Re: Bug#687693: ca-certificates: Cacert License is missing

2012-11-04 Thread Michael Shuler
Control: tags -1 wontfix

On 11/04/2012 03:23 PM, Steve Langasek wrote:
> I hereby grant you a non-exclusive, worldwide, royalty-free license to eat
> cheese with salami, subject to the following conditions:
> 
>  - You do not use the name of debian-legal while talking with food in your
>    mouth.
>  - You do not eat cheese with wine.
>  - Neither the name of the University of California nor the name of the
>    Tillamook County Creamery Association may be used to endorse or promote
>    products derived from your consumption of cheese and salami without
>    specific prior written permission.
> 
> In the event that any provision of this license is held to be invalid or
> unenforceable, the remaining provisions of this license remain in full force
> and effect.
> 
> Hope that helps,

Indeed!  A realistic example helps me step back from trying to think like
an attorney, and a good laugh helps, too.

I really appreciate your insight, Steve.

-- 
Warm regards,
Michael Shuler






Re: Bug#687693: ca-certificates: Cacert License is missing

2012-11-04 Thread Steve Langasek
On Sun, Nov 04, 2012 at 02:56:27PM -0600, Michael Shuler wrote:
> Among other suggestions, Francesco Poli recommended including a verbatim
> copy of this license.

You should not.  If the license has no legal force, you should not propagate
it and give people the impression that it does.

> > The CAcert license is therefore something we should entirely ignore, because
> > it has no legal force.

> Is this really the case?  Should Debian ignore CAcert's license on their
> root certificates?

> Here is my reasoning, distilled as best I can:

> CAcert has explicitly licensed their root certificates.

This is an inaccurate statement.  What CAcert have done is unilaterally
assert that you *need* a license for their root certificates.

If you don't need a license, then what they have done is not "licensing":
it's an attempt to assert control not granted to them under law.

> Even if SSL certificates are not copyrightable, the RDL contains the
> language:

> "In the event that any provision of this license is held to be invalid
> or unenforceable, the remaining provisions of this license remain in
> full force and effect."

Which is irrelevant, because *we don't need a license in the first place*.

I hereby grant you a non-exclusive, worldwide, royalty-free license to eat
cheese with salami, subject to the following conditions:

 - You do not use the name of debian-legal while talking with food in your
   mouth.
 - You do not eat cheese with wine.
 - Neither the name of the University of California nor the name of the
   Tillamook County Creamery Association may be used to endorse or promote
   products derived from your consumption of cheese and salami without
   specific prior written permission.

In the event that any provision of this license is held to be invalid or
unenforceable, the remaining provisions of this license remain in full force
and effect.

Hope that helps,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org




Re: Bug#687693: ca-certificates: Cacert License is missing

2012-11-04 Thread Michael Shuler
On 11/03/2012 08:15 PM, Steve Langasek wrote:
> On Sat, Nov 03, 2012 at 03:28:08PM -0500, Michael Shuler wrote:
>> After reading the -legal thread, comments above, the CAcert mailing list
>> thread, the Fedora explanation, and carefully reading the licensing
>> myself, the cautious side of me says the right thing to do is remove the
>> CAcert certificates from the package. This change will be committed to
>> the collab-maint git repo shortly.
> 
>> I appreciate the bug report, mejiko, and for others taking the time to
>> consider this issue. I will consider a ca-certificates-cacert ITP for
>> inclusion in non-free.
> 
> Which debian-legal thread were you reading?  Because the two comments I see
> cc:ed to this bug report from debian-legal, from Francesco Poli and Florian
> Weimer, both point out that *certificates are not copyrightable*.  An SSL
> certificate is a unique representation of a mathematical fact; since it
> contains no creative element, copyright law does not provide for any
> monopoly rights prohibiting distribution.

There was one other short reply on debian-legal that was not sent to the
bug report. (Sorry if I broke the threading, I am not subscribed to
debian-legal)

I understand that SSL certificates, themselves, are math, and I
understand the conclusion that they are not copyrightable.  However, I
am not fully convinced that, due to this conclusion, the CAcert license
has no effect (or whatever the proper legal terminology would be).

Among other suggestions, Francesco Poli recommended including a verbatim
copy of this license.

> The CAcert license is therefore something we should entirely ignore, because
> it has no legal force.

Is this really the case?  Should Debian ignore CAcert's license on their
root certificates?

