cacert-policies/Agreements/3PVDisclaimerAndLicence.html


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8" />
<title>CAcert - 3rd Party Vendor -- Licence and Disclaimer </title>
<style type="text/css"> <!-- to disappear from www.c.o/policy/ -->
<!--
body {
font-family : verdana, helvetica, arial, sans-serif;
}
th {
text-align : left;
}
.q {
color : green;
font-weight: bold;
text-align: center;
font-style:italic;
}
.change {
color : blue;
font-weight: bold;
}
.strike {
color : blue;
text-decoration:line-through;
}
a:hover {
color : gray;
}
-->
</style>
</head>
<body lang="en-GB">
<h3> -1. TO BE FIXED </h3>
<p class="q"> <big> w o r k -- i n -- p r o g r e s s</big> </p>
<a href="http://www.cacert.org/policy/PolicyOnPolicy.php"><img style="float: right; border-width: 0" src="../Images/cacert-wip.png" alt="CAcert 3rd Party - Disclaimer and Licence - Status == wip" border="0" /></a>
<p class="q">
This is wip-V0.06 as of 20100623.
Comments:
</p>
<ul class="q"><li>
Added FAQ section on <a href="#sZ.4">Persons, Parties, Numbers</a>, following confusion from STS 20100620
<!-- add more comments here... -->
</li></ul>
<p class="q">
Policy starts:
</p>
<hr />
<blockquote>
<h3 id="s0"> 0. Preamble </h3>
<p><i>
This section is not part of the licence but may be explanatory.
<a href="#title">Skip to licence.</a>
</i></p>
<p id="s0.1">0.1
Being that,
</p>
<ul><li>
CAcert is a Certification Authority ("the CA"),
</li><li>
the CA offers a free certificate service to its subscribers,
</li><li>
for the direct benefit and RELIANCE of its Community of signed-up users
("Members"),
RELIANCE being defined as the Member's act in making a decision,
that takes on a risk or liability,
in whole or in part based on the certificate,
and
</li><li>
where possible, of some indirect benefit and USE to other general users
("end-users") of the Internet,
where USE is defined as allowing a certificate to
participate in a protocol, as decided and facilitated
by the user's software, with no significant input or
knowledge being required of the user;
</li></ul>
<p id="s0.2">0.2
And that,
</p>
<ul><li>
the end-user has a choice in software
(such as browsers and email clients),
</li><li>
such software offers features which are wholly or partly
based on use of certificates,
</li><li>
which may include the certificates of the CA
and/or of any other certificate authority,
</li><li>
the end-user may have strictly limited or opaque
possibilities to choose or
control the usage made of certificates,
</li><li>
and that it may be neither economic nor reasonable for software
to provide a high degree of choice and control over certificates;
</li></ul>
<p id="s0.3">0.3
And that, in offering the USE of certificates to the end-user,
</p>
<ul><li>
the CA has no direct relationship with the end-user,
</li><li>
it is neither economic nor reasonable to expect such a
direct relationship,
</li><li>
by way of an open, indirect offering,
the CA offers its
<a href="http://www.cacert.org/policy/NRPDisclaimerAndLicence.php">
Non-Related Persons -- Disclaimer and Licence</a>
to the end-user ("NRP") in which
<ul><li>
the CA disclaims liability to NRPs,
</li><li>
the CA offers a free licence to USE to all NRPs,
</li><li>
the CA specifically does not permit the NRPs to RELY,
</li></ul>
</li><li>
and that NRPs have a choice of joining the Community
and thus becoming a Member (which overrides the NRP-DaL);
</li></ul>
<p id="s0.4">0.4
And that,
</p>
<ul><li>
<b>you are a third party vendor or distributor of software for end-users</b>
("the Vendor"),
</li><li>
the Vendor offers a free distribution of root certificates ("root list"),
within software,
</li><li>
that in choosing the Vendor's software,
the end-user would enter into an
End-User Licence Agreement ("EULA") with the Vendor,
</li><li>
the Vendor has the primary and only direct relationship with the end-user,
</li><li>
the Vendor chooses not to be a Member of CAcert,
</li><li>
and therefore Vendor needs a Licence to distribute the roots
to its end-users;
</li></ul>
<p id="s0.5">0.5
We both, CA and Vendor, agree that,
</p>
<ul><li>
we are committed to providing a
free and USABLE way to benefit from cryptography,
</li><li>
we are committed to the security of our respective communities,
</li><li>
the design, custom and history of the public key infrastructure
("the PKI") creates risks and liabilities
for inappropriate RELIANCE by the end-user,
</li><li>
it is neither economically possible nor reasonable
to provide a free, open and unconstrained service
that can be RELIED upon by end-users.
</li></ul>
<p>
With the above understanding,
the following Licence and Disclaimer is offered by CAcert to Vendor.
</p>
</blockquote>
<table border="1" cellpadding="15" bgcolor="#EEEEEE"><tr><td>
<center><b>
<a id="title"> 3rd Party Vendor - Licence and Disclaimer </a>
</b></center>
<h3 id="s1"> 1. Agreement and Licence </h3>
<h4 id="s1.1"> 1.1 Agreement </h4>
<p>
We (the Vendor and the CA)
both agree to the terms and conditions in this agreement.
The relationship between the CA and the Vendor is based on this agreement.
Your agreement is given by your distribution of the root within
your root list.
</p>
<h4 id="s1.2"> 1.2 Other Agreements </h4>
<p>
The relationship between the Vendor and the end-user
is based on Vendor's own agreement
("end-user licence agreement" or EULA).
Generally, the Vendor offers the EULA to the end-user
in the act of distributing the software and roots.
</p>
<p>
The relationship between the CA and the end-user is based on CA's
Non-Related Persons -- Disclaimer and Licence
("<a href="http://www.cacert.org/policy/NRPDisclaimerAndLicence.php">NRP-DaL</a>").
This Licence follows the style of popular open source licences,
in that it is offered to an unknown audience, without a necessary
expectation for explicit agreement by the end-user,
because of the methods and restrictions of delivery.
</p>
<h4 id="s1.3"> 1.3 Licence to Distribute </h4>
<p>
CA offers this licence to permit Vendor to distribute CA's roots
within Vendor's root list to Vendor's end-users.
</p>
<h4 id="s1.4"> 1.4 Vendor's Agreement with End-User </h4>
<p>
Vendor agrees
</p>
<ol><li>
to distribute both the NRP-DaL and this present agreement to end-user,
</li><li>
to advise the end-user of the NRP-DaL appropriately.
</li></ol>
<h4 id="s1.5"> 1.5 Fair and Non-Discriminatory </h4>
<p>
Vendor agrees to make available CA's root key
in a fair and non-discriminatory way to Vendor's end-users.
</p>
<p>
In accordance with the general principles of PKI
and the fact that the CA makes statements of interest
within certificates, the Vendor is strongly encouraged
to reasonably represent to the end-user
that the CA is the issuer of the certificate
and the maker of claims within the certificate.
The extent to which the end-user is aware that the
CA is the person making claims is likely to be
material in a dispute over claims.
</p>
<h3 id="s2"> 2. Disclaimer </h3>
<h4 id="s2.1"> 2.1 All Liability </h4>
<p>
Vendor's relationship with end-users creates risks, liabilities
and obligations due to the end-user's permitted USE of the certificates,
and potentially through other activities such as inappropriate
and non-permitted RELIANCE.
</p>
<p>
We in general DISCLAIM ALL LIABILITY to each other.
Vendor acknowledges and confirms that
the CA disclaims all liability to the end-user
in NRP-DaL.
</p>
<h4 id="s2.2"> 2.2 Monetary Limits on Liability </h4>
<p>
Notwithstanding the general disclaimer on liability above,
we agree that,
liability of Vendor and of the CA is strictly limited to 1000 euros.
This is the same limit of liability that applies to each
member of the CAcert Community.
</p>
<h3 id="s3"> 3. Legal Matters </h3>
<h4 id="s3.3"> 3.1 Law </h4>
<p>
The Choice of Law is that of NSW, Australia.
Policies in force within CAcert are incorporated.
