Policy-Discussion

[Michael Tänzer <michael.taenzer AT cacert.org>]

Hi,

On 31.10.2011 23:03, Lambert Hofstra wrote:
> Well, it's a difficult concept... It's "free" as in "free beer" (you
> don't have to pay for it) but not "free" as in "no obligations" (you
> have to accept the CCA).
> 
> The whole concept is to protect the community, so that it can stay
> "free" (no cost involved) and still be of a certain value for the users.
> 
> Imagine we provide the certificates for free, without any assurance. 
> Then you can distribute the root under GPL or whatever, because there is
> no claim whatsoever. However, it would be of no value of the user.

Well, even the GPL has a "no warranty whatsoever" clause. So if
something goes wrong because of GPL software you can't sue the author
(unless you have an additional agreement e.g. a support contract "you
may at your option offer warranty protection in exchange for a fee"). As
far as I understand from my amateur view the "you may not rely" part is
similar to this no warranty clause and the CCA poses this additional
agreement that introduces reliance.
Also the certificate may be distributed even in modified form under
certain conditions and these conditions might be where it gets
complicated: They require the ones embedding the cert in their software
to take "reasonable steps" to inform the user of the no warranty clause.
This may be seen somewhat equivalent to the advertising clause in the
BSD 4-clause license (like the license OpenSSL uses) and therefore may
not be compliant with the GPL. However even the GPL contains the clause:
"c) If the modified program normally reads commands interactively
    when run, you must cause it, when started running for such
    interactive use in the most ordinary way, to print or display an
    announcement including an appropriate copyright notice and a
    notice that there is no warranty (or else, saying that you provide
    a warranty) and that users may redistribute the program under
    these conditions, and telling the user how to view a copy of this
    License.  (Exception: if the Program itself is interactive but
    does not normally print such an announcement, your work based on
    the Program is not required to print an announcement.)"
So it might not be that strong of a case.

Apart from that still the question holds whether putting a certificate
in a trust store makes it a part of each application that uses that
trust store. I would strongly argue against that, because the
application and the certificate don't become intermingled in some way as
would be the case when linking a library or using a plug-in. But if the
certificate and the application don't become one whole, the applications
license is not affected by the license of the certificate and the other
way around.


Cheers,
-- 
Michael Tänzer
CAcert Support Team Leader

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature