software and the certificates are free, the liability
|
|
|
|
to the end-user must be disclaimed totally.
|
|
|
|
In other words, set to zero.
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<h4> <a name="Z.2"> Z.2 </a> Reasonably Shown </h4>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
To reasonably show the name of the CA is undefined,
|
|
|
|
as security user interfaces currently are not representative
|
|
|
|
of reasonable descriptions, and the area is an open research
|
|
|
|
topic (sometimes known as "usable security").
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
A reasonable man test is known in law, and selects someone
|
|
|
|
who would be the reasonable person who would use the software.
|
|
|
|
This might hypothetically examine whether a majority of
|
|
|
|
random users would have "got it" when presented with the
|
|
|
|
same information, however this is not quite how it is tested
|
|
|
|
in law; instead, it is more of a gut-feeling.
|
|
|
|
</p>
|
2009-12-13 10:18:42 +00:00
|
|
|
|
|
|
|
<h4> <a name="Z.3"> Z.3 </a> Recursive Distribution </h4>
|
|
|
|
|
|
|
|
<p>
|
|
|
|
This licence is not intended to limit the ability of
|
|
|
|
a re-distributor of Vendor's root list from operating under
|
|
|
|
the same conditions as the Vendor. The licence applies
|
|
|
|
equally to all distributors of CA's roots.
|
|
|
|
It is the re-distributor's responsibility
|
|
|
|
to be aware of this licence and to take appropriate
|
|
|
|
steps. The primary Vendor discharges any responsibility
|
|
|
|
to the re-distributor by making available this licence
|
|
|
|
on the same basis as its other licences.
|
|
|
|
</p>
|
|
|
|
|
|
|
|
</blockquote>
|
|
|
|
|
|
|
|
|
|
|
|
</body></html>
|