[cabfpub] CPs, CPSes and copyright

[Ben Wilson]

A Creative Commons license with the right to create derivative works sounds
reasonable enough.  That reminds me, I think you mentioned that we needed to
go back and edit a current version of one of the guidelines to make the
copyright policy consistent with what we said in one of the other guideline
documents.  Right?

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Gervase Markham
Sent: Thursday, May 14, 2015 6:18 AM
To: CABFPub
Subject: [cabfpub] CPs, CPSes and copyright

Hi everyone,

Mozilla is pondering the copyright status of CPs, CPSes and certificates. It
has come to our attention that some CPs/CPSes contain language that says the
document may not be redistributed, in part or in full, by third parties
without prior express written agreement.

Mozilla takes copies of CP and CPS documentation for review, and sometimes
excerpts it or manipulates it in other ways. It's possible that a CA's
application for inclusion gives us an implied license to do this (given that
the CA is aware of our processes), but that would not extend to other
parties who were reviewing the documents to make their own trust decisions.

Our current inclusion policy[0] mandates only that such documentation must
be "publicly disclosed" and "available from the CA's official website"
(section 17).

In regard to publicly-disclosed intermediate certificates, our policy also
states: "All disclosure MUST be made freely available and without additional
requirements, including, but not limited to, registration, legal agreements,
or restrictions on redistribution of the certificates in whole or in part."
(section 10)

As well as considering our own requirements, Mozilla believes that the
health of and trust in the CA ecosystem is best promoted and preserved when
documents used to make trust decisions are freely available, distributable,
analysable, and commentable-upon. We want to allow people, other than us,
the convenience and freedom necessary to make their own determinations.

Therefore, we are pondering adding an additional requirement regarding the
copyright status of certificates and policy documents, to put them in the
same category as intermediate certificates are now. At the moment, our
proposal is that we leverage the existing work of Creative Commons, who
write good licenses, and say that CPs, CPSes and certificates must be
available under one of two licenses:

CC-BY
-- This means anyone can copy, redistribute or modify the document, as long
as attribution is given to the original author (the CA). Clearly, only the
copy on the CA's website would be regarded as authoritative.
http://creativecommons.org/licenses/by/4.0/

CC-BY-ND
-- As above, but with the restriction that people may not make derivative
works of the document. We think that allowing derivative works is
preferable, and would help to further strengthen the CA system as best
practice is shared, but we suspect some CAs may be uncomfortable with that
possibility, so we offer this compromise.
http://creativecommons.org/licenses/by-nd/4.0/

CAs would also be free, of course, to offer alternative terms in addition,
for other purposes, as they saw fit.

We would appreciate comments and thoughts regarding this proposal.

Gerv

[0]
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs
/policy/inclusion/
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4954 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150514/5f938353/attachment-0001.p7s>