
Re: CA certificates

On Tue, May 04, 2004 at 11:52:39PM -0700, Russ Allbery wrote:
> Florian Weimer <fw@deneb.enyo.de> writes:
> > I've dug a bit more, and VeriSign actually has a license governing
> > the *use* of their certificates (including the root and intermediate
> > certificates):
> >   <https://www.verisign.com/repository/rpa.html>
> > The license seems to violate DFSG §6.  It also fails the Desert Island
> > test.
> There's an interesting question.  Is a public key copyrightable?  In other
> words, does VeriSign have any legal grounds to restrict use of their
> public keys at all?

Important correction:  VeriSign claims copyright on the
certificates, not the public keys or other facts inside them.

At least the root certificates are quite creative: All but the
random public key was probably entered manually, and chances are
that a whole team of lawyers and security experts debated each
of the other embedded items at length, making it comparable to a
poem or a poster.  Regular certificates are harder: they simply
state some facts + VeriSign's signed claim that they have done
certain things to verify those facts.

More importantly, in many jurisdictions, the copyright licenses
on certificates (from VeriSign or anyone else) appear to be the
only basis for many of the legal protections necessary to make
digital signatures with professional keysigning (to use the gpg
phrase) work.  The above link and its parent directory list
many such protections: "Don't sue the keysigner if the signer is
a crook", "limit liability", "revoked keys don't count", "a key
with a $1 amount limit cannot sign over the deeds to someone's
house", etc.



This message is hastily written, please ignore any unpleasant wordings,
do not consider it a binding commitment, even if its phrasing may
indicate so. Its contents may be deliberately or accidentally untrue.
Trademarks and other things belong to their owners, if any.
