The logic on "restriction" is confused on a number of fronts, and results in an upside down conclusion.
- A root key is not open source, any more than a 747 or a big brass band parade is. A root distribution licence cannot be GPL-compatible by definition; it isn't software.
- The open source business is about something that presumably has only incidental legal or liability issues. It can easily resolve its issues with a simple disclaimer, as open source software is *not warrantied as suitable for any particular purpose*. It also works within the context of sharing software and sales of software that strictly limit liabilities to be based on the price paid. Easy!
- In complete contrast, the CA business is about a certification that someone or something is *trusted for some purpose or activity*. In the event that this is not the case, then there are damages and liabilities to consider. In contrast to software, the CA business expects and promotes the existence of damages and liabilities, otherwise we don't need the CAs.
- The CA business is then about the (mis)allocation of liabilities as a central plank of its business makeup and structure. This is observed in the documentation set for CAs: CPSs, RPAs and various other legal mechanisms are used to obfuscate the contract. The real CA contract tends to be 100 pages or more; it's just that only a few pages have the word CONTRACT over the top of them.
- Most all CAs define RELIANCE following from the PKI theory as an activity leading to the raising of liabilities, as described in the CAcert Root Distribution License (overleaf). The only difference with CAcert is that it does it up-front, in your face, so you know it. Not buried, not deep, not hidden.
- Liabilities that exist must be managed, at law (otherwise you are bankrupt). Therefore, the strategy of all CAs is to manage these liabilities, and this must be so because certificates are a liability-incurring proposition. Most all CAs ban (do not permit) reliance or use by non-parties. E.g., if you do not have an agreement with a CA, you have no permission to rely on or use the certificates. This leaves normal activity as being undefined in legal terms; so 99.9% of usage is a black hole. This is a deliberate ploy, because without a contract, you cannot normally sue in court.
- CAcert as a member-driven organisation declines to participate in the deception. It therefore defines the contracts to match the reality, and it insists on providing a value proposition. This results in rather unexpected experiences as people wonder why it is so tough.
- In particular, members of CAcert offer you an explicit right to USE the certificates in the CAcert Community Agreement: "1.2-2 You may OFFER certificates issued to you by CAcert to NRPs for their USE, within the general principles of the Community." (Non-Related Persons or NRPs is our legalese for those without contracts with CAcert). As far as we know, no other CA extends permissions to rely or use outside contracts; there is no legal right or permission expressed in any of their documents for non-contracted parties. This is a deliberate strategy in order to limit liabilities before court - no contract, no standing.
- CAcert also, in contrast to other CAs, defines RELIANCE to be valuable, which is its intent in PKI theory. However, because CAcert's RELIANCE is valuable, this means potential damages and liabilities exist. Therefore these must be allocated and managed, otherwise we are negligent and bankrupt.
- All audits check how the liabilities are managed. The easy way to manage this and the tactic adopted by almost all CAs is simple: set all liabilities to zero by means of legal strategy. This works in most all forms of mathematics and economics and law; Zero is easy to audit, and it scales.
- CAcert defines RELIANCE to be potentially expensive. Every member is liable for up to 1000 Euros under Arbitration which is backed by the Arbitration Act in most all countries. As this is extremely expensive, and it must be managed, the benefit of this liability is reserved only for Members of CAcert. Membership is free, but comes with liabilities of 1000 euros, the ability to RELY and take any grievances to the Arbitrator.
- In effect, the result provided to non-members (NRPs) is the same as all other CAs. CAcert just defines it properly, honestly and openly. Explicit permission is written and offered. The result provided to Members of CAcert is completely different. The only vaguely comparable situation is the European Qualified Certificate issuers, where CAs are liable under law. General purpose CAs (the vast majority) provide zero.
- The conclusion then expressed that our RDL is "non-free" is therefore backwards. It's far more generous than other CAs. The question is not "why is CAcert's offer so tough?" Instead, ask yourselves what rights are offered in writing to users by the other CAs?
- Do you even have rights to distribute the root of other CAs?
The documents and contracts in question are all managed and voted on in our open policy group, located at https://lists.cacert.org/wws/info/cacert-policy . All are welcome, we even accept some votes from non-members!

Regards,
Iang, on informal behalf of CAcert, the open CA.