Gervase Markham wrote, On 2008-02-09 02:35:
> Eddy Nigg (StartCom Ltd.) wrote:
>> Since sometimes there are some licensing concerns with the certdata.txt 
>> file, I wanted to know exactly what one is allowed to do. If for example 
>> by merely extracting the CA certificates with a tool like 
>> http://curl.haxx.se/lxr/source/lib/mk-ca-bundle.pl still requires the 
>> resulting CA bundle to be bound to the tri-license of Mozilla? Or can I 
>> simply extract all CA certificates from the browser by exporting them?
> 
> I think the correct position is that the certdata.txt file is data used 
> by Mozilla, rather than part of the browser itself. 

That file is used during the process of compiling and building the browser.
Its contents are transformed into "c" code that becomes part of a file that
is compiled into the browser.  That file is certdata.c in the same directory
as certdata.txt.

> The copyright in the certificates technically rests with the CAs, but it 
> would be a very strange CA which forbade you from shipping their 
> certificate in your product. I'm not sure what the legal position would 
> be there.

As I recall, at one time, at least one of the CAs whose root CA
certificates are now found in certdata.txt had a policy that their root CA
certificates were to be published ONLY as part of products to which they
had explicitly given permission to distribute them.  That CA did not make
its root CA certificates available for direct download from any of its
web sites or FTP servers, and it forbade others to distribute its root CA
certificates in that way, on pain of prosecution for copyright infringement.
 When NSS was finally able to be open-sourced late in the year 2000, that CA
was required to agree to allow its certificates to be distributed in various
other fashions, in accordance with the MPL, in order for those certs to be
eligible to become part of the NSS open source.
I suppose there are records of that agreement somewhere, but I don't know
where, or even who were the parties that executed the agreement.

But nonetheless, I believe that the appearance of any CA's root certs in
NSS's root cert list is evidence that, at one time in the past, the NSS
developers believed they had explicit permission from that CA to include
its certs in a file distributed under MPL terms.  And so I believe the MPL
terms still fully apply today.

/Nelson
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