Here is my reasoning, distilled as best I can:

CAcert has explicitly licensed their root certificates.

Even if SSL certificates are not copyrightable, the RDL contains the
language:

"In the event that any provision of this license is held to be invalid
or unenforceable, the remaining provisions of this license remain in
full force and effect."

This statement, along with the use restriction, in my reading, means
that the remainder of the CAcert RDL license is still applicable, as
they have intended, regardless of the copyright question.  It seems
clear from Fedora's decision, as well as Francesco's opinion and
Raphael's look (both non-legal opinions, as well as my own), that the
use restriction makes the CAcert root certificates licensed under a
non-free license.  Am I reading and interpreting this incorrectly?

If this license should be included in the ca-certificates package, then
an interpretation by ftp-master, I assumed, would result in the same
opinion.

In addition, the Social Contract #1 states that all _components_ (not
just copyrightable software) are to be 100% free.  That was the kicker
that made me think this license applies, regardless of copyrightability.

> Your proposal to remove it from the package without
> specific legal guidance to the contrary is a gross overreaction.

I have spent several sessions, since this bug was reported, carefully
reading the RDL license, other licenses, mailing list posts, etc.  My
(non-lawyer) interpretation of this issue led me to believe that the
right thing to do was to remove the CAcerts from this package in main,
due to it being licensed under a non-DFSG license.  Additionally,
including this CA as a non-free package for Debian users seems a
reasonable workaround.

I'm completely open to additional legal guidance with this, and I hope
you can see my logic wasn't just some overreaction - perhaps misguided
by trying to do the right thing following policy, I'll admit.  Heck, I
had no idea an SSL cert could be licensed, but it is clear to me that
CAcert has intentionally done just that.

-- 
Kind regards,
Michael Shuler





Re: Bug#687693: ca-certificates: Cacert License is missing

2012-11-03 Thread Steve Langasek
On Sat, Nov 03, 2012 at 03:28:08PM -0500, Michael Shuler wrote:
> Control: severity -1 serious
> Control: tags -1 pending

> (Setting to serious, due to policy violation)

> After reading the -legal thread, comments above, the CAcert mailing list
> thread, the Fedora explanation, and carefully reading the licensing
> myself, the cautious side of me says the right thing to do is remove the
> CAcert certificates from the package. This change will be committed to
> the collab-maint git repo shortly.

> I appreciate the bug report, mejiko, and for others taking the time to
> consider this issue. I will consider a ca-certificates-cacert ITP for
> inclusion in non-free.

Which debian-legal thread were you reading?  Because the two comments I see
cc:ed to this bug report from debian-legal, from Francesco Poli and Florian
Weimer, both point out that *certificates are not copyrightable*.  An SSL
certificate is a unique representation of a mathematical fact; since it
contains no creative element, copyright law does not provide for any
monopoly rights prohibiting distribution.

The CAcert license is therefore something we should entirely ignore, because
it has no legal force.  Your proposal to remove it from the package without
specific legal guidance to the contrary is a gross overreaction.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org


-- 
To UNSUBSCRIBE, email to debian-legal-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20121104011525.gb6...@virgil.dodds.net



Re: Bug#687693: ca-certificates: Cacert License is missing

2012-11-03 Thread Michael Shuler
Control: severity -1 serious
Control: tags -1 pending

(Setting to serious, due to policy violation)

After reading the -legal thread, comments above, the CAcert mailing list
thread, the Fedora explanation, and carefully reading the licensing
myself, the cautious side of me says the right thing to do is remove the
CAcert certificates from the package. This change will be committed to
the collab-maint git repo shortly.

I appreciate the bug report, mejiko, and for others taking the time to
consider this issue. I will consider a ca-certificates-cacert ITP for
inclusion in non-free.

