[cabfpub] CPs, CPSes and copyright

Gervase Markham gerv at mozilla.org
Thu May 14 12:17:45 UTC 2015


Hi everyone,

Mozilla is pondering the copyright status of CPs, CPSes and
certificates. It has come to our attention that some CPs/CPSes contain
language that says the document may not be redistributed, in part or in
full, by third parties without prior express written agreement.

Mozilla takes copies of CP and CPS documentation for review, and
sometimes excerpts it or manipulates it in other ways. It's possible
that a CA's application for inclusion gives us an implied license to do
this (given that the CA is aware of our processes), but that would not
extend to other parties who were reviewing the documents to make their
own trust decisions.

Our current inclusion policy[0] mandates only that such documentation
must be "publicly disclosed" and "available from the CA's official
website" (section 17).

In regard to publicly-disclosed intermediate certificates, our policy
also states: "All disclosure MUST be made freely available and without
additional requirements, including, but not limited to, registration,
legal agreements, or restrictions on redistribution of the certificates
in whole or in part." (section 10)

As well as considering our own requirements, Mozilla believes that the
health of and trust in the CA ecosystem is best promoted and preserved
when documents used to make trust decisions are freely available,
distributable, analysable, and commentable-upon. We want to allow
people, other than us, the convenience and freedom necessary to make
their own determinations.

Therefore, we are pondering adding an additional requirement regarding
the copyright status of certificates and policy documents, to put them
in the same category as intermediate certificates are now. At the
moment, our proposal is that we leverage the existing work of Creative
Commons, who write good licenses, and say that CPs, CPSes and
certificates must be available under one of two licenses:

CC-BY
-- This means anyone can copy, redistribute or modify the document, as
long as attribution is given to the original author (the CA). Clearly,
only the copy on the CA's website would be regarded as authoritative.
http://creativecommons.org/licenses/by/4.0/

CC-BY-ND
-- As above, but with the restriction that people may not make
derivative works of the document. We think that allowing derivative
works is preferable, and would help to further strengthen the CA system
as best practice is shared, but we suspect some CAs may be uncomfortable
with that possibility, so we offer this compromise.
http://creativecommons.org/licenses/by-nd/4.0/

CAs would also be free, of course, to offer alternative terms in
addition, for other purposes, as they saw fit.

We would appreciate comments and thoughts regarding this proposal.

Gerv

[0]
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/


