Please do not reply directly to this email. All additional comments should be
made in the comments box of this bug.

https://bugzilla.redhat.com/show_bug.cgi?id=474549

--- Comment #44 from Matt McCutchen <matt@xxxxxxxxxxxxxxxxx> 2011-11-02 04:45:14 EDT ---
(In reply to comment #41)
> However
> we cannot disclaim the liability of a member to a user for communications that
> take place between the member and the user directly.

What would be an example of a suit against a member that you would want to prevent?

> The only recourse is that we state "If you are not bound by the CCA you may not
> rely (as defined) upon anything CAcert says with its certificates" Because this
> then eliminates any reliance in statements made via CAcert certificates between
> the member and the user.

And as long as you insist on doing this, the root is non-free.

> So is this a "use restriction"? Absolutely. You may not use CAcert certificates
> as a base for your decision making.

But that is precisely what availability of the root in Fedora would invite users to do. This is the kind of legal trap that Red Hat has rightly stood firm against.

> Because of the specific environment CAcert operates in and the specific needs
> of an open community in this space, our policies and licenses have to diverge
> from the standard OSS licenses, since they are tailored to different needs. So
> long as this is ignored no progress on this issue will be reachable.

Yep. I don't see why Fedora should be any more willing to make an exception for CAcert than for other projects that do not meet its licensing requirements due to competing interests.

(In reply to comment #42)
> Imagine we get sued for
> some bank class action fraud…

You have disclaimed liability. What is the problem?

> As you see in the CAcert RDL, we use the statement "you may not RELY" in order
> to make sure that you, as a non-member of CAcert, don't actually assume you can
> sue us if something goes wrong.

Non-members would be wrong to make that assumption anyway, because you have disclaimed liability.

> However, what you do have as a visitor to some cert at a user level is a
> permission to USE. This is really what is desired and is useful, because in
> the practical world of Internet and communications, we don't typically sue each
> other.

No, you are conflating relying with suing. In the practical world, I choose to rely (= make decisions based on certificates) all the time via the tool of my browser, even though I know I cannot sue.

(In reply to comment #43)
> All CAs typically do not give
> permission to rely, unless you enter into a Relying Party Agreement. (Google
> knows...)

Wrong. StartCom allows unrelated parties to rely at their own risk (http://www.startssl.com/policy.pdf, "Legal and Limitations"). VeriSign allows unrelated parties the same provided that they "validate" the certificates, whatever that means (http://www.verisign.com/repository/rpa.html).

> In summary, in order to say that CAcert's licence is bad (non-free is the term
> used above) we have to also say that all the other licences of all the other
> CAs are better (freer?). Has that been done?

I hereby say it. It's likely that some of the other root certificate licenses strictly speaking do not meet Fedora's requirements, but CAcert's use restriction is by far the most blatant.