-- 
Kind regards,
Michael





Re: Bug#687693: ca-certificates: Cacert License is missing

2012-09-16 Thread Charles Plessy
On Sat, Sep 15, 2012 at 12:35:09PM -0500, Raphael Geissert wrote:
> Hi everyone,
> 
> mejiko: thanks for pointing it out, I'm forwarding your report to our 
> debian-legal mailing list to seek their opinion.
> 
> On Saturday 15 September 2012 03:15:10 mejiko wrote:
> [...]
> > ca-certificates packages included Cacert Root certificates.
> > These certificates are licensed under Cacert Root Distribution License (RDL).
> [...]
> > http://www.cacert.org/policy/RootDistributionLicense.php
> > https://lists.cacert.org/wws/arc/cacert-policy/2012-02/msg00031.html
> > https://fedoraproject.org/wiki/Licensing/CACert_Root_Distribution_License
> 
> TL;DR; RDL looks non-free, Philipp Dunkel from CAcert says Debian is fine (to 
> distribute) because of the disclaimer re the certificates included in ca-
> certificates, Fedora says it is non-free.
> 
> What do the others think about it?
> 
> To me, it doesn't just seem to be a (re-)distribution issue. Rather, the 
> need for an additional agreement with CAcert. 

Hello Raphael,

could it be a very strangely phrased disclaimer of warranty ?  That
"A lets B rely on A", is similar to "A warrants to B".

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan





Re: Bug#687693: ca-certificates: Cacert License is missing

2012-09-16 Thread Florian Weimer
* Raphael Geissert:

> TL;DR; RDL looks non-free, Philipp Dunkel from CAcert says Debian is fine (to 
> distribute) because of the disclaimer re the certificates included in ca-
> certificates, Fedora says it is non-free.
>
> What do the others think about it?

If we take CA certificate license statements seriously, we have a
problem because they often contain unacceptable requirements:
prohibition of redistribution, mandatory updates to the software we
ship, constraints on how our programs behave, indemnification,
agreement to arbitration, etc.

It's probably best if we treat certificates as factual information not
subject to copyright.  But the trademark side is even more messy
because CA certificates sometimes embed trademarks which have nothing
to do whatsoever with the private key owner du jour.





Re: Bug#687693: ca-certificates: Cacert License is missing

2012-09-16 Thread Francesco Poli
On Sat, 15 Sep 2012 12:35:09 -0500 Raphael Geissert wrote:

> Hi everyone,

Hello Raphael,

> 
> mejiko: thanks for pointing it out, I'm forwarding your report to our 
> debian-legal mailing list to seek their opinion.

Thanks for asking.

Please note that you may receive multiple and possibly different
opinions from debian-legal regulars. I am one of them, but what follows
is just my own personal opinion.

> 
> On Saturday 15 September 2012 03:15:10 mejiko wrote:
> [...]
> > ca-certificates packages included Cacert Root certificates.
> > These certificates are licensed under Cacert Root Distribution License (RDL).
> [...]
> > http://www.cacert.org/policy/RootDistributionLicense.php

For future reference, here's a full quote of the license text, obtained
with 

$ w3m -cols 72 -dump http://www.cacert.org/policy/RootDistributionLicense.php

Name: RDL COD14
Status: DRAFT p20100710  RDL Status - DRAFT
Editor: Mark Lipscombe



Root Distribution License

1. Terms

"CAcert Inc" means CAcert Incorporated, a non-profit association
incorporated in New South Wales, Australia.
"CAcert Community Agreement" means the agreement entered into by each
person wishing to RELY.
"Member" means a natural or legal person who has agreed to the CAcert
Community Agreement.
"Certificate" means any certificate or like device to which CAcert
Inc's digital signature has been affixed.
"CAcert Root Certificates" means any certificate issued by CAcert Inc
to itself for the purposes of signing further CAcert Roots or for
signing certificates of Members.
"RELY" means the human act in taking on a risk or liability on the
basis of the claim(s) bound within a certificate issued by CAcert.
"Embedded" means a certificate that is contained within a software
application or hardware system, when and only when, that software
application or system is distributed in binary form only.

2. Copyright

CAcert Root Certificates are Copyright CAcert Incorporated. All
rights reserved.

3. License

You may copy and distribute CAcert Root Certificates only in
accordance with this license.

CAcert Inc grants you a free, non-exclusive license to copy and
distribute CAcert Root Certificates in any medium, with or without
modification, provided that the following conditions are met:

  • Redistributions of Embedded CAcert Root Certificates must take
    reasonable steps to inform the recipient of the disclaimer in
    section 4 or reproduce this license and copyright notice in full
    in the documentation provided with the distribution.
  • Redistributions in all other forms must reproduce this license
    and copyright notice in full.

