From 7a09142e48e6667575bd085966137e81f6e38a17 Mon Sep 17 00:00:00 2001 From: Ian Grigg Date: Wed, 23 Jun 2010 05:50:17 +0000 Subject: [PATCH] Incorporated some notes from discussion with STS, general tidy-up, may be ready for policy group debate. git-svn-id: http://svn.cacert.org/CAcert/Policies@1934 14b1bab8-4ef6-0310-b690-991c95c89dfd --- Agreements/3PVDisclaimerAndLicence.html | 179 +++++++++++++++++------- 1 file changed, 130 insertions(+), 49 deletions(-) diff --git a/Agreements/3PVDisclaimerAndLicence.html b/Agreements/3PVDisclaimerAndLicence.html index ab9e54e..3b537ff 100644 --- a/Agreements/3PVDisclaimerAndLicence.html +++ b/Agreements/3PVDisclaimerAndLicence.html @@ -1,33 +1,73 @@ - + + + + + + CAcert - 3rd Party Vendor -- Licence and Disclaimer - -CAcert - 3rd Party Vendor -- Licence and Disclaimer - + + + +

-1. TO BE FIXED

-
w o r k -- i n -- p r o g r e s s
+

w o r k -- i n -- p r o g r e s s

-CAcert 3rd Party - Disclaimer and Licence - Status == wip

-This is wip-V0.05 as of 20091213. -

+CAcert 3rd Party - Disclaimer and Licence - Status == wip +

+This is wip-V0.06 as of 20100623. +Comments: +

- -

+

0.2 And that,

@@ -72,12 +113,12 @@ And that, to provide for a high degree of choice and control over certificates; -

+

0.3 And that, in offering the USE of certificates to the end-user,

-

+

0.5 We both, CA and Vendor, agree that,

@@ -155,9 +196,9 @@ the following Licence and Disclaimer is offered by CAcert to Vendor. 3rd Party Vendor - Licence and Disclaimer -

1. Agreement and Licence

+

1. Agreement and Licence

-

1.1 Agreement

+

1.1 Agreement

We (the Vendor and the CA) @@ -167,7 +208,7 @@ Your agreement is given by your distribution of the root within your distribution of your root list.

-

1.2 Other Agreements

+

1.2 Other Agreements

The relationship between the Vendor and the end-user @@ -187,14 +228,14 @@ expectation for explicit agreement by the end-user, because of the methods and restrictions of delivery.

-

1.3 Licence to Distribute

+

1.3 Licence to Distribute

CA offers this licence to permit Vendor to distribute CA's roots within Vendor's root list to Vendor's end-users.

-

1.4 Vendor's Agreement with End-User

+

1.4 Vendor's Agreement with End-User

Vendor agrees

@@ -205,7 +246,7 @@ Vendor agrees to advise the end-user of the NRP-DaL appropriately. -

1.5 Fair and Non-Discriminatory

+

1.5 Fair and Non-Discriminatory

Vendor agrees to make available CA's root key @@ -224,9 +265,9 @@ CA is the person making claims is likely to be material in a dispute over claims.

-

2. Disclaimer

+

2. Disclaimer

-

2.1 All Liability

+

2.1 All Liability

Vendor's relationship with end-users creates risks, liabilities @@ -243,7 +284,7 @@ in NRP-DaL.

-

2.2 Monetary Limits on Liability

+

2.2 Monetary Limits on Liability

Notwithstanding the general disclaimer on liability above, @@ -253,16 +294,16 @@ This is the same limit of liability that applies to each member of the CAcert Community.

-

3. Legal Matters

+

3. Legal Matters

-

3.1 Law

+

3.1 Law

The Choice of Law is that of NSW, Australia. Policies in force within CAcert are incorporated.

-

3.2 Dispute Resolution

+

3.2 Dispute Resolution

We agree that all disputes arising out @@ -285,37 +326,43 @@ The following parts are not part of the above licence, but may shed light.

-

Z. FAQ

+

Z. FAQ

-

Z.1 Notes on Liability

+

Z.1 Notes on Liability

Liability agreement between CA and Vendor -suggests that the end-user be presented with the name of the CA. +suggests that the end-user be presented with the name of the CA +in any act where the certificate is USED. This is useful for identifying the particular characteristics of the CA, and accepts that all CAs are different. Each CA has its ways of checking, its relevent laws, and its -particular view as to the interests of the end-user. +particular view as to the interests of the end-user, +and it is PKI practice and CPS practice that the +obligation falls on the end-user to understand this.

The Vendor should present the name of the CA so as to inform -the end-user of what can be known. -In the event that the Vendor does not present the CA, -the CA is taking on all the risk and liability that the -CA is equivalent to others, which can only be rationally -measured as the lowest-common-denominator, that is, -the lowest of the liabilities that is accepted across all -CAs that are shipped by the CA. -This would generally be zero. +the end-user of what can be known about the claim being made. +In the event that the Vendor does not present the CA's name, +the CA is taking on the risk and liability that is +equivalent to other CAs. Such a position can be seen +rationally as the lowest-common-denominator, that is, +the claim is no better than the worst claim made by the +worst of CAs. +Therefore the liability that is accepted by this CA is +the lowest that can be applied to any CA in the same position. +This liability limit would generally be zero. +Any additional liability would therefore fall to the Vendor.

If the CA has been presented to the end-user, the end-user -is able to discriminate. -In this case, it is reasonable for the CA to offer to share -the liability, and to accept some limit -to that liability. +is able to discriminate. CAs are no longer equivalent. +In this case, it is reasonable for the CA to share +the liability, over and above the lowest common denominator, +up to the limit expressed in the above licence.

@@ -327,7 +374,7 @@ to the end-user must be disclaimed totally. In other words, set to zero.

-

Z.2 Reasonably Shown

+

Z.2 Reasonably Shown

To reasonably show the name of the CA is undefined, @@ -345,7 +392,7 @@ same information, however this is not quite how it is tested in law; instead, it is more of a gut-feeling.

-

Z.3 Recursive Distribution

+

Z.3 Recursive Distribution

This licence is not intended to limit the ability of @@ -357,6 +404,40 @@ to be aware of this licence and to take appropriate steps. The primary Vendor discharges any responsibility to the re-distributor by making available this licence on the same basis as its other licences. +See §1.4-1. +

+ +

Z.4 Persons, Parties, Numbers

+ +

+As a convention of contract law, the participants +are typically called parties. +The CA is the first party. +The Member is the second party, +under a direct contract with CA +(CCA). +

+ +

+The end-user however is typically not a direct party to the contract +known as +NRP-DaL +because she has typically not seen it nor agreed to it. +In deference to this difficult position, she is termed +the second person rather than second party, +and more formally known as a Non-Related Person to +underscore that situation. +

+ +

+Therefore, +in order to keep the above terms constant and less confusing, +any distributor is therefore termed the third person. +Hence this present agreement is between the first and third persons, +and the title reflects that. +(The use of the term Vendor does not imply there is a sale, +it is only industry convention to include free distributors +under this label.)