Incorporated some notes from discussion with STS,

general tidy-up, may be ready for policy group debate.


git-svn-id: http://svn.cacert.org/CAcert/Policies@1934 14b1bab8-4ef6-0310-b690-991c95c89dfd
Ian Grigg 2010-06-23 05:50:17 +00:00
parent 08752082e5
commit 7a09142e48


@ -1,33 +1,73 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8" />
<title>CAcert - 3rd Party Vendor -- Licence and Disclaimer </title>
<html> <style type="text/css"> <!-- to disappear from www.c.o/policy/ -->
<head><title>CAcert - 3rd Party Vendor -- Licence and Disclaimer </title></head> <!--
<body> body {
font-family : verdana, helvetica, arial, sans-serif;
}
th {
text-align : left;
}
.q {
color : green;
font-weight: bold;
text-align: center;
font-style:italic;
}
.change {
color : blue;
font-weight: bold;
}
.strike {
color : blue;
text-decoration:line-through;
}
a:hover {
color : gray;
}
-->
</style>
</head>
<body lang="en-GB">
<h3> -1. TO BE FIXED </h3> <h3> -1. TO BE FIXED </h3>
<center> <b> w o r k -- i n -- p r o g r e s s</b> </center> <p class="q"> <big> w o r k -- i n -- p r o g r e s s</big> </p>
<a href="http://www.cacert.org/policy/PolicyOnPolicy.php"><img align="right" src="../Images/cacert-wip.png" alt="CAcert 3rd Party - Disclaimer and Licence - Status == wip" border="0"></a><p> <i> <a href="http://www.cacert.org/policy/PolicyOnPolicy.php"><img style="float: right; border-width: 0" src="../Images/cacert-wip.png" alt="CAcert 3rd Party - Disclaimer and Licence - Status == wip" border="0"></a>
This is wip-V0.05 as of 20091213. <p class="q">
</i></p> This is wip-V0.06 as of 20100623.
Comments:
</p>
<ul><li> <ul class="q"><li>
<i>add comments here...</i> Added FAQ section on <a href="#sZ.4">Persons, Parties, Numbers</a>, following confusion from STS 20100620
<!-- add more comments here... -->
</li></ul> </li></ul>
<p class="q">
Policy starts:
</p>
<hr> <hr>
<blockquote> <blockquote>
<h3> <a name="0"> 0. </a> Preamble </h3> <h3 id="s0"> 0. Preamble </h3>
<p><i> <p><i>
This section is not part of the licence but may be explanatory. This section is not part of the licence but may be explanatory.
<a href="#title">Skip to licence.</a> <a href="#title">Skip to licence.</a>
</i></p> </i></p>
<p> <p id="s0.1">0.1
Being that, Being that,
</p> </p>
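Review bot: The new XHTML 1.1 doctype and XML declaration at the top do not match the markup that follows: the replacement `<img style="float: right; border-width: 0" ... border="0">` still carries the `border` attribute and is not self-closed, and the `<hr>` below it is left unclosed. Either close the empty elements and drop `border="0"` (the inline style already covers it), or keep the HTML 4.01 Transitional doctype. Separately, the comment `<!-- to disappear from www.c.o/policy/ -->` sits inside the `<style>` element, where a text/html parser treats it as stylesheet text rather than as an HTML comment; move it above the `<style>` tag or write it as a CSS `/* ... */` comment.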
@ -39,7 +79,8 @@ Being that,
for the direct benefit and RELIANCE of its Community of signed-up users for the direct benefit and RELIANCE of its Community of signed-up users
("Members"), ("Members"),
RELIANCE being defined as the Member's act in making a decision, RELIANCE being defined as the Member's act in making a decision,
including taking a risk, in whole or in part based on the certificate, that takes on a risk or liability,
in whole or in part based on the certificate,
and and
</li><li> </li><li>
where possible, of some indirect benefit and USE to other general users where possible, of some indirect benefit and USE to other general users
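Review bot: The reworded RELIANCE definition changes the meaning of a defined term rather than tidying it: "a decision, including taking a risk" covered any decision based on the certificate, while "a decision, that takes on a risk or liability" reads as covering only decisions that take on a risk or liability. If the narrowing is intended, record it in the change comments at the top of the document, since the commit message does not mention a change to a defined term; if it is not intended, keep "including". The comma before "that" also makes the new clause hard to parse.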
@ -50,7 +91,7 @@ Being that,
knowledge being required of the user; knowledge being required of the user;
</li></ul> </li></ul>
<p> <p id="s0.2">0.2
And that, And that,
</p> </p>
@ -72,12 +113,12 @@ And that,
to provide for a high degree of choice and control over certificates; to provide for a high degree of choice and control over certificates;
</li></ul> </li></ul>
<p> <p id="s0.3">0.3
And that, in offering the USE of certificates to the end-user, And that, in offering the USE of certificates to the end-user,
</p> </p>
<ul><li> <ul><li>
the CA has no direct relationship with the the end-user, the CA has no direct relationship with the end-user,
</li><li> </li><li>
it is not economic nor reasonable to expect such a it is not economic nor reasonable to expect such a
direct relationship, direct relationship,
@ -86,7 +127,7 @@ And that, in offering the USE of certificates to the end-user,
the CA offers its the CA offers its
<a href="http://www.cacert.org/policy/NRPDisclaimerAndLicence.php"> <a href="http://www.cacert.org/policy/NRPDisclaimerAndLicence.php">
Non-Related Persons -- Disclaimer and Licence</a> Non-Related Persons -- Disclaimer and Licence</a>
to the end-user ("NRP"), in which to the end-user ("NRP") in which
<ul><li> <ul><li>
the CA disclaims liability to NRPs, the CA disclaims liability to NRPs,
</li><li> </li><li>
@ -99,7 +140,7 @@ And that, in offering the USE of certificates to the end-user,
and thus becoming a Member (which overrides the NRP-DaL); and thus becoming a Member (which overrides the NRP-DaL);
</li></ul> </li></ul>
<p> <p id="s0.4">0.4
And that, And that,
</p> </p>
@ -122,7 +163,7 @@ And that,
to its end-users; to its end-users;
</li></ul> </li></ul>
<p> <p id="s0.5">0.5
We both, CA and Vendor, agree that, We both, CA and Vendor, agree that,
</p> </p>
@ -155,9 +196,9 @@ the following Licence and Disclaimer is offered by CAcert to Vendor.
<a name="title"> 3rd Party Vendor - Licence and Disclaimer </a> <a name="title"> 3rd Party Vendor - Licence and Disclaimer </a>
</b></center> </b></center>
<h3> <a name="1"> 1. </a> Agreement and Licence </h3> <h3 id="s1"> 1. Agreement and Licence </h3>
<h4> <a name="1.1"> 1.1 </a> Agreement </h4> <h4 id="s1.1"> 1.1 Agreement </h4>
<p> <p>
We (the Vendor and the CA) We (the Vendor and the CA)
@ -167,7 +208,7 @@ Your agreement is given by your distribution of the root within your
distribution of your root list. distribution of your root list.
</p> </p>
<h4> <a name="1.1"> 1.2 </a> Other Agreements </h4> <h4 id="s1.2"> 1.2 Other Agreements </h4>
<p> <p>
The relationship between the Vendor and the end-user The relationship between the Vendor and the end-user
@ -187,14 +228,14 @@ expectation for explicit agreement by the end-user,
because of the methods and restrictions of delivery. because of the methods and restrictions of delivery.
</p> </p>
<h4> <a name="1.3"> 1.3 </a> Licence to Distribute </h4> <h4 id="s1.3"> 1.3 Licence to Distribute </h4>
<p> <p>
CA offers this licence to permit Vendor to distribute CA's roots CA offers this licence to permit Vendor to distribute CA's roots
within Vendor's root list to Vendor's end-users. within Vendor's root list to Vendor's end-users.
</p> </p>
<h4> <a name="1.4"> 1.4 </a> Vendor's Agreement with End-User </h4> <h4 id="s1.4"> 1.4 Vendor's Agreement with End-User </h4>
<p> <p>
Vendor agrees Vendor agrees
</p> </p>
@ -205,7 +246,7 @@ Vendor agrees
to advise the end-user of the NRP-DaL appropriately. to advise the end-user of the NRP-DaL appropriately.
</li></ol> </li></ol>
<h4> <a name="1.5"> 1.5 </a> Fair and Non-Discriminatory </h4> <h4 id="s1.5"> 1.5 Fair and Non-Discriminatory </h4>
<p> <p>
Vendor agrees to make available CA's root key Vendor agrees to make available CA's root key
@ -224,9 +265,9 @@ CA is the person making claims is likely to be
material in a dispute over claims. material in a dispute over claims.
</p> </p>
<h3> <a name="2"> 2. </a> Disclaimer </h3> <h3 id="s2"> 2. Disclaimer </h3>
<h4> <a name="2.1"> 2.1 </a> All Liability </h4> <h4 id="s2.1"> 2.1 All Liability </h4>
<p> <p>
Vendor's relationship with end-users creates risks, liabilities Vendor's relationship with end-users creates risks, liabilities
@ -243,7 +284,7 @@ in NRP-DaL.
</p> </p>
<h4> <a name="2.2"> 2.2 </a> Monetary Limits on Liability </h4> <h4 id="s2.2"> 2.2 Monetary Limits on Liability </h4>
<p> <p>
Notwithstanding the general disclaimer on liability above, Notwithstanding the general disclaimer on liability above,
@ -253,16 +294,16 @@ This is the same limit of liability that applies to each
member of the CAcert Community. member of the CAcert Community.
</p> </p>
<h3> <a name="3"> 3. </a> Legal Matters </h3> <h3 id="s3"> 3. Legal Matters </h3>
<h4> <a name="2.3"> 3.1 </a> Law </h4> <h4 id="s3.3"> 3.1 Law </h4>
<p> <p>
The Choice of Law is that of NSW, Australia. The Choice of Law is that of NSW, Australia.
Policies in force within CAcert are incorporated. Policies in force within CAcert are incorporated.
</p> </p>
<h4> <a name="2.4"> 3.2 </a> Dispute Resolution </h4> <h4 id="s3.4"> 3.2 Dispute Resolution </h4>
<p> <p>
We agree that all disputes arising out We agree that all disputes arising out
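Review bot: The new ids on the two section 3 sub-headings do not follow the numbering used everywhere else in this change: `id="s3.3"` is on "3.1 Law" and `id="s3.4"` is on "3.2 Dispute Resolution". They look carried over from the old `name="2.3"` and `name="2.4"` values; suggest `id="s3.1"` and `id="s3.2"` so that fragment links match the visible section numbers.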
@ -285,37 +326,43 @@ The following parts are not part of the above licence,
but may shed light. but may shed light.
</p> </p>
<h3> <a name="faq"> Z. </a> FAQ </h3> <h3 id="sfaq"> Z. FAQ </h3>
<h4> <a name="Z.1"> Z.1 </a> Notes on Liability </h4> <h4 id="sZ.1"> Z.1 Notes on Liability </h4>
<p> <p>
Liability agreement between CA and Vendor Liability agreement between CA and Vendor
suggests that the end-user be presented with the name of the CA. suggests that the end-user be presented with the name of the CA
in any act where the certificate is USED.
This is useful for identifying the particular characteristics This is useful for identifying the particular characteristics
of the CA, and accepts that all CAs are different. of the CA, and accepts that all CAs are different.
Each CA has its ways of checking, its relevent laws, and its Each CA has its ways of checking, its relevent laws, and its
particular view as to the interests of the end-user. particular view as to the interests of the end-user,
and it is PKI practice and CPS practice that the
obligation falls on the end-user to understand this.
</p> </p>
<p> <p>
The Vendor should present the name of the CA so as to inform The Vendor should present the name of the CA so as to inform
the end-user of what can be known. the end-user of what can be known about the claim being made.
In the event that the Vendor does not present the CA, In the event that the Vendor does not present the CA's name,
the CA is taking on all the risk and liability that the the CA is taking on the risk and liability that is
CA is equivalent to others, which can only be rationally equivalent to other CAs. Such a position can be seen
measured as the <i>lowest-common-denominator</i>, that is, rationally as the <i>lowest-common-denominator</i>, that is,
the lowest of the liabilities that is accepted across all the claim is no better than the worst claim made by the
CAs that are shipped by the CA. worst of CAs.
This would generally be zero. Therefore the liability that is accepted by this CA is
the lowest that can be applied to any CA in the same position.
This liability limit would generally be zero.
Any additional liability would therefore fall to the Vendor.
</p> </p>
<p> <p>
If the CA has been presented to the end-user, the end-user If the CA has been presented to the end-user, the end-user
is able to discriminate. is able to discriminate. CAs are no longer equivalent.
In this case, it is reasonable for the CA to offer to share In this case, it is reasonable for the CA to share
the liability, and to accept some limit the liability, over and above the lowest common denominator,
to that liability. up to the limit expressed in the above licence.
</p> </p>
<p> <p>
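Review bot: The added sentence "Any additional liability would therefore fall to the Vendor." allocates liability inside Z.1, a section the document itself introduces as "not part of the above licence". If the Vendor is meant to carry that liability, state it in section 2 (Disclaimer) and only explain it here; otherwise soften the FAQ wording so it does not read as a term. The same applies to the new clause that the "obligation falls on the end-user to understand this". While this paragraph is being edited, "relevent" on the unchanged line should be "relevant".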
@ -327,7 +374,7 @@ to the end-user must be disclaimed totally.
In other words, set to zero. In other words, set to zero.
</p> </p>
<h4> <a name="Z.2"> Z.2 </a> Reasonably Shown </h4> <h4 id="sZ.2"> Z.2 Reasonably Shown </h4>
<p> <p>
To reasonably show the name of the CA is undefined, To reasonably show the name of the CA is undefined,
@ -345,7 +392,7 @@ same information, however this is not quite how it is tested
in law; instead, it is more of a gut-feeling. in law; instead, it is more of a gut-feeling.
</p> </p>
<h4> <a name="Z.3"> Z.3 </a> Recursive Distribution </h4> <h4 id="sZ.3"> Z.3 Recursive Distribution </h4>
<p> <p>
This licence is not intended to limit the ability of This licence is not intended to limit the ability of
@ -357,6 +404,40 @@ to be aware of this licence and to take appropriate
steps. The primary Vendor discharges any responsibility steps. The primary Vendor discharges any responsibility
to the re-distributor by making available this licence to the re-distributor by making available this licence
on the same basis as its other licences. on the same basis as its other licences.
See <a href="#1.4">&sect;1.4-1</a>.
</p>
<h4 id="sZ.4"> Z.4 Persons, Parties, Numbers </h4>
<p>
As a convention of contract law, the participants
are typically called parties.
The CA is the first party.
The Member is the second party,
under a direct contract with CA
(<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">CCA</a>).
</p>
<p>
The end-user however is typically not a direct party to the contract
known as
<a href="http://www.cacert.org/policy/NRPDisclaimerAndLicence.php">NRP-DaL</a>
because she has typically not seen it nor agreed to it.
In deference to this difficult position, she is termed
the second person rather than second party,
and more formally known as a Non-Related Person to
underscore that situation.
</p>
<p>
Therefore,
in order to keep the above terms constant and less confusing,
any distributor is therefore termed the third person.
Hence this present agreement is between the first and third persons,
and the title reflects that.
(The use of the term Vendor does not imply there is a sale,
it is only industry convention to include free distributors
under this label.)
</p> </p>
</blockquote> </blockquote>
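Review bot: The added cross-reference `See <a href="#1.4">&sect;1.4-1</a>.` in Z.3 points at an anchor this same change removes: section 1.4 is now `<h4 id="s1.4">`, so the link should be `href="#s1.4"`. Any existing link to the other old `name` anchors (`#1`, `#1.1`, `#faq`, `#Z.1` and so on) breaks the same way, so consider keeping the old names as aliases. In Z.4, "Therefore, ... any distributor is therefore termed the third person" repeats "therefore"; drop one.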