4. Disclaimer

THE CACERT ROOT CERTIFICATES ARE PROVIDED "AS IS" AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED TO THE MAXIMUM EXTENT PERMITTED BY LAW. IN NO EVENT
SHALL CACERT INC, ITS MEMBERS, AGENTS, SUBSIDIARIES OR RELATED
PARTIES BE LIABLE TO THE LICENSEE OR ANY THIRD PARTY FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER C

Bug#687693: marked as forwarded (ca-certificates: Cacert License is missing)

2012-09-15 Thread Debian Bug Tracking System
Your message dated Sat, 15 Sep 2012 12:35:09 -0500
with message-id <201209151235.10044.geiss...@debian.org>
has caused the   report #687693,
regarding ca-certificates: Cacert License is missing
to be marked as having been forwarded to the upstream software
author(s) debian-legal@lists.debian.org

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
687693: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687693
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


Re: Bug#687693: ca-certificates: Cacert License is missing

2012-09-15 Thread Raphael Geissert
Hi everyone,

mejiko: thanks for pointing it out, I'm forwarding your report to our 
debian-legal mailing list to seek their opinion.

On Saturday 15 September 2012 03:15:10 mejiko wrote:
[...]
> ca-certificates packages included Cacert Root certificates.
> These certificates are licensed under Cacert Root Distribution License (RDL).
[...]
> http://www.cacert.org/policy/RootDistributionLicense.php
> https://lists.cacert.org/wws/arc/cacert-policy/2012-02/msg00031.html
> https://fedoraproject.org/wiki/Licensing/CACert_Root_Distribution_License

TL;DR; RDL looks non-free, Philipp Dunkel from CAcert says Debian is fine (to 
distribute) because of the disclaimer re the certificates included in ca-
certificates, Fedora says it is non-free.

What do the others think about it?

To me, it doesn't just seem to be a (re-)distribution issue. Rather, the 
need for an additional agreement with CAcert. 

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net





Re: databases not copyrightable in the USA (was: CA certificates)

2004-05-14 Thread Nathanael Nerode
Humberto Massa wrote:

> Branden, in Brasil, the copyrights law (9610/98) makes databases
> copyrighted, IF and only if "their selection, organization, or the
> disposition of their content" is a novel intellectual creation. The CDDB,
> for example, would not be covered by this definition (its selection,
> organization and disposition content are automatically-generated). CA
> certificates (the original topic) aren't covered either because they are
> not novel intellectual creations (they also are automatically-generated).
> 
> In another topic, I prefer the term "copyrighted". "Copyrightable" is an
> ugly, ugly term... and everything that is copyrightable is copyrighted by
> default...

Well, except for those works for which copyright has expired or for which it
has been renounced?

This wasn't always the case, anyway; it used to be that you had to *do*
something to claim copyright on a published work.  That was a better
system.  :-/

-- 
There are none so blind as those who will not see.



Re: databases not copyrightable in the USA (was: CA certificates)

2004-05-12 Thread Humberto Massa
Branden, in Brasil, the copyrights law (9610/98) makes databases
copyrighted, IF and only if "their selection, organization, or the
disposition of their content" is a novel intellectual creation. The CDDB,
for example, would not be covered by this definition (its selection,
organization and disposition content are automatically-generated). CA
certificates (the original topic) aren't covered either because they are
not novel intellectual creations (they also are automatically-generated).

In another topic, I prefer the term "copyrighted". "Copyrightable" is an
ugly, ugly term... and everything that is copyrightable is copyrighted by
default...

--
br,M

-- 
http://www.fastmail.fm - The way an email service should be



databases not copyrightable in the USA (was: CA certificates)

2004-05-12 Thread Branden Robinson
On Tue, May 11, 2004 at 01:23:40PM +0200, Giacomo A. Catenazzi wrote:
> In some countries (USA and Germany?) lists/databases are copyrightable,
> even if single data is not! (phone book, games scores and statistics,...)

Not in the United States.

The controlling Supreme Court precedent is _Feist Publications, Inc. v.
Rural Tel. Serv. Co., 499 U.S. 340 (1991)_.

There has been an effort in every session of Congress since then to
overturn that precedent legislatively, but so far all such efforts have
failed.  The current attempt is HR 3261, the "Database and Collections
of Information Misappropriation Act (DCIMA)".

See  for a
little more on this subject.

