> I want to do a commercial client application capable
> of handling https (that is the only purpose to include
> openssl) and I was wondering if it is legal to
> distribute the file that contains the certificates
> that were bundled with Netscape.

I am not a lawyer.

Not only am I also not a lawyer, I also don't play one on TV. In fact, I can pretty much do without TV entirely.


> Actually, can a company X generate their own
> certificates to be used with openssl instead of those?
> I noticed there are some utilities in openssl to
> generate certificates.

Netscape and others have compiled a list of root CA's that they trust.
If you can get your users to add you to their root CA list, you can be
a CA.  This can work for a closed application.

But I certainly would not add your certificate to my browser root
certificate list.  Doing so would let you impersonate anyone - my
bank, broker, etc.

You're going to have a good deal of trouble getting anyone to take your own root/trusted certificates seriously in any sort of production application. Anyone who appreciates what this can open you up to won't do it. But that leaves the other "five (or seven, or nine) nines" of the population, unfortunately...


I'll pass on the spoofing opportunities here, as that can depend on a bazillion other factors. That is, unless you can compromise the client in almost any fashion, then it can be done in about a bazillion ways... :-)

As far as the (re)distribution question goes, what you "probably" cannot do without permission is to redistribute the actual *package* of certificates that Netscape has put together for the purpose of embedding in their browser. Since the overwhelming majority (if not 100%) of those certificates individually are not the property of Netscape, if you reassembled them into your own package, that might legally be sufficient. After all, the issuers of these certs (and a number of other wannabes, I suspect) want them distributed as widely as possible for any reasonable purpose.

Alternatively, you could either manually publish a procedure on how to export the certs out of Netscape and import them into your application, or suck them out yourself with a program. I believe that Netscape has a toolkit and APIs to deal with their certificate stores.

I'm not sure what you're up to, but you could always ask Netscape if you can redistribute their bundle. But corporate lawyers are loath to allow anything for anyone outside the company unless you're to be taken very seriously. If Mozilla's are good enough, you're likely to have more success with them, I'd suspect. But that hurdle might only be 15' high instead of 18'...

Of course, you could always read the license to see what's allowed....

Nah....

:-)
-e


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]