-1. TO BE FIXED

D R A F T

This is DRAFT-V0.02.


0. Preliminaries

0.1 Background

Being that,

And that,

And that, in offering the USE of certificates to the end-user,

And that,

We both, CA and Vendor, agree that,

0.2 Parties

With the above understanding, the following Licence and Disclaimer is offered by CA to Vendor.

0.3 Terms

Terms used in this agreement are as defined in the CAcert Community Agreement.

1. Agreement and Licence

1.1 Agreement

You and CAcert both agree to the terms and conditions in this agreement. The relationship between the CA and the Vendor is based on this agreement. Your agreement is given by your distribution of the root within your distribution of your root list.

1.2 Other Agreements

The relationship between the Vendor and the end-user is based on Vendor's own agreement ("end-user licence agreement" or EULA). Generally, the Vendor offers the EULA to the end-user in the act of distributing the software and roots.

The relationship between the CA and the end-user is based on CA's Non-Related Persons -- Disclaimer and Licence ("NRP-DaL"). This Licence follows the style of popular open source licences, in that it is offered to an unknown audience, without a necessary expectation for explicit agreement by the end-user, because of the methods and restrictions of delivery.

1.3 Licence to Distribute

CA offers this licence to permit Vendor to distribute CA's roots within Vendor's root list to Vendor's end-users.

1.4 Agreement in Spirit

Vendor agrees to make EULA compatible and aligned with the CA's NRP-DaL. Specifically, the EULA must:

all with respect to the root list (including root keys, certificates, and related cryptographic and security software).

1.5 Agreement in Practice

Where agreement is explicitly sought from the end-user they will be offered and agree to:

Vendors are encouraged to ship the NRP-DaL with their software, and make available means for the end-user to further examine the NRP-DaL.
Note, document this elsewhere in FAQ.

1.6 Fair and Non-Discriminatory

Vendor agrees to make available CA's root key in a fair and non-discriminatory way to Vendor's end-users.
Note, document this elsewhere in FAQ.

2. Disclaimer

2.1 All Liability

Vendor's relationship with end-users creates risks, liabilities and obligations due to the end-user's permitted USE of the certificates, and potentially through other activities such as inappropriate and unpermitted RELIANCE.

We in general DISCLAIM ALL LIABILITY to each other and to the end-user.

2.2 Monetary Limits on Liability

Notwithstanding the general disclaimer on liability above, we agree that, to the extent that CAcert is reasonably represented to the Vendor's end-user by the software as being the Certificate Authority, at the events and circumstances in question, the liability of CAcert is strictly limited to 1000 euros. This is the same limit of liability that applies to each member of the CAcert Community.

To the extent that the CA is not reasonably represented to the end-user, we agree that any liability is limited to the lowest of agreed liabilities of all CAs for all roots shipped by the Vendor, and 1000 euros.

3. Legal Matters

3.1 Law

The Choice of Law is that of NSW, Australia.

3.2 Dispute Resolution

We agree that all disputes arising out of or in connection to this agreement and the root key of the CA shall be referred to and finally resolved by Arbitration under the Dispute Resolution Policy of the CA (DRP => COD7). The ruling of the Arbitrator is binding and final on CA and Vendor alike.

We further agree, as a single exception to DRP, that the single Arbitrator may be chosen from outside the CAcert Community.

3.3 CAcert Community Agreement

The CA also offers a CAcert Community Agreement (CCA). The CCA replaces the NRP-DaL and this present agreement for those parties that accept it.

If a Community member is also an end-user, then the provisions of the CCA will replace all elements of the CA's NRP-DaL, and will dominate this present agreement.

Acceptance alone of this present agreement by the Vendor does not imply that Vendor is a Community User/Member.


The following parts are not part of the above licence, but may shed light.

Z. FAQ

Z.1 Notes on Liability

The liability agreement between CA and Vendor suggests that the end-user be presented with the name of the CA. This is useful for identifying the particular characteristics of the CA, and accepts that all CAs are different. Each CA has its ways of checking, its relevant laws, and its particular view as to the interests of the end-user.

The Vendor should present the name of the CA so as to inform the end-user of what can be known. In the event that the Vendor does not present the CA, the CA is taking on all the risk and liability that the CA is equivalent to others, which can only be rationally measured as the lowest-common-denominator, that is, the lowest of the liabilities that is accepted across all CAs that are shipped by the CA. This would generally be zero.

If the CA has been presented to the end-user, the end-user is able to discriminate. In this case, it is reasonable for the CA to offer to share the liability, and to accept some limit to that liability.

Always remember that this is strictly within the relationship with the Vendor. As there are millions, and one day billions, of users, and as the software and the certificates are free, the liability to the end-user must be disclaimed totally. In other words, set to zero.

Z.2 Reasonably Shown

What it means to reasonably show the name of the CA is undefined, as security user interfaces currently are not representative of reasonable descriptions, and the area is an open research topic (sometimes known as "usable security").

A reasonable man test is known in law, and selects someone who would be the reasonable person who would use the software. This might hypothetically examine whether a majority of random users would have "got it" when presented with the same information; however, this is not quite how it is tested in law. Instead, it is more of a gut feeling.