Please do not reply directly to this email. All additional comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=474549

--- Comment #54 from Iang <iang@xxxxxxxx> 2011-11-03 07:28:06 EDT ---

Matt, comment #53

> (In reply to comment #51)
> > If for example we had a small merchant with PeopleBank.com as a
> > job sharing website, and his cert was stolen and used to defraud
> > PeoplesBank.com, a big financial institution, then we'd have an issue...
>
> You're saying that even if the CAcert root is distributed with "absolutely no
> warranty", someone may be able to use its lack of fitness for a particular
> purpose as the basis of a suit against a third party?

Yes, that's what I'm saying, more or less. Obviously, there are many different methods of legally attacking any CA's contract, and it's beyond the scope of this forum to examine what they would be. And this applies to all CAs, not just CAcert.

> I would like to think
> that that is not possible, but IANAL and I would want an actual lawyer's
> opinion.

Steve Schultze and Steve Roosa, for example, recently published a paper on this, but the tradition is long standing.

https://freedom-to-tinker.com/blog/sroosa/flawed-legal-architecture-certificate-authority-trust-model

Quote, for others skimming through:

"Given the absence of notice to the end-user and assent by the end-user, it would appear that many CAs would have a difficult time holding an end-user to the terms of the relying party agreements or certification practice statements. To date, the CA Trust Model's legal architecture has apparently not been the subject of any published court decision and remains untested. The bottom line is that the CA Trust Model's legal architecture inures to the benefit of no one. Neither website operators, certificate authorities, nor end-users can be sure of their rights or exposure. The Model's legal structure may therefore be just as troubling as its security vulnerabilities."

End quote. Within the legal field, it is normal for law profs to look at the general CA contracts and declare them unfit, and assert that the contracts would likely have a lot of trouble standing up in court.

> If this issue is real, it might affect free software more generally.

No, you may rest easy :) (Free) software is not affected by this because it isn't a business that ordinarily involves claims and liabilities and claims of fitness. CAs and certificates do; a certificate is a claim that it is fit for some purpose or other. So, CAs have to go to a great deal more effort to refine their legal posture, and protect themselves and their stakeholders. E.g., our legal project is 100 pages of contract & policy, and 3 years in the making.

In contrast, a pure play open source operation just copies one of the standard licences. And it's done. It's safe; it can even change midstream by issuing under dual licences without any problems.

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
_______________________________________________
package-review mailing list
package-review@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/package-review