[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#687693: ca-certificates: Cacert License is missing

On 11/03/2012 08:15 PM, Steve Langasek wrote:
> On Sat, Nov 03, 2012 at 03:28:08PM -0500, Michael Shuler wrote:
>> After reading the -legal thread, comments above, the CAcert mailing list
>> thread, the Fedora explanation, and carefully reading the licensing
>> myself, the cautious side of me says the right thing to do is remove the
>> CAcert certificates from the package. This change will be committed to
>> the collab-maint git repo shortly.
>> I appreciate the bug report, mejiko, and for others taking the time to
>> consider this issue. I will consider a ca-certificates-cacert ITP for
>> inclusion in non-free.
> Which debian-legal thread were you reading?  Because the two comments I see
> cc:ed to this bug report from debian-legal, from Francesco Poli and Florian
> Weimer, both point out that *certificates are not copyrightable*.  An SSL
> certificate is a unique representation of a mathematical fact; since it
> contains no creative element, copyright law does not provide for any
> monopoly rights prohibiting distribution.

There was one other short reply on debian-legal that was not sent to the
bug report. (Sorry if I broke the threading, I am not subscribed to

I understand that SSL certificates, themselves, are math, and I
understand the conclusion that they are not copyrightable.  However, I
am not fully convinced that, due to this conclusion, the CAcert license
has no effect (or whatever the proper legal terminology would be).

Among other suggestions, Francesco Poli recommended including a verbatim
copy of this license.

> The CAcert license is therefore something we should entirely ignore, because
> it has no legal force.

Is this really the case?  Should Debian ignore CAcert's license on their
root certificates?

Here is my reasoning, distilled as best I can:

CAcert has explicitly licensed their root certificates.

Even if SSL certificates are not copyrightable, the RDL contains the

"In the event that any provision of this license is held to be invalid
or unenforceable, the remaining provisions of this license remain in
full force and effect."

This statement, along with the use restriction, in my reading, means
that the remainder of the CAcert RDL license is still applicable, as
they have intended, regardless of the copyright question.  It seems
clear from Fedora's decision, as well as Francesco's opinion and
Raphael's look (both non-legal opinions, as well as my own), that the
use restriction makes the CAcert root certificates licensed under a
non-free license.  Am I reading and interpreting this incorrectly?

If this license should be included in the ca-certificates package, then
an interpretation by ftp-master, I assumed, would result in the same

In addition, the Social Contract #1 states that all _components_ (not
just copyrightable software) are to be 100% free.  That was the kicker
that made me think this license applies, regardless of copyrightability.

> Your proposal to remove it from the package without
> specific legal guidance to the contrary is a gross overreaction.

I have spent several sessions, since this bug was reported, carefully
reading the RDL license, other licenses, mailing list posts, etc.  My
(non-lawyer) interpretation of this issue led me to believe that the
right thing to do was to remove the CAcerts from this package in main,
due to it being licensed under a non-DFSG license.  Additionally,
including this CA as a non-free package for Debian users seems a
reasonable workaround.

I'm completely open to additional legal guidance with this, and I hope
you can see my logic wasn't just some overreaction - perhaps misguided
by trying to do the right thing following policy, I'll admit.  Heck, I
had no idea an SSL cert could be licensed, but it is clear to me that
CAcert has intentionally done just that.

Kind regards,
Michael Shuler

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: