https://bugzilla.redhat.com/show_bug.cgi?id=474549

--- Comment #58 from Iang <iang@xxxxxxxx> 2011-11-04 10:10:59 EDT ---

Matt,

> [2 CAs] let me do this anonymously at my own risk if I validate
> the certificate;

:) so, there is one of the industry's dirty little secrets: validate. You are not allowed to rely *unless you validate the certificate*. What does that mean?

Well, to cut short a long debate, I'll assert it: the requirement to validate is complete. You must validate the other party/certificate to the extent that you do not need to rely on the certificate. At all!

The description doesn't say it, but you will find out in court that this is what it means. In court, if you relied on my name being Iang from a certificate, you will have to show you also checked it another way. In short, you will have to show that reliance was ignored or ignorable. And because you took it at your own risk, and because you did your own diligence, and you got it wrong, then the CA isn't at fault.

Now, let's look at a legal definition of Reliance (just the 1st I found):

http://legal-dictionary.thefreedictionary.com/reliance

> reliance n. acting upon another's statement of alleged fact, claim, or promise. In contracts, if someone takes some steps ("changes his position" is the usual legal language) in reliance on the other's statement, claim or promise then the person upon whom the actor relied is entitled to contend there is a contract he/she can enforce. However, the reliance must be reasonable. (See: reasonable reliance)

Do you see what has happened? The CAs have re-defined reliance to be not reliance: at own risk, must do own validation, disclaimer of liabilities, no clause you can enforce, etc etc. This is the Fort Knox definition of reliance: we have a lot of gold, but in order to get it, you'll be committing harakiri.

For those CAs, reliance is an empty term. They could call it pink bananas and it would have the same effect: here is a list of things that *you have to do* in order to use the certificate. Legally, they don't offer you anything that you couldn't get other ways, and by legal assertion in the contract, you must get those things other ways.

Now, CAcert declines to do that. We decline to stand up before the judge and say "your honour, we offer reliance, but our contract strips it of meaning!" That's why we call the normal usage of certificates USE.

(Earlier, we discussed whether the RPAs are valid, and whether they are potentially risky contracts. We can now see an avenue of attack: anything to do with the use of the term "reliance" is a target for being written out by the judge, because it redefines itself out of well-understood legal tradition. A risk... and that is yet another reason why CAcert does not join the rest of the industry.)