this document overtaken by RootDistributionLicense
git-svn-id: http://svn.cacert.org/CAcert/Policies@2012 14b1bab8-4ef6-0310-b690-991c95c89dfdpull/1/head
parent
d1a4a337a6
commit
5888da19c0
@ -1,444 +0,0 @@
|
|||||||
<?xml version="1.0" encoding="utf-8"?>
|
|
||||||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
|
|
||||||
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
|
|
||||||
<html xmlns="http://www.w3.org/1999/xhtml">
|
|
||||||
<head>
|
|
||||||
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8" />
|
|
||||||
<title>CAcert - 3rd Party Vendor -- Licence and Disclaimer </title>
|
|
||||||
|
|
||||||
<style type="text/css"> <!-- to disappear from www.c.o/policy/ -->
|
|
||||||
<!--
|
|
||||||
body {
|
|
||||||
font-family : verdana, helvetica, arial, sans-serif;
|
|
||||||
}
|
|
||||||
th {
|
|
||||||
text-align : left;
|
|
||||||
}
|
|
||||||
.q {
|
|
||||||
color : green;
|
|
||||||
font-weight: bold;
|
|
||||||
text-align: center;
|
|
||||||
font-style:italic;
|
|
||||||
}
|
|
||||||
.change {
|
|
||||||
color : blue;
|
|
||||||
font-weight: bold;
|
|
||||||
}
|
|
||||||
.strike {
|
|
||||||
color : blue;
|
|
||||||
text-decoration:line-through;
|
|
||||||
}
|
|
||||||
|
|
||||||
a:hover {
|
|
||||||
color : gray;
|
|
||||||
}
|
|
||||||
-->
|
|
||||||
</style>
|
|
||||||
|
|
||||||
</head>
|
|
||||||
<body lang="en-GB">
|
|
||||||
|
|
||||||
<blockquote>
|
|
||||||
<table align="center" bgcolor="pink" border="1" cellspacing="5"><tr><td>
|
|
||||||
<p align="center">
|
|
||||||
By policy group decision <a href="//wiki.cacert.org/PolicyDecisions#p20100710">p20100710</a>:<br /><br />
|
|
||||||
<i><b>"Finally, that other proposals (CC-BY-ND and 3pv-DaL) be taken off the table. Policy group contributors and editors are thanked for thought-provoking comments and useful debate."</b></i><br /><br />
|
|
||||||
This document is <b><big>dead</big></b>. <br />
|
|
||||||
It is no longer under consideration by policy group, being overtaken by
|
|
||||||
<a href="//www.cacert.org/policy/RootDistributionLicense.php">the RDL</a>."</b></i><br /><br />
|
|
||||||
</p>
|
|
||||||
</td></tr></table>
|
|
||||||
</blockquote>
|
|
||||||
|
|
||||||
<br /> <br />
|
|
||||||
|
|
||||||
<p class="q"> <big> D E A D </big> </p>
|
|
||||||
|
|
||||||
<hr>
|
|
||||||
|
|
||||||
|
|
||||||
<blockquote>
|
|
||||||
<h3 id="s0"> 0. Preamble </h3>
|
|
||||||
|
|
||||||
<p><i>
|
|
||||||
This section is not part of the licence but may be explanatory.
|
|
||||||
<a href="#title">Skip to licence.</a>
|
|
||||||
</i></p>
|
|
||||||
|
|
||||||
<p id="s0.1">0.1
|
|
||||||
Being that,
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<ul><li>
|
|
||||||
CAcert is a Certification Authority ("the CA"),
|
|
||||||
</li><li>
|
|
||||||
the CA offers a free certificate service to its subscribers,
|
|
||||||
</li><li>
|
|
||||||
for the direct benefit and RELIANCE of its Community of signed-up users
|
|
||||||
("Members"),
|
|
||||||
RELIANCE being defined as the Member's act in making a decision,
|
|
||||||
that takes on a risk or liability,
|
|
||||||
in whole or in part based on the certificate,
|
|
||||||
and
|
|
||||||
</li><li>
|
|
||||||
where possible, of some indirect benefit and USE to other general users
|
|
||||||
("end-users") of the Internet,
|
|
||||||
where USE is defined as allowing a certificate to
|
|
||||||
participate in a protocol, as decided and facilitated
|
|
||||||
by the user's software, with no significant input or
|
|
||||||
knowledge being required of the user;
|
|
||||||
</li></ul>
|
|
||||||
|
|
||||||
<p id="s0.2">0.2
|
|
||||||
And that,
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<ul><li>
|
|
||||||
the end-user has a choice in software
|
|
||||||
(such as browsers and email clients),
|
|
||||||
</li><li>
|
|
||||||
such software offers features which are wholly or partly
|
|
||||||
based on use of certificates,
|
|
||||||
