
Draft Let's Encrypt Subscriber Agreement - riqbal
https://letsencrypt.org/2015/05/21/draft-le-sa.html
======
fapjacks
Perhaps it's time to supplement this legalese with an equivalent amount of
explanatory language in layman's terms what your _intent_ for these clauses
is. You're starting to spook people because of what can be read into the
legalese, and though your comments here seem to justify the clauses, that does
not help other people that aren't reading this thread. Sort of like an app
publisher explaining why they need such-and-such permission. I won't install
some apps unless I have a pretty good explanation of why it needs certain
permissions.

------
chc
Maybe it's just the effect legalese sometimes has of making your head spin,
but that looks like kind of a lot of "ifs" for something that's being touted
as so universal it can justify killing HTTP.

A few requirements:

- You have not participated in the seizure of a domain name that had ongoing
lawful uses

- all information in Your Certificate regarding You or Your domain name is
accurate, current, reliable, complete, and not misleading

- all information You have provided to ISRG is accurate, current, complete,
reliable, complete, and not misleading

- You have taken all appropriate, reasonable, and necessary steps to secure
and keep your Private Key secret

They can send you away even if you do everything they ask:

- ISRG may, in its sole discretion, refuse to grant Your request for a Let’s
Encrypt Certificate, including for reasons not stated in this Agreement

- ISRG may also, without advanced notice, revoke Your Certificate if it
determines, in its sole discretion, that … Your Certificate has become
unreliable

- ISRG may also, without advanced notice, revoke Your Certificate if it
determines, in its sole discretion, that … information in your registration
with ISRG or request for an Let’s Encrypt Certificate has changed

~~~
Bedon292
Those seem like fairly reasonable 'ifs' to have. They have to cover themselves
and prevent abuse, or else no one will trust the certificates they issue.

~~~
mikeash
Why? It seems to me like it should be really simple: I prove I control domain
X, they issue me a certificate for domain X. End of story. Does there need to
be more?

~~~
UnoriginalGuy
What if someone hijacks a domain? Should they issue one then?

I'll say this, I don't want to see "Let's Encrypt" go on some moral crusade
deciding not to grant a certificate to a website because that website contains
offensive content, but their job is to verify at least somewhat the identity
of the requester to try and stem impersonation.

~~~
the8472
> What if someone hijacks a domain?

But that's a registrar problem, not a "proof that this connection comes from
someone who controls that domain" problem. These aren't EV certificates.

~~~
_cpancake
Part of HTTPS is making sure that the person you're talking to is the person
you think you're talking to.

~~~
the8472
That's what EV certificates are for.

Otherwise https only guarantees that you're actually talking to the domain you
see in the URL, not who that domain belongs to.

------
comex
> You Warrant to ISRG and the public-at-large that You have not participated
> in the seizure of a domain name that had ongoing lawful uses.

Is this meant to refer to the domain you're requesting, or does it literally
mean that any person or organization that has ever participated in the seizure
of any domain name that had ongoing lawful uses is banned? (For example, this
would ban Microsoft, as well as arguably the entire U.S. government, from
legally requesting certificates. The cases in question were a bit
reprehensible, but it seems like an oddly specific requirement.)

...While this is of course standard for contracts, I also like the use of all
caps and bold in the warranty disclaimer, which makes it extremely difficult
to read, despite the U.C.C. clause that semi-not-really requires it being
intended to ensure that signatories were aware of such terms! Let's Encrypt is
a forward thinking organization; even if it's not terribly important, can't
you take a stand against such absurdity and satisfy the conspicuousness
requirement in a way that actually makes sense?

~~~
dragonwriter
> For example, this would ban Microsoft, as well as arguably the entire U.S.
> government, from legally requesting certificates.

It would also prohibit many current and former employees of Microsoft and the
U.S. government, and domain name registrars (both themselves, and current and
former employees) whose participation was necessary to effect such seizures,
even though they had no discretion in them, and law firms (both themselves,
and current and former employees) involved in seizure, from getting
certificates.

I also think the entire idea is unsound; the mere fact that a domain name had
some ongoing lawful use shouldn't make seizing it a bad thing; I mean, if the
primary use of it was for users exchanging, say, child pornography, but it
also had a minor and incidental, but certainly ongoing, use for the same users
to exchange perfectly lawful messages, is being involved -- even as a direct
and primary actor -- in seizing the domain something which should result in an
actor being punished by having a higher cost to participate in the emerging
TLS-only internet community the way the Let's Encrypt policy suggests?

~~~
mynameisvlad
I don't see how the company's actions would affect the employees. If they
directly participated in the seizure? Sure. But a random software developer at
Microsoft, or a random CSR at the registrar shouldn't be affected by that
clause.

~~~
dragonwriter
> If they directly participated in the seizure?

The exclusion language in the agreement does not specify direct participation,
merely participation.

But even the most direct participation is going to involve a large number of
employees performing job functions as directed, and include firms (and
employees at those firms) participating under a direct, non-discretionary
legal mandate.

~~~
mynameisvlad
Sure, but you're not participating if your company participates, that's my
point. An individual is separate from the company they work for. Microsoft as
an entity can't request a certificate, sure. An employee that was involved in
the seizure can't, sure, same deal. But an employee that had absolutely no
involvement in the seizure but happens to work for the company? Nothing in
that language says that they'd be banned.

I also highly doubt the scale you're talking about. I doubt that "many"
employees are involved in a seizure. It's a sensitive matter, in the best
interests of everyone to keep it as contained as possible.

------
ptx
> ISRG may modify this Agreement from time to time. Each modified
> version of this Agreement shall be posted to ISRG’s Let’s Encrypt
> website (letsencrypt.org) and shall be effective on the date
> specified on such website.

