https://bugzilla.redhat.com/show_bug.cgi?id=474549

--- Comment #53 from Matt McCutchen <matt@xxxxxxxxxxxxxxxxx> 2011-11-03 03:34:48 EDT ---

Phillip and Ian,

Please spare us the self-righteousness and the propaganda. The topic of this bug is whether the CAcert root meets Fedora's licensing requirements.

(In reply to comment #46)
> Well actually CAcert does the same thing. If you want to rely on a StartCom or
> Verisign Cert you need to enter into their separate Relying Party Agreement. If
> you want to rely on a CAcert Certificate you have to enter into the CCA
> http://www.cacert.org/policy/CAcertCommunityAgreement.php
>
> So where is the difference?

Sorry, I wasn't precise enough. To rely under the CCA, one must register affirmatively with CAcert (fails the dissident test) and agree to be bound by arbitration, including potential liability up to 1000 euros; it's unclear whether a party who does not obtain any certificates from CAcert can be certain of avoiding this liability. This is not something to which Fedora should expose its users. OTOH, the VeriSign RPA can be entered anonymously and allows one to rely at one's own risk, provided that one "validates" the certificates, without accepting any obligations or liabilities aside from a standard indemnity. StartCom doesn't purport to restrict reliance, and just makes clear that it is at one's own risk.

(In reply to comment #51)
> If for example we had a small merchant with PeopleBank.com as a
> job sharing website, and his cert was stolen and used to defraud
> PeoplesBank.com, a big financial institution, then we'd have an issue...

You're saying that even if the CAcert root is distributed with "absolutely no warranty", someone may be able to use its lack of fitness for a particular purpose as the basis of a suit against a third party? I would like to think that that is not possible, but IANAL and I would want an actual lawyer's opinion. If this issue is real, it might affect free software more generally.