On May 1, 2004, at 3:09 PM, AIDA Shinra wrote:
I submitted a new package "ca-roots" at the Tracker before. The problem is what license is appropreate.
The CA certificates came from mod_ssl distribution, which is Apache licensed. But modssl.org originally got them from Netscape Communicator/Navigator. I filled "BSD" in "License" field, but I might be wrong. Any ideas?
Hmm. The root certificates are IMHO, facts. There's only one set of root certificates-- or at least there should be, else the whole system of trust chains would fall apart. I.e Debian gets a certificate from a organization which certifies that the holders of the Debian private key is Debian, and that certifying organization gets a certificate from someone else who is in turn certifed by another, until the root is found. Theoretically, someone could publish an additional root certificate, and if a user were naive enough to trust that root certificate, malicious individuals could pass themselves off as various entities deserving as trust. So, copyrighting and licensing a set of "root certificates" would seem to be counterproductive.
Nevertheless, these particular ssl certificates are distributed along with copyrightable, and thus licensable source code. If fink were to distribute this additional code, it would be bound by the BSD license, as that's what I believe modssl uses. On the other hand, if fink were to distribute a the ca-roots-*deb only, it could distribute it without being bound by a license. But if fink did distribute such a binary package, without mentioning mod_ssl, then users would not have any particular reason to trust the integrity of those root certificates.
Jeremy
-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g. Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
_______________________________________________
Fink-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/fink-devel