-- 
G. Branden Robinson|You should try building some of the
Debian GNU/Linux   |stuff in main that is
[EMAIL PROTECTED] |modern...turning on -Wall is like
http://people.debian.org/~branden/ |turning on the pain. -- James Troup




Re[2]: CA certificates

2004-05-11 Thread Ruslan Batdalov
Aiya!

>> In some countries (USA and Germany?) lists/databases are copyrightable,
>> even if single data is not! (phone book, games scores and statistics,...)
 In Russia too.
 
EGE> Don't you mean protected by the Database Directive, which is not the
EGE> same thing as copyright: it has a much shorter duration, for example?
 I cannot say anything about USA and Germany, but in Russia databases
are collections and protected by exactly the same law. It is
explicitly stated. This protection is definitely copyright.

-- 
Best regards,
Ruslan Batdalov



Re: CA certificates

2004-05-11 Thread Edmund GRIMLEY EVANS
Giacomo A. Catenazzi <[EMAIL PROTECTED]>:

> In some countries (USA and Germany?) lists/databases are copyrightable,
> even if single data is not! (phone book, games scores and statistics,...)

Don't you mean protected by the Database Directive, which is not the
same thing as copyright: it has a much shorter duration, for example?



Re: CA certificates

2004-05-11 Thread Giacomo A. Catenazzi

Nathanael Nerode wrote:
> Florian Weimer wrote:
>
>> I've digged a bit more, and VeriSign actually has a license governing
>> the *use* of their certificates (including the root and intermediate
>> certificates):
>>
>>  
>>
>> The license seems to violate DFSG §6.  It also fails the Desert Island
>> test.
>
> Can we all say:
> "WW!"
>
> In this case I believe we had better hope that the certificates are not
> copyrightable.  I don't think public keys are by any stretch.

In some countries (USA and Germany?) lists/databases are copyrightable,
even if single data is not! (phone book, games scores and statistics,...)

ciao
cate



Re: CA certificates (was: Re: Mass bug filing: Cryptographic protection against modification)

2004-05-09 Thread Nathanael Nerode
Florian Weimer wrote:


> I've digged a bit more, and VeriSign actually has a license governing
> the *use* of their certificates (including the root and intermediate
> certificates):
> 
>   
> 
> The license seems to violate DFSG §6.  It also fails the Desert Island
> test.
> 

Can we all say:
"WW!"

In this case I believe we had better hope that the certificates are not
copyrightable.  I don't think public keys are by any stretch.

-- 
There are none so blind as those who will not see.



Re: CA certificates

2004-05-08 Thread Jakob Bohm
On Tue, May 04, 2004 at 11:52:39PM -0700, Russ Allbery wrote:
> Florian Weimer <[EMAIL PROTECTED]> writes:
> 
> > I've digged a bit more, and VeriSign actually has a license governing
> > the *use* of their certificates (including the root and intermediate
> > certificates):
> 
> >   
> 
> > The license seems to violate DFSG §6.  It also fails the Desert Island
> > test.
> 
> There's an interesting question.  Is a public key copyrightable?  In other
> words, does VeriSign have any legal grounds to restrict use of their
> public keys at all?
> 

Important correction:  Verisign claims copyright on the
certificates, not the public keys or other facts inside them.

At least the root certificates are quite creative: All but the
random public key was probably entered manually, and chances are
that a whole team of lawyers and security experts debated each
of the embedded other items at length, making it comparable to a
poem or a poster.  Regular certificates are harder, they simply
state some facts + VeriSign's signed claim that they have done
certain things to verify those facts.

More importantly, in many jurisdictions, the copyright licenses
on certificates (from VeriSign or anyone else) appear to be the
only basis for many of the legal protections necessary to make
digital signatures with professional keysigning (to use the gpg
phrase) work.  The above link and its parent directory lists
many such protections: "Don't sue the keysigner if the signer is
a crook", "limit liability", "revoked keys don't count", "a key
with a $1 amount limit cannot sign over the deeds to someone's
house", etc.

IANAL, TINLA, IANADD

Jakob

-- 
This message is hastily written, please ignore any unpleasant wordings,
do not consider it a binding commitment, even if its phrasing may
indicate so. Its contents may be deliberately or accidentally untrue.
Trademarks and other things belong to their owners, if any.



