Florian Weimer wrote:
Some CAs claim copyright (or trademark rights, or whatever) on their *root* certificates, and license them in rather obnoxious ways (for example, require certain user behavior which has privacy implications). I believe that this is a significant problem, even if the license terms turn out to be unenforceable in most jurisdictions.
What you describe may be a problem in theory, but are there cases where it's proved to be a problem in practice? Certainly from the point of view of the Mozilla Foundation I find it very hard to imagine that any CA would seek to limit distribution of their root CA certs due to copyright or trademark issues; on the contrary, they're the ones asking us to include the certs.
Here's a bit of history on that subject. A certain well-known CA had some root CA certs that expired on the eve of Y2K. As I recall, they claimed copyright (as Florian described above) and, IIRC, they had a policy of not allowing their certs to be distributed except inside releases of software that relied on their certs. They had new CA certs, but they wouldn't allow those certs to be downloaded individually (apart from other software) by end users, as I recall.
In effect, this forced new releases of another company's software products just prior to Y2K in order to distribute the new certs. That last-minute release made for some unhappy software users/customers who vented on the software company, not on the CA.
To avoid a repetition of that scenario, it might be advisable for MF's CA policy to require that CAs permit MF to distribute CA certs via means of MF's own choosing as a condition of inclusion in MF's root CA list. At the very least, MF should know in advance which CAs will similarly not permit distribution of replacement root CA certs apart from software distributions. It would also be advisable for MF to keep track of upcoming root CA expirations and plan releases for them.
In my opinion, of course.
-- Nelson B

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
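The last recommendation above, keeping track of upcoming root CA expirations, is the one part of this thread that lends itself to a concrete check. The following is an added example, not code from the post, from the mozilla-crypto list or from Mozilla: it walks a PEM bundle of root certificates, reads only the Validity field of each one with a minimal DER walker (standard library only, no X.509 library assumed), and reports every root whose notAfter falls within a chosen window. The function names (`expiring_roots`, `validity`) are the example's own, and the two certificates in `SAMPLE_BUNDLE` are constructed, unsigned skeletons built inline for the demo (one deliberately expiring on the eve of Y2K); they are not real roots.

```python
"""Flag root CA certificates in a PEM bundle that expire within a window.

Added example (not from the mozilla-crypto post or from Mozilla). Stdlib
only: a minimal DER walker reads just tbsCertificate.validity, which is
enough to schedule a root-store update ahead of an expiry.
"""
import base64
import datetime
import re

UTC = datetime.timezone.utc
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end, next_pos)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _parse_time(tag, raw):
    """Decode an X.509 Time (UTCTime 0x17 or GeneralizedTime 0x18) to a UTC datetime."""
    s = raw.decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != 0x18:                      # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, pos, _, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE, descend
    tag, pos, _, _ = _tlv(der, pos)        # tbsCertificate ::= SEQUENCE, descend
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, _, _, nxt = _tlv(der, pos)
    if tag == 0xA0:                        # optional EXPLICIT [0] version
        pos = nxt
    for _ in range(3):                     # serialNumber, signature, issuer
        _, _, _, pos = _tlv(der, pos)
    tag, pos, _, _ = _tlv(der, pos)        # validity ::= SEQUENCE, descend
    if tag != 0x30:
        raise ValueError("validity not found")
    t1, s1, e1, pos = _tlv(der, pos)
    t2, s2, e2, _ = _tlv(der, pos)
    return _parse_time(t1, der[s1:e1]), _parse_time(t2, der[s2:e2])


def expiring_roots(pem_bundle, now, within_days):
    """Return [(index, notAfter, days_left)] for bundle certs expiring within the window."""
    out = []
    for i, m in enumerate(PEM_RE.finditer(pem_bundle)):
        der = base64.b64decode(b"".join(m.group(1).split()))
        _, not_after = validity(der)
        days_left = (not_after - now).days
        if days_left <= within_days:
            out.append((i, not_after, days_left))
    return out


# ---- constructed sample data (demo only, not real roots) ----------------

def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _time(d):
    # RFC 5280 4.1.2.5: UTCTime through 2049, GeneralizedTime from 2050 on
    if d.year < 2050:
        return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    return _der(0x18, d.strftime("%Y%m%d%H%M%SZ").encode())


def _sample_cert(not_before, not_after):
    """Unsigned skeleton certificate with empty names/SPKI; constructed for the demo."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                   # version v3
        _der(0x02, b"\x01"),                                               # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),   # sha256WithRSAEncryption
        _der(0x30, b""),                                                   # issuer (empty, demo)
        _der(0x30, _time(not_before) + _time(not_after)),                  # validity
        _der(0x30, b""),                                                   # subject (empty, demo)
        _der(0x30, b""),                                                   # SPKI placeholder
    ]))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"


NOW = datetime.datetime(1999, 12, 1, tzinfo=UTC)
SAMPLE_BUNDLE = (
    _sample_cert(datetime.datetime(1994, 1, 1, tzinfo=UTC),
                 datetime.datetime(1999, 12, 31, 23, 59, 59, tzinfo=UTC))   # expires on the eve of Y2K
    + _sample_cert(datetime.datetime(2000, 1, 1, tzinfo=UTC),
                   datetime.datetime(2050, 1, 1, tzinfo=UTC))               # long-lived, GeneralizedTime
)

if __name__ == "__main__":
    for idx, not_after, days in expiring_roots(SAMPLE_BUNDLE, NOW, 60):
        print(f"root #{idx} expires {not_after:%Y-%m-%d}, {days} days left: plan a release")
```

Run against a real bundle, `expiring_roots(open("roots.pem", "rb").read(), datetime.datetime.now(UTC), 180)` lists the roots that need a replacement shipped in the next six months, which is exactly the lead time the Y2K story above shows was missing. The walker reads only the fields it needs and does no signature or name parsing, so it is a scheduling aid, not a validator.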