</p>
<h4 id="s3.4"> 3.2 Dispute Resolution </h4>
<p>
We agree that all disputes arising out
of or in connection to this agreement
and the root and certificates of the CA
shall be referred to and finally resolved
by Arbitration under the
Dispute Resolution Policy of the CA
(<a href="http://www.cacert.org/policy/DisputeResolutionPolicy.php">COD7</a>).
The ruling of the Arbitrator is binding and
final on CA and Vendor alike.
</p>
</td></tr></table>
<blockquote>
<p>
The following parts are not part of the above licence,
but may shed light.
</p>
<h3 id="sfaq"> Z. FAQ </h3>
<h4 id="sZ.1"> Z.1 Notes on Liability </h4>
<p>
The liability agreement between CA and Vendor
suggests that the end-user be presented with the name of the CA
in any act where the certificate is USED.
This is useful for identifying the particular characteristics
of the CA, and accepts that all CAs are different.
Each CA has its ways of checking, its relevant laws, and its
particular view as to the interests of the end-user,
and it is PKI practice and CPS practice that the
obligation falls on the end-user to understand this.
</p>
<p>
The Vendor should present the name of the CA so as to inform
the end-user of what can be known about the claim being made.
In the event that the Vendor does not present the CA's name,
the CA is taking on the risk and liability that is
equivalent to other CAs. Such a position can be seen
rationally as the <i>lowest-common-denominator</i>, that is,
the claim is no better than the worst claim made by the
worst of CAs.
Therefore the liability that is accepted by this CA is
the lowest that can be applied to any CA in the same position.
This liability limit would generally be zero.
Any additional liability would therefore fall to the Vendor.
</p>
<p>
If the CA has been presented to the end-user, the end-user
is able to discriminate. CAs are no longer equivalent.
In this case, it is reasonable for the CA to share
the liability, over and above the lowest common denominator,
up to the limit expressed in the above licence.
</p>
<p>
This applies strictly within the
relationship with the Vendor.
As there are millions, and one day billions, of users, and as
the software and the certificates are free, the liability
to the end-user must be disclaimed totally,
in other words, set to zero.
</p>
<h4 id="sZ.2"> Z.2 Reasonably Shown </h4>
<p>
What it means to reasonably show the name of the CA is undefined,
as current security user interfaces do not provide
reasonable descriptions, and the area is an open research
topic (sometimes known as "usable security").
</p>
<p>
A reasonable man test is known in law; it selects
the reasonable person who would use the software.
Hypothetically, this might examine whether a majority of
random users would have "got it" when presented with the
same information; however, this is not quite how it is tested
in law, where it is more of a gut feeling.
</p>
<h4 id="sZ.3"> Z.3 Recursive Distribution </h4>
<p>
This licence is not intended to limit the ability of
a re-distributor of Vendor's root list from operating under
the same conditions as the Vendor. The licence applies
equally to all distributors of CA's roots.
It is the re-distributor's responsibility
to be aware of this licence and to take appropriate
steps. The primary Vendor discharges any responsibility
to the re-distributor by making available this licence
on the same basis as its other licences.
See <a href="#s1.4">&sect;1.4-1</a>.
</p>
<h4 id="sZ.4"> Z.4 Persons, Parties, Numbers </h4>
<p>
As a convention of contract law, the participants
are typically called parties.
The CA is the first party.
The Member is the second party,
under a direct contract with CA
(<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">CCA</a>).
</p>
<p>
The end-user, however, is typically not a direct party to the contract
known as
<a href="http://www.cacert.org/policy/NRPDisclaimerAndLicence.php">NRP-DaL</a>
because she has typically neither seen it nor agreed to it.
In deference to this difficult position, she is termed
the second person rather than the second party,
and more formally known as a Non-Related Person to
underscore that situation.
</p>
<p>
Therefore,
in order to keep the above terms constant and less confusing,
any distributor is termed the third person.
Hence this present agreement is between the first and third persons,
and the title reflects that.
(The use of the term Vendor does not imply there is a sale,
it is only industry convention to include free distributors
under this label.)
</p>
</blockquote>
</body></html>