</li><li>
|
|
||||||
which may include the certificates of the CA
|
|
||||||
and/or of any other certificate authority,
|
|
||||||
</li><li>
|
|
||||||
the end-user may have strictly limited or opaque
|
|
||||||
possibilities to choose or
|
|
||||||
control the usage made of certificates,
|
|
||||||
</li><li>
|
|
||||||
and that it may not be economic nor reasonable for software
|
|
||||||
to provide for a high degree of choice and control over certificates;
|
|
||||||
</li></ul>
|
|
||||||
|
|
||||||
<p id="s0.3">0.3
|
|
||||||
And that, in offering the USE of certificates to the end-user,
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<ul><li>
|
|
||||||
the CA has no direct relationship with the end-user,
|
|
||||||
</li><li>
|
|
||||||
it is not economic nor reasonable to expect such a
|
|
||||||
direct relationship,
|
|
||||||
</li><li>
|
|
||||||
by way of an open, indirect offering,
|
|
||||||
the CA offers its
|
|
||||||
<a href="http://www.cacert.org/policy/NRPDisclaimerAndLicence.php">
|
|
||||||
Non-Related Persons -- Disclaimer and Licence</a>
|
|
||||||
to the end-user ("NRP") in which
|
|
||||||
<ul><li>
|
|
||||||
the CA disclaims liability to NRPs,
|
|
||||||
</li><li>
|
|
||||||
the CA offers a free licence to USE to all NRPs,
|
|
||||||
</li><li>
|
|
||||||
the CA specifically does not permit the NRPs to RELY,
|
|
||||||
</li></ul>
|
|
||||||
</li><li>
|
|
||||||
and that NRPs have a choice of joining the Community
|
|
||||||
and thus becoming a Member (which overrides the NRP-DaL);
|
|
||||||
</li></ul>
|
|
||||||
|
|
||||||
<p id="s0.4">0.4
|
|
||||||
And that,
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<ul><li>
|
|
||||||
<b>you are a third party vendor or distributor of software for end-users</b>
|
|
||||||
("the Vendor"),
|
|
||||||
</li><li>
|
|
||||||
the Vendor offers a free distribution of root certificates ("root list"),
|
|
||||||
within software,
|
|
||||||
</li><li>
|
|
||||||
that in choosing the Vendor's software,
|
|
||||||
the end-user would enter into an
|
|
||||||
End-User Licence Agreement ("EULA") with the Vendor,
|
|
||||||
</li><li>
|
|
||||||
the Vendor has the primary and only direct relationship with the end-user,
|
|
||||||
</li><li>
|
|
||||||
the Vendor chooses not to be a Member of CAcert,
|
|
||||||
</li><li>
|
|
||||||
and therefore Vendor needs a Licence to distribute the roots
|
|
||||||
to its end-users;
|
|
||||||
</li></ul>
|
|
||||||
|
|
||||||
<p id="s0.5">0.5
|
|
||||||
We both, CA and Vendor, agree that,
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<ul><li>
|
|
||||||
we are committed to providing a
|
|
||||||
free and USABLE way to benefit from cryptography,
|
|
||||||
</li><li>
|
|
||||||
we are committed to the security of our respective communities,
|
|
||||||
</li><li>
|
|
||||||
the design, custom and history of the public key infrastructure
|
|
||||||
("the PKI") creates risks and liabilities
|
|
||||||
for inappropriate RELIANCE by the end-user,
|
|
||||||
</li><li>
|
|
||||||
it is not economically possible nor reasonable
|
|
||||||
to provide a free, open and unconstrained service
|
|
||||||
that can be RELIED upon by end-users.
|
|
||||||
</li></ul>
|
|
||||||
|
|
||||||
|
|
||||||
<p>
|
|
||||||
With the above understanding,
|
|
||||||
the following Licence and Disclaimer is offered by CAcert to Vendor.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
</blockquote>
|
|
||||||
|
|
||||||
<table border="1" cellpadding="15" bgcolor="0xEEEEEE"><tr><td>
|
|
||||||
|
|
||||||
<center><b>
|
|
||||||
<a name="title"> 3rd Party Vendor - Licence and Disclaimer </a>
|
|
||||||
</b></center>
|
|
||||||
|
|
||||||
<h3 id="s1"> 1. Agreement and Licence </h3>
|
|
||||||
|
|
||||||
<h4 id="s1.1"> 1.1 Agreement </h4>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
We (the Vendor and the CA)
|
|
||||||
both agree to the terms and conditions in this agreement.