So what's in the agreement doesn't actually matter since it can be modified
unilaterally at any time with a notice period of 0 milliseconds?

~~~
joshmoz
The idea here is that we need to be able to modify terms quickly if need be
(e.g. if a critical issue is identified), but hopefully that will never be the
case. Under normal circumstances we will post the updated agreement quite a
while before it takes effect. Current thinking is that we'll try for 45-90
days.

Thanks for your feedback.

~~~
Sir_Substance
The problem with this approach is you're inflicting your legal liability on
me.

A more appropriate way to deal with this would be to state that there will be
a 30 day consultation period for every change, and if you do identify a
"critical issue", to revoke every certificate and have everyone re-agree to
it.

Now, I know you don't want to do that because if you do find a critical issue,
solving it that way makes everyone mad at you, but here's the thing: that's
how it works in every other business.

Withdrawing cars or software or nail polish or recommended finance strategies
from use takes time, and if you make a critical fuckup then the methods for
speeding up the withdrawal time are either non-existent or _really_ piss
people off.

It's a quirk of the legal system that you can "patch" these issues instantly,
but you still have to unilaterally fuck people (at least in potentia) to do
it.

The correct way to do it would be to take responsibility for the quality of
your work and guarantee you won't change the agreement on people.

At the very least, you could state any changes will be binding for one week,
and anyone who hasn't explicitly opted in to the new version after a week gets
cut off until they do, but is released from that version.

------
pdpi
Minor quibble, but I think the "Key Pair" heading of the Definitions section
mixes up i.e. (id est, 'that is') and e.g. (exempli gratia, 'for example').

Digital signatures are one example of things you can do with a key pair, and
it is specifically the public key that can't be used to recover the private
key.

------
diafygi
Man, there's a lot of references to the ACME client.

_"The contents of Your Certificates will be based on the information You or
Your ACME Client Software sends to ISRG."_

_"Your Key Pair (Public and Private Keys) will be generated by You or Your
ACME Client Software on Your systems."_

_"Your ACME Client Software may perform this task for You."_

_"You may make a revocation request to ISRG using ACME Client Software."_

_"If you wish, You may configure Your ACME Client Software to notify You of
such changes."_

To be clear, ACME is a protocol. You don't need the ACME client to get a free
ssl cert. You will be able to perform the steps needed with just openssl and
curl. I hope this agreement doesn't get interpreted such that you must use the
official ACME client to generate the ssl key and make the http requests.

~~~
rgj
"1. Definitions and Terms: “ACME Client Software” — a software application
that uses the ACME protocol to request, accept, use or manage Let’s Encrypt
Certificates."

------
hackuser
My limited understanding is that Let's Encrypt's mission is to make encrypted
web traffic available to as wide a population as possible. A six page legal
agreement seems like an obstacle to that, especially if they want to serve
that portion of the population who might not be accustomed to such things.

Keeping it short and simple would seem like a high priority; though perhaps
this is as short and simple as it can reasonably get.

~~~
schoen
I encourage people to propose ways that it might be made shorter.

The CA/B Forum requires CAs to have legally-binding subscriber agreements
covering the issuance of certificates. For example, check out section 9.6.1 of
Baseline Requirements 1.3.0 ("CA Representations and Warranties").

https://cabforum.org/wp-content/uploads/CAB-Forum-BR-1.3.0.pdf

~~~
tedunangst
Is it necessary for lets encrypt to be a part of the cab forum? One might
argue that the cab forum is part of the problem.

~~~
UnoriginalGuy
They're definitely part of the problem, but they're a powerful kingmaker in
the industry. Without their approval several vendors won't include the Let's
Encrypt CA at all.

So it ultimately boils down to: Dance with the devil and become relevant, or
maintain the moral high ground and accomplish nothing.

~~~
bifurcation
You've got things a little confused here. Let's Encrypt doesn't need to be
part of the CABF in order to be included in the browsers, but they do need to
demonstrate that they abide by the rules that CABF defines (the Baseline
Requirements). They only need to join CABF if they want to be able to vote on
those rules.

------
MatthewWilkes
"This Agreement is effective once You request, accept, or use a Let’s Encrypt
Certificate."

"Use" needs to be defined, otherwise it catches end-users who visit the
website.

------
pimlottc
Argh, that is an awkward title. "Draft Subscriber Agreement for Let's Encrypt"
would be clearer. Or even just adding quotes around "Let's Encrypt" would
help.

------
andy_ppp
There is probably a multi million dollar market in a well thought through tool
for editing, commenting upon and finalising legal agreements... In fact I'd
say online law tools for managing a whole firm in general could be an
excellent business.

------
sdalfakj
Could you post it on github or something like that so it's easier to suggest
edits and fixes? Thanks.

------
nodata
Why is a subscriber agreement necessary?

~~~
bifurcation
The CA/Browser Forum Baseline Requirements require that the CA have you sign
one:

"Prior to the issuance of a Certificate, the CA SHALL obtain ... either: 1.
The Applicant’s agreement to the Subscriber Agreement with the CA, or 2. The
Applicant’s agreement to the Terms of Use agreement."

https://cabforum.org/wp-content/uploads/CAB-Forum-BR-1.3.0.pdf

~~~
nfoz
Then I can't exactly support the "Let's Encrypt" effort. Any child should be
able to make a website without having to sign a bunch of legalese. That's more
important to me than encrypted traffic, frankly.

------
rhino369
Did you have a lawyer who does this sort of work read this? I am not going to
give you advice here since I'm not your lawyer, but you need to have one look
at this. There are issues in this draft that need to be addressed.

Someone might even be willing to do it pro bono.

