[cabfpub] CPs, CPSes and copyright

Rick Andrews Rick_Andrews at symantec.com
Tue May 26 19:05:13 UTC 2015


Gerv,

I ran this by my legal team, and here's the feedback I received:

- Intellectual property rights, like copyright rights, may only be granted
in writing. Therefore an "implied license" would not apply to a document
like a CA's CPS.

- There is a legal doctrine known as "fair use" that we feel adequately
covers the public comment process that Mozilla wishes to preserve. "Fair
use" allows for someone to excerpt parts of the document in order to draw
attention to it.

- We are concerned about derivative works. Many CAs spend a lot of time and
effort to craft these documents, and would not want a new CA to simply copy
the documents and claim them as their own. While that might further
strengthen the CA system, I feel that it's more likely that a new CA will
copy the documents without understanding what they mean, and without
adopting the practices described in them.

-Rick

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Gervase Markham
Sent: Thursday, May 14, 2015 5:18 AM
To: CABFPub
Subject: [cabfpub] CPs, CPSes and copyright

Hi everyone,

Mozilla is pondering the copyright status of CPs, CPSes and certificates. It
has come to our attention that some CPs/CPSes contain language that says the
document may not be redistributed, in part or in full, by third parties
without prior express written agreement.

Mozilla takes copies of CP and CPS documentation for review, and sometimes
excerpts it or manipulates it in other ways. It's possible that a CA's
application for inclusion gives us an implied license to do this (given that
the CA is aware of our processes), but that would not extend to other
parties who were reviewing the documents to make their own trust decisions.

Our current inclusion policy[0] mandates only that such documentation must
be "publicly disclosed" and "available from the CA's official website"
(section 17).

In regard to publicly-disclosed intermediate certificates, our policy also
states: "All disclosure MUST be made freely available and without additional
requirements, including, but not limited to, registration, legal agreements,
or restrictions on redistribution of the certificates in whole or in part."
(section 10)

As well as considering our own requirements, Mozilla believes that the
health of and trust in the CA ecosystem is best promoted and preserved when
documents used to make trust decisions are freely available, distributable,
analysable, and commentable-upon. We want to allow people, other than us,
the convenience and freedom necessary to make their own determinations.

Therefore, we are pondering adding an additional requirement regarding the
copyright status of certificates and policy documents, to put them in the
same category as intermediate certificates are now. At the moment, our
proposal is that we leverage the existing work of Creative Commons, who
write good licenses, and say that CPs, CPSes and certificates must be
available under one of two licenses:

CC-BY
-- This means anyone can copy, redistribute or modify the document, as long
as attribution is given to the original author (the CA). Clearly, only the
copy on the CA's website would be regarded as authoritative.
http://creativecommons.org/licenses/by/4.0/

CC-BY-ND
-- As above, but with the restriction that people may not make derivative
works of the document. We think that allowing derivative works is
preferable, and would help to further strengthen the CA system as best
practice is shared, but we suspect some CAs may be uncomfortable with that
possibility, so we offer this compromise.
http://creativecommons.org/licenses/by-nd/4.0/

CAs would also be free, of course, to offer alternative terms in addition,
for other purposes, as they saw fit.

We would appreciate comments and thoughts regarding this proposal.

Gerv

[0] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/