On Tue, May 04, 2004 at 11:52:39PM -0700, Russ Allbery wrote:
> Florian Weimer <[EMAIL PROTECTED]> writes:
>
> > I've dug a bit more, and VeriSign actually has a license governing
> > the *use* of their certificates (including the root and intermediate
> > certificates):
>
> > <https://www.verisign.com/repository/rpa.html>
>
> > The license seems to violate DFSG §6. It also fails the Desert Island
> > test.
>
> There's an interesting question. Is a public key copyrightable? In other
> words, does VeriSign have any legal grounds to restrict use of their
> public keys at all?
>

Important correction: VeriSign claims copyright on the certificates, not
the public keys or other facts inside them.

At least the root certificates are quite creative: all but the random
public key was probably entered manually, and chances are that a whole
team of lawyers and security experts debated each of the other embedded
items at length, making it comparable to a poem or a poster.

Regular certificates are harder; they simply state some facts +
VeriSign's signed claim that they have done certain things to verify
those facts.

More importantly, in many jurisdictions, the copyright licenses on
certificates (from VeriSign or anyone else) appear to be the only basis
for many of the legal protections necessary to make digital signatures
with professional keysigning (to use the gpg phrase) work. The above
link and its parent directory list many such protections: "Don't sue the
keysigner if the signer is a crook", "limit liability", "revoked keys
don't count", "a key with a $1 amount limit cannot sign over the deeds
to someone's house", etc.

IANAL, TINLA, IANADD

Jakob

-- 
This message is hastily written, please ignore any unpleasant wordings,
do not consider it a binding commitment, even if its phrasing may
indicate so. Its contents may be deliberately or accidentally untrue.
Trademarks and other things belong to their owners, if any.