Re: CA certificates

2004-05-06 Thread Florian Weimer
* Russ Allbery:

> Florian Weimer <[EMAIL PROTECTED]> writes:
>
>> I've digged a bit more, and VeriSign actually has a license governing
>> the *use* of their certificates (including the root and intermediate
>> certificates):
>
>>   
>
>> The license seems to violate DFSG §6.  It also fails the Desert Island
>> test.
>
> There's an interesting question.  Is a public key copyrightable?  In other
> words, does VeriSign have any legal grounds to restrict use of their
> public keys at all?

Does it matter?  Why should we ignore VeriSign's wishes?  They have
far more lawyers than we have. 8-)

-- 
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: atlas.cz, bigpond.com, di-ve.com, hotmail.com,
jumpy.it, libero.it, netscape.net, postino.it, simplesnet.pt,
tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr, yahoo.com.



Re: CA certificates

2004-05-06 Thread Florian Weimer
* Niklas Vainio:

> On Tue, May 04, 2004 at 11:52:39PM -0700, Russ Allbery wrote:
>> There's an interesting question.  Is a public key copyrightable?  In other
>> words, does VeriSign have any legal grounds to restrict use of their
>> public keys at all?
>
> My understanding is that copyright laws speak about original works with some
> creativity in them.

Some European jurisdictions require that a work shows a certain amount
of creativity before it is subject to the equivalent of copyright.

At least in Germany, this rule no longer applies to computer programs,
so it's quite unclear what the limits of copyright are over here.

> Computer-generated, seemingly random string of numbers hardly is
> such a work.

Such random strings tend to have DMCA protection.  However,
certificates are not random strings, they also contain trademarks.

-- 
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: atlas.cz, bigpond.com, di-ve.com, hotmail.com,
jumpy.it, libero.it, netscape.net, postino.it, simplesnet.pt,
tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr, yahoo.com.



Re: CA certificates

2004-05-05 Thread Niklas Vainio
On Tue, May 04, 2004 at 11:52:39PM -0700, Russ Allbery wrote:
> There's an interesting question.  Is a public key copyrightable?  In other
> words, does VeriSign have any legal grounds to restrict use of their
> public keys at all?

My understanding is that copyright laws speak about original works with some
creativity in them. Computer-generated, seemingly random string of numbers
hardly is such a work.

- Nikke

-- 
Niklas Vainio <[EMAIL PROTECTED]>



Re: CA certificates

2004-05-05 Thread Edmund GRIMLEY EVANS
Russ Allbery <[EMAIL PROTECTED]>:

> There's an interesting question.  Is a public key copyrightable?  In other
> words, does VeriSign have any legal grounds to restrict use of their
> public keys at all?

They might do in some jurisdictions, but I would guess that in most
they don't. The public key is a fact, like a telephone number or map
coordinates. A collection of such facts might be covered by the
European Database Directive, but a single such fact or very small
number of them ... I doubt it ... though I don't know, of course.
IANAL.



Re: CA certificates

2004-05-05 Thread Russ Allbery
Florian Weimer <[EMAIL PROTECTED]> writes:

> I've digged a bit more, and VeriSign actually has a license governing
> the *use* of their certificates (including the root and intermediate
> certificates):

>   

> The license seems to violate DFSG §6.  It also fails the Desert Island
> test.

There's an interesting question.  Is a public key copyrightable?  In other
words, does VeriSign have any legal grounds to restrict use of their
public keys at all?

-- 
Russ Allbery ([EMAIL PROTECTED]) 



CA certificates (was: Re: Mass bug filing: Cryptographic protection against modification)

2004-05-04 Thread Florian Weimer
Don Armstrong <[EMAIL PROTECTED]> writes:

> On Tue, 04 May 2004, Florian Weimer wrote:
>> A few packages contain "software" (well, everything's software these
>> days) which is cryptographically protected against modification.
>> This seems to violate DFSG §3.
>
> Uh, if you're referring to the PGP keys and certificates inclosed in
> these works, you really need to reread DFSG §3 very carefully.
>
> Presumably the licenses[1] of these works allows modified works,
> derived works, and distribution of said works. If it does, there is no
> DFSG §3 violation.

I've digged a bit more, and VeriSign actually has a license governing
the *use* of their certificates (including the root and intermediate
certificates):

  

The license seems to violate DFSG §6.  It also fails the Desert Island
test.

-- 
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: atlas.cz, bigpond.com, di-ve.com, hotmail.com,
jumpy.it, libero.it, netscape.net, postino.it, simplesnet.pt,
tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr.