this document overtaken by RootDistributionLicense
git-svn-id: http://svn.cacert.org/CAcert/Policies@2012 14b1bab8-4ef6-0310-b690-991c95c89dfd
parent
d1a4a337a6
commit
5888da19c0
1 changed files with 0 additions and 444 deletions
|
@ -1,444 +0,0 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
|
||||
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
|
||||
<html xmlns="http://www.w3.org/1999/xhtml">
|
||||
<head>
|
||||
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8" />
|
||||
<title>CAcert - 3rd Party Vendor -- Licence and Disclaimer </title>
|
||||
|
||||
<style type="text/css"> <!-- to disappear from www.c.o/policy/ -->
|
||||
<!--
|
||||
body {
|
||||
font-family : verdana, helvetica, arial, sans-serif;
|
||||
}
|
||||
th {
|
||||
text-align : left;
|
||||
}
|
||||
.q {
|
||||
color : green;
|
||||
font-weight: bold;
|
||||
text-align: center;
|
||||
font-style:italic;
|
||||
}
|
||||
.change {
|
||||
color : blue;
|
||||
font-weight: bold;
|
||||
}
|
||||
.strike {
|
||||
color : blue;
|
||||
text-decoration:line-through;
|
||||
}
|
||||
|
||||
a:hover {
|
||||
color : gray;
|
||||
}
|
||||
-->
|
||||
</style>
|
||||
|
||||
</head>
|
||||
<body lang="en-GB">
|
||||
|
||||
<blockquote>
|
||||
<table align="center" bgcolor="pink" border="1" cellspacing="5"><tr><td>
|
||||
<p align="center">
|
||||
By policy group decision <a href="//wiki.cacert.org/PolicyDecisions#p20100710">p20100710</a>:<br /><br />
|
||||
<i><b>"Finally, that other proposals (CC-BY-ND and 3pv-DaL) be taken off the table. Policy group contributors and editors are thanked for thought-provoking comments and useful debate."</b></i><br /><br />
|
||||
This document is <b><big>dead</big></b>. <br />
|
||||
It is no longer under consideration by policy group, being overtaken by
|
||||
<a href="//www.cacert.org/policy/RootDistributionLicense.php">the RDL</a>."</b></i><br /><br />
|
||||
</p>
|
||||
</td></tr></table>
|
||||
</blockquote>
|
||||
|
||||
<br /> <br />
|
||||
|
||||
<p class="q"> <big> D E A D </big> </p>
|
||||
|
||||
<hr>
|
||||
|
||||
|
||||
<blockquote>
|
||||
<h3 id="s0"> 0. Preamble </h3>
|
||||
|
||||
<p><i>
|
||||
This section is not part of the licence but may be explanatory.
|
||||
<a href="#title">Skip to licence.</a>
|
||||
</i></p>
|
||||
|
||||
<p id="s0.1">0.1
|
||||
Being that,
|
||||
</p>
|
||||
|
||||
<ul><li>
|
||||
CAcert is a Certification Authority ("the CA"),
|
||||
</li><li>
|
||||
the CA offers a free certificate service to its subscribers,
|
||||
</li><li>
|
||||
for the direct benefit and RELIANCE of its Community of signed-up users
|
||||
("Members"),
|
||||
RELIANCE being defined as the Member's act in making a decision,
|
||||
that takes on a risk or liability,
|
||||
in whole or in part based on the certificate,
|
||||
and
|
||||
</li><li>
|
||||
where possible, of some indirect benefit and USE to other general users
|
||||
("end-users") of the Internet,
|
||||
where USE is defined as allowing a certificate to
|
||||
participate in a protocol, as decided and facilitated
|
||||
by the user's software, with no significant input or
|
||||
knowledge being required of the user;
|
||||
</li></ul>
|
||||
|
||||
<p id="s0.2">0.2
|
||||
And that,
|
||||
</p>
|
||||
|
||||
<ul><li>
|
||||
the end-user has a choice in software
|
||||
(such as browsers and email clients),
|
||||
</li><li>
|
||||
such software offers features which are wholly or partly
|
||||
based on use of certificates,
|
||||
</li><li>
|
||||
which may include the certificates of the CA
|
||||
and/or of any other certificate authority,
|
||||
</li><li>
|
||||
the end-user may have strictly limited or opaque
|
||||
possibilities to choose or
|
||||
control the usage made of certificates,
|
||||
</li><li>
|
||||
and that it may not be economic nor reasonable for software
|
||||
to provide for a high degree of choice and control over certificates;
|
||||
</li></ul>
|
||||
|
||||
<p id="s0.3">0.3
|
||||
And that, in offering the USE of certificates to the end-user,
|
||||
</p>
|
||||
|
||||
<ul><li>
|
||||
the CA has no direct relationship with the end-user,
|
||||
</li><li>
|
||||
it is not economic nor reasonable to expect such a
|
||||
direct relationship,
|
||||
</li><li>
|
||||
by way of an open, indirect offering,
|
||||
the CA offers its
|
||||
<a href="http://www.cacert.org/policy/NRPDisclaimerAndLicence.php">
|
||||
Non-Related Persons -- Disclaimer and Licence</a>
|
||||
to the end-user ("NRP") in which
|
||||
<ul><li>
|
||||
the CA disclaims liability to NRPs,
|
||||
</li><li>
|
||||
the CA offers a free licence to USE to all NRPs,
|
||||
</li><li>
|
||||
the CA specifically does not permit the NRPs to RELY,
|
||||
</li></ul>
|
||||
</li><li>
|
||||
and that NRPs have a choice of joining the Community
|
||||
and thus becoming a Member (which overrides the NRP-DaL);
|
||||
</li></ul>
|
||||
|
||||
<p id="s0.4">0.4
|
||||
And that,
|
||||
</p>
|
||||
|
||||
<ul><li>
|
||||
<b>you are a third party vendor or distributor of software for end-users</b>
|
||||
("the Vendor"),
|
||||
</li><li>
|
||||
the Vendor offers a free distribution of root certificates ("root list"),
|
||||
within software,
|
||||
</li><li>
|
||||
that in choosing the Vendor's software,
|
||||
the end-user would enter into an
|
||||
End-User Licence Agreement ("EULA") with the Vendor,
|
||||
</li><li>
|
||||
the Vendor has the primary and only direct relationship with the end-user,
|
||||
</li><li>
|
||||
the Vendor chooses not to be a Member of CAcert,
|
||||
</li><li>
|
||||
and therefore Vendor needs a Licence to distribute the roots
|
||||
to its end-users;
|
||||
</li></ul>
|
||||
|
||||
<p id="s0.5">0.5
|
||||
We both, CA and Vendor, agree that,
|
||||
</p>
|
||||
|
||||
<ul><li>
|
||||
we are committed to providing a
|
||||
free and USABLE way to benefit from cryptography,
|
||||
</li><li>
|
||||
we are committed to the security of our respective communities,
|
||||
</li><li>
|
||||
the design, custom and history of the public key infrastructure
|
||||
("the PKI") creates risks and liabilities
|
||||
for inappropriate RELIANCE by the end-user,
|
||||
</li><li>
|
||||
it is not economically possible nor reasonable
|
||||
to provide a free, open and unconstrained service
|
||||
that can be RELIED upon by end-users.
|
||||
</li></ul>
|
||||
|
||||
|
||||
<p>
|
||||
With the above understanding,
|
||||
the following Licence and Disclaimer is offered by CAcert to Vendor.
|
||||
</p>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<table border="1" cellpadding="15" bgcolor="0xEEEEEE"><tr><td>
|
||||
|
||||
<center><b>
|
||||
<a name="title"> 3rd Party Vendor - Licence and Disclaimer </a>
|
||||
</b></center>
|
||||
|
||||
<h3 id="s1"> 1. Agreement and Licence </h3>
|
||||
|
||||
<h4 id="s1.1"> 1.1 Agreement </h4>
|
||||
|
||||
<p>
|
||||
We (the Vendor and the CA)
|
||||
both agree to the terms and conditions in this agreement.
|
||||
The relationship between the CA and the Vendor is based on this agreement.
|
||||
Your agreement is given by your distribution of the root within your
|
||||
distribution of your root list.
|
||||
</p>
|
||||
|
||||
<h4 id="s1.2"> 1.2 Other Agreements </h4>
|
||||
|
||||
<p>
|
||||
The relationship between the Vendor and the end-user
|
||||
is based on Vendor's own agreement
|
||||
("end-user licence agreement" or EULA).
|
||||
Generally, the Vendor offers the EULA to the end-user
|
||||
in the act of distributing the software and roots.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
The relationship between the CA and the end-user is based on CA's
|
||||
Non-Related Persons -- Disclaimer and Licence
|
||||
("<a href="http://www.cacert.org/policy/NRPDisclaimerAndLicence.php">NRP-DaL</a>").
|
||||
This Licence follows the style of popular open source licences,
|
||||
in that it is offered to an unknown audience, without a necessary
|
||||
expectation for explicit agreement by the end-user,
|
||||
because of the methods and restrictions of delivery.
|
||||
</p>
|
||||
|
||||
<h4 id="s1.3"> 1.3 Licence to Distribute </h4>
|
||||
|
||||
<p>
|
||||
CA offers this licence to permit Vendor to distribute CA's roots
|
||||
within Vendor's root list to Vendor's end-users.
|
||||
</p>
|
||||
|
||||
<h4 id="s1.4"> 1.4 Vendor's Agreement with End-User </h4>
|
||||
<p>
|
||||
Vendor agrees
|
||||
</p>
|
||||
|
||||
<ol><li>
|
||||
to distribute both the NRP-DaL and this present agreement to end-user,
|
||||
</li><li>
|
||||
to advise the end-user of the NRP-DaL appropriately.
|
||||
</li></ol>
|
||||
|
||||
<h4 id="s1.5"> 1.5 Fair and Non-Discriminatory </h4>
|
||||
|
||||
<p>
|
||||
Vendor agrees to make available CA's root key
|
||||
in a fair and non-discriminatory way to Vendor's end-users.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
In accordance with the general principles of PKI
|
||||
and the fact that the CA makes statements of interest
|
||||
within certificates, the Vendor is strongly encouraged
|
||||
to reasonably represent to the end-user
|
||||
that the CA is the issuer of the certificate
|
||||
and the maker of claims within the certificate.
|
||||
The extent to which the end-user is aware that the
|
||||
CA is the person making claims is likely to be
|
||||
material in a dispute over claims.
|
||||
</p>
|
||||
|
||||
<h3 id="s2"> 2. Disclaimer </h3>
|
||||
|
||||
<h4 id="s2.1"> 2.1 All Liability </h4>
|
||||
|
||||
<p>
|
||||
Vendor's relationship with end-users creates risks, liabilities
|
||||
and obligations due to the end-user's permitted USE of the certificates,
|
||||
and potentially through other activities such as inappropriate
|
||||
and non-permitted RELIANCE.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
We in general DISCLAIM ALL LIABILITY to each other.
|
||||
Vendor acknowledges and confirms that
|
||||
the CA disclaims all liability to the end-user
|
||||
in NRP-DaL.
|
||||
</p>
|
||||
|
||||
|
||||
<h4 id="s2.2"> 2.2 Monetary Limits on Liability </h4>
|
||||
|
||||
<p>
|
||||
Notwithstanding the general disclaimer on liability above,
|
||||
we agree that,
|
||||
liability of Vendor and of the CA is strictly limited to be 1000 euros.
|
||||
This is the same limit of liability that applies to each
|
||||
member of the CAcert Community.
|
||||
</p>
|
||||
|
||||
<h3 id="s3"> 3. Legal Matters </h3>
|
||||
|
||||
<h4 id="s3.3"> 3.1 Law </h4>
|
||||
|
||||
<p>
|
||||
The Choice of Law is that of NSW, Australia.
|
||||
Policies in force within CAcert are incorporated.
|
||||
</p>
|
||||
|
||||
<h4 id="s3.4"> 3.2 Dispute Resolution </h4>
|
||||
|
||||
<p>
|
||||
We agree that all disputes arising out
|
||||
of or in connection to this agreement
|
||||
and the root and certificates of the CA
|
||||
shall be referred to and finally resolved
|
||||
by Arbitration under the
|
||||
Dispute Resolution Policy of the CA
|
||||
(<a href="http://www.cacert.org/policy/DisputeResolutionPolicy.php">COD7</a>).
|
||||
The ruling of the Arbitrator is binding and
|
||||
final on CA and Vendor alike.
|
||||
</p>
|
||||
|
||||
</td></tr></table>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p>
|
||||
The following parts are not part of the above licence,
|
||||
but may shed light.
|
||||
</p>
|
||||
|
||||
<h3 id="sfaq"> Z. FAQ </h3>
|
||||
|
||||
<h4 id="sZ.1"> Z.1 Notes on Liability </h4>
|
||||
|
||||
<p>
|
||||
Liability agreement between CA and Vendor
|
||||
suggests that the end-user be presented with the name of the CA
|
||||
in any act where the certificate is USED.
|
||||
This is useful for identifying the particular characteristics
|
||||
of the CA, and accepts that all CAs are different.
|
||||
Each CA has its ways of checking, its relevent laws, and its
|
||||
particular view as to the interests of the end-user,
|
||||
and it is PKI practice and CPS practice that the
|
||||
obligation falls on the end-user to understand this.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
The Vendor should present the name of the CA so as to inform
|
||||
the end-user of what can be known about the claim being made.
|
||||
In the event that the Vendor does not present the CA's name,
|
||||
the CA is taking on the risk and liability that is
|
||||
equivalent to other CAs. Such a position can be seen
|
||||
rationally as the <i>lowest-common-denominator</i>, that is,
|
||||
the claim is no better than the worst claim made by the
|
||||
worst of CAs.
|
||||
Therefore the liability that is accepted by this CA is
|
||||
the lowest that can be applied to any CA in the same position.
|
||||
This liability limit would generally be zero.
|
||||
Any additional liability would therefore fall to the Vendor.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
If the CA has been presented to the end-user, the end-user
|
||||
is able to discriminate. CAs are no longer equivalent.
|
||||
In this case, it is reasonable for the CA to share
|
||||
the liability, over and above the lowest common denominator,
|
||||
up to the limit expressed in the above licence.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
Always remembering that this is strictly within the
|
||||
relationship with the Vendor.
|
||||
As there are millions and one day, billions of users, and as
|
||||
the software and the certificates are free, the liability
|
||||
to the end-user must be disclaimed totally.
|
||||
In other words, set to zero.
|
||||
</p>
|
||||
|
||||
<h4 id="sZ.2"> Z.2 Reasonably Shown </h4>
|
||||
|
||||
<p>
|
||||
To reasonably show the name of the CA is undefined,
|
||||
as security user interfaces currently are not representative
|
||||
of reasonable descriptions, and the area is an open research
|
||||
topic (sometimes known as "usable security").
|
||||
</p>
|
||||
|
||||
<p>
|
||||
A reasonable man test is known in law, and selects someone
|
||||
who would be the reasonable person who would use the software.
|
||||
This might hypothetically examine whether a majority of
|
||||
random users would have "got it" when presented with the
|
||||
same information, however this is not quite how it is tested
|
||||
in law; instead, it is more of a gut-feeling.
|
||||
</p>
|
||||
|
||||
<h4 id="sZ.3"> Z.3 Recursive Distribution </h4>
|
||||
|
||||
<p>
|
||||
This licence is not intended to limit the ability of
|
||||
a re-distributor of Vendor's root list from operating under
|
||||
the same conditions as the Vendor. The licence applies
|
||||
equally to all distributors of CA's roots.
|
||||
It is the re-distributor's responsibility
|
||||
to be aware of this licence and to take appropriate
|
||||
steps. The primary Vendor discharges any responsibility
|
||||
to the re-distributor by making available this licence
|
||||
on the same basis as its other licences.
|
||||
See <a href="#1.4">§1.4-1</a>.
|
||||
</p>
|
||||
|
||||
<h4 id="sZ.4"> Z.4 Persons, Parties, Numbers </h4>
|
||||
|
||||
<p>
|
||||
As a convention of contract law, the participants
|
||||
are typically called parties.
|
||||
The CA is the first party.
|
||||
The Member is the second party,
|
||||
under a direct contract with CA
|
||||
(<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">CCA</a>).
|
||||
</p>
|
||||
|
||||
<p>
|
||||
The end-user however is typically not a direct party to the contract
|
||||
known as
|
||||
<a href="http://www.cacert.org/policy/NRPDisclaimerAndLicence.php">NRP-DaL</a>
|
||||
because she has typically not seen it nor agreed to it.
|
||||
In deference to this difficult position, she is termed
|
||||
the second person rather than second party,
|
||||
and more formally known as a Non-Related Person to
|
||||
underscore that situation.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
Therefore,
|
||||
in order to keep the above terms constant and less confusing,
|
||||
any distributor is therefore termed the third person.
|
||||
Hence this present agreement is between the first and third persons,
|
||||
and the title reflects that.
|
||||
(The use of the term Vendor does not imply there is a sale,
|
||||
it is only industry convention to include free distributors
|
||||
under this label.)
|
||||
</p>
|
||||
|
||||
</blockquote>
|
||||
|
||||
|
||||
</body></html>
|
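Review bot: The commit message names RootDistributionLicense but not the policy group decision that retired this document. The removed banner near the top of the file cites p20100710 and links to the RDL, and after this deletion that pointer exists only in history. Suggest citing p20100710 in the commit message. The preamble (0.3) and sections 1.2 and Z.4 link to NRPDisclaimerAndLicence.php and sections 1.4 and 2.1 refer to the NRP-DaL, so it is worth checking whether any remaining policy page links back to this 3rd Party Vendor licence before the file goes. The removed style block's own comment ("to disappear from www.c.o/policy/") suggests the page was reachable under the policy path, so a stale inbound link is plausible.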