|
|
||||||
The relationship between the CA and the Vendor is based on this agreement.
|
|
||||||
Your agreement is given by your distribution of the root within your
|
|
||||||
distribution of your root list.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<h4 id="s1.2"> 1.2 Other Agreements </h4>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
The relationship between the Vendor and the end-user
|
|
||||||
is based on Vendor's own agreement
|
|
||||||
("end-user licence agreement" or EULA).
|
|
||||||
Generally, the Vendor offers the EULA to the end-user
|
|
||||||
in the act of distributing the software and roots.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
The relationship between the CA and the end-user is based on CA's
|
|
||||||
Non-Related Persons -- Disclaimer and Licence
|
|
||||||
("<a href="http://www.cacert.org/policy/NRPDisclaimerAndLicence.php">NRP-DaL</a>").
|
|
||||||
This Licence follows the style of popular open source licences,
|
|
||||||
in that it is offered to an unknown audience, without a necessary
|
|
||||||
expectation for explicit agreement by the end-user,
|
|
||||||
because of the methods and restrictions of delivery.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<h4 id="s1.3"> 1.3 Licence to Distribute </h4>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
CA offers this licence to permit Vendor to distribute CA's roots
|
|
||||||
within Vendor's root list to Vendor's end-users.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<h4 id="s1.4"> 1.4 Vendor's Agreement with End-User </h4>
|
|
||||||
<p>
|
|
||||||
Vendor agrees
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<ol><li>
|
|
||||||
to distribute both the NRP-DaL and this present agreement to end-user,
|
|
||||||
</li><li>
|
|
||||||
to advise the end-user of the NRP-DaL appropriately.
|
|
||||||
</li></ol>
|
|
||||||
|
|
||||||
<h4 id="s1.5"> 1.5 Fair and Non-Discriminatory </h4>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
Vendor agrees to make available CA's root key
|
|
||||||
in a fair and non-discriminatory way to Vendor's end-users.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
In accordance with the general principles of PKI
|
|
||||||
and the fact that the CA makes statements of interest
|
|
||||||
within certificates, the Vendor is strongly encouraged
|
|
||||||
to reasonably represent to the end-user
|
|
||||||
that the CA is the issuer of the certificate
|
|
||||||
and the maker of claims within the certificate.
|
|
||||||
The extent to which the end-user is aware that the
|
|
||||||
CA is the person making claims is likely to be
|
|
||||||
material in a dispute over claims.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<h3 id="s2"> 2. Disclaimer </h3>
|
|
||||||
|
|
||||||
<h4 id="s2.1"> 2.1 All Liability </h4>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
Vendor's relationship with end-users creates risks, liabilities
|
|
||||||
and obligations due to the end-user's permitted USE of the certificates,
|
|
||||||
and potentially through other activities such as inappropriate
|
|
||||||
and non-permitted RELIANCE.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
We in general DISCLAIM ALL LIABILITY to each other.
|
|
||||||
Vendor acknowledges and confirms that
|
|
||||||
the CA disclaims all liability to the end-user
|
|
||||||
in NRP-DaL.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
|
|
||||||
<h4 id="s2.2"> 2.2 Monetary Limits on Liability </h4>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
Notwithstanding the general disclaimer on liability above,
|
|
||||||
we agree that,
|
|
||||||
liability of Vendor and of the CA is strictly limited to be 1000 euros.
|
|
||||||
This is the same limit of liability that applies to each
|
|
||||||
member of the CAcert Community.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<h3 id="s3"> 3. Legal Matters </h3>
|
|
||||||
|
|
||||||
<h4 id="s3.3"> 3.1 Law </h4>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
The Choice of Law is that of NSW, Australia.
|
|
||||||
Policies in force within CAcert are incorporated.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<h4 id="s3.4"> 3.2 Dispute Resolution </h4>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
We agree that all disputes arising out
|
|
||||||
of or in connection to this agreement
|
|
||||||
and the root and certificates of the CA
|
|
||||||
shall be referred to and finally resolved
|
|
||||||
by Arbitration under the
|
|
||||||
Dispute Resolution Policy of the CA
|
|
||||||
(<a href="http://www.cacert.org/policy/DisputeResolutionPolicy.php">COD7</a>).
|
|
||||||
The ruling of the Arbitrator is binding and
|
|
||||||
final on CA and Vendor alike.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
</td></tr></table>
|
|
||||||
|
|
||||||
<blockquote>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
The following parts are not part of the above licence,
|
|
||||||
but may shed light.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<h3 id="sfaq"> Z. FAQ </h3>
|
|
||||||
|
|
||||||
<h4 id="sZ.1"> Z.1 Notes on Liability </h4>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
Liability agreement between CA and Vendor
|
|
||||||
suggests that the end-user be presented with the name of the CA
|
|
||||||
in any act where the certificate is USED.
|
|
||||||
This is useful for identifying the particular characteristics
|
|
||||||
of the CA, and accepts that all CAs are different.
|
|
||||||
Each CA has its ways of checking, its relevent laws, and its
|
|
||||||
particular view as to the interests of the end-user,
|
|
||||||
and it is PKI practice and CPS practice that the
|
|
||||||
obligation falls on the end-user to understand this.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
The Vendor should present the name of the CA so as to inform
|
|
||||||
the end-user of what can be known about the claim being made.
|
|
||||||
In the event that the Vendor does not present the CA's name,
|
|
||||||
the CA is taking on the risk and liability that is
|
|
||||||
equivalent to other CAs. Such a position can be seen
|
|
||||||
rationally as the <i>lowest-common-denominator</i>, that is,
|
|
||||||
the claim is no better than the worst claim made by the
|
|
||||||
worst of CAs.
|
|
||||||
Therefore the liability that is accepted by this CA is
|
|
||||||
the lowest that can be applied to any CA in the same position.
|
|
||||||
This liability limit would generally be zero.
|
|
||||||
Any additional liability would therefore fall to the Vendor.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
If the CA has been presented to the end-user, the end-user
|
|
||||||
is able to discriminate. CAs are no longer equivalent.
|
|
||||||
In this case, it is reasonable for the CA to share
|
|
||||||
the liability, over and above the lowest common denominator,
|
|
||||||
up to the limit expressed in the above licence.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
Always remembering that this is strictly within the
|
|
||||||
relationship with the Vendor.
|
|
||||||
As there are millions and one day, billions of users, and as
|
|
||||||
the software and the certificates are free, the liability
|
|
||||||
to the end-user must be disclaimed totally.
|
|
||||||
In other words, set to zero.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<h4 id="sZ.2"> Z.2 Reasonably Shown </h4>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
To reasonably show the name of the CA is undefined,
|
|
||||||
as security user interfaces currently are not representative
|
|
||||||
of reasonable descriptions, and the area is an open research
|
|
||||||
topic (sometimes known as "usable security").
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
A reasonable man test is known in law, and selects someone
|
|
||||||
who would be the reasonable person who would use the software.
|
|
||||||
This might hypothetically examine whether a majority of
|
|
||||||
random users would have "got it" when presented with the
|
|
||||||
same information, however this is not quite how it is tested
|
|
||||||
in law; instead, it is more of a gut-feeling.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<h4 id="sZ.3"> Z.3 Recursive Distribution </h4>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
This licence is not intended to limit the ability of
|
|
||||||
a re-distributor of Vendor's root list from operating under
|
|
||||||
the same conditions as the Vendor. The licence applies
|
|
||||||
equally to all distributors of CA's roots.
|
|
||||||
It is the re-distributor's responsibility
|
|
||||||
to be aware of this licence and to take appropriate
|
|
||||||
steps. The primary Vendor discharges any responsibility
|
|
||||||
to the re-distributor by making available this licence
|
|
||||||
on the same basis as its other licences.
|
|
||||||
See <a href="#1.4">§1.4-1</a>.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<h4 id="sZ.4"> Z.4 Persons, Parties, Numbers </h4>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
As a convention of contract law, the participants
|
|
||||||
are typically called parties.
|
|
||||||
The CA is the first party.
|
|
||||||
The Member is the second party,
|
|
||||||
under a direct contract with CA
|
|
||||||
(<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">CCA</a>).
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
The end-user however is typically not a direct party to the contract
|
|
||||||
known as
|
|
||||||
<a href="http://www.cacert.org/policy/NRPDisclaimerAndLicence.php">NRP-DaL</a>
|
|
||||||
because she has typically not seen it nor agreed to it.
|
|
||||||
In deference to this difficult position, she is termed
|
|
||||||
the second person rather than second party,
|
|
||||||
and more formally known as a Non-Related Person to
|
|
||||||
underscore that situation.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
Therefore,
|
|
||||||
in order to keep the above terms constant and less confusing,
|
|
||||||
any distributor is therefore termed the third person.
|
|
||||||
Hence this present agreement is between the first and third persons,
|
|
||||||
and the title reflects that.
|
|
||||||
(The use of the term Vendor does not imply there is a sale,
|
|
||||||
it is only industry convention to include free distributors
|
|
||||||
under this label.)
|
|
||||||
</p>
|
|
||||||
|
|
||||||
</blockquote>
|
|
||||||
|
|
||||||
|
|
||||||
</body></html>
|
|
Loading…
Reference in New Issue