Some CAs claim copyright (or trademark rights, or whatever) on their *root* certificates, and license them in rather obnoxious ways (for example, require certain user behavior which has privacy implications). I believe that this is a significant problem, even if the license terms turn out to be unenforceable in most jurisdictions.
First, thanks for your comments. Now, my response:
What you describe may be a problem in theory, but are there cases where it's proved to be a problem in practice? Certainly from the point of view of the Mozilla Foundation I find it very hard to imagine that any CA would seek to limit distribution of their root CA certs due to copyright or trademark issues; on the contrary, they're the ones asking us to include the certs.
As for problems caused to typical Mozilla end users by CA legal agreements, again, what if any problems have actually occurred in practice?
After reading such a CA "license", the next question pops up: Are CAs which explicitly disclaim responsibility for the certificates they issue acceptable for inclusion?
I presume you're talking about CAs whose relying party agreements, subscriber agreements, certificate policy, etc., extremely limit the CA's liability, or cast that liability in such a form that a typical Mozilla end user (typically playing the role of the relying party) in practice would not be able to satisfy the requirements of the relying party agreement, etc.
I see your question as analogous to the question "Is code from software developers who explicitly disclaim responsibility for the software they distribute acceptable for inclusion in Mozilla?" This is of course the standard situation for open source code contributed to the Mozilla project.
I believe that the whole legal framework around PKI is for the most part irrelevant as far as typical Mozilla users are concerned, in the sense that I believe that in practice it's unlikely any CA would ever suffer significant legal harm based on their practices vis-a-vis typical Mozilla users. As for harm to Mozilla end users, I think the more likely scenario is harm to users' actual security in the here and now as opposed to harm resulting from users being forced to comply with CA legal agreements.
Hence in accordance with my previously-expressed opinions (see 4 of the metapolicy, "The policy should focus on security risks associated with CA certificate selection, not on legal risks."), I'm inclined to not worry about this issue in version 1.0 of the CA certificate policy, until/unless someone presents compelling arguments to the contrary.
Frank
-- Frank Hecker [EMAIL PROTECTED]
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
