Wired Article on the GPL - Signed Licenses?

Dennis E. Hamilton infonuovo at email.com
Thu Mar 30 17:08:44 UTC 2000


Although we are getting far afield from the structure of open-source
licenses, there seem to be some procedural and technical steps someone could
take to ensure that a license is perpetuated, especially for
digitally-conveyed works and licenses to those works.

There are moves afoot to establish the legal acceptability of digital
signatures and their non-repudiation qualities.  I don't want to substitute
technology for common sense, but this does seem to promise a way to be clear
what (1) the licensed work is, and (2) the authenticity of the license (or
even notice).  It might even provide a mechanism for "affixing" a license to
a copy of the work even though the elements are physically separated.

A. USING DIGITAL SIGNATURES TO CONVEY LICENSES

It is interesting that employing digital signatures to establish the
authenticity of open-source distributions is already on the rise.

Here is what I noticed:

1.  If I provide a license statement in digital form, which is digitally
signed, a recipient can confirm whether the license has indeed been signed
according to an accompanying certificate, and whether the document is
unaltered.  That establishes signature and that the license is a true copy
of the signed material.  Then the "usual"  mechanisms come into play with
regard to determining whether (a) the signature is authentic and can be
trusted and is indeed non-repudiatable and (b) whether I have the right to
convey such a license, signed or not.  [That is, we are in the same place
that we are with conventional written instruments.]

2.  I can, as part of the signed license document, provide certificate
information that is usable to confirm signatures on the digital copies of
the covered works themselves.  These can be incorporated in the signed
material of (1), and be an intrinsic part of the signed material.  I see
some weaknesses in this step, but no more so than with the EULA I have in
front of me pertaining to a massive amount of software that I just installed
on my development computer.

3.  Various secure repository (certificate authority) mechanisms are used to
establish the provenance of a digital certificate of particular quality.
Along with this, there can be deposit mechanisms for licenses (just as there
is or at least was a way to record copyright assignments for registered
copyrights).  It would be valuable to have a repository where licenses could
be recorded/deposited so that someone researching the status of a copyright
and its assignments/licenses could find them.  I don't know that the U.S.
Copyright Office would be particularly happy to provide that, but who knows.
It would certainly depend on having registered the copyright, though.

4.  Digital signature techniques are being used to provide more confidence
in the authenticity and provenance of digital material, permitting trust
against substitution of altered or counterfeit works that may be dangerous
to users of the work.  They also provide a level of commitment by an
authentic signer that the work (including the license) is not repudiatable.
None of these provisions prevent someone from forging a work or making
fraudulent exclusive transfers.  It is just harder to do it without
incriminating oneself.  It also depends on due diligence on the part of
recipients of such materials.

B. EARTH TO DENNIS, EARTH TO DENNIS ...

I notice that the EULA I am looking at right now is not "signed" although I
have every reason to believe that it is authentic.  The box within which the
software was packed even had an affixed "certificate of authenticity," and I
guess I should retain that with my EULA, the CD-ROMS, the CD-ROM "key," and
the proof-of-purchase.  I purchased the software over the Internet.  I have
registered myself as the purchaser using the on-line mechanism provided as
part of the software installation process.

I suspect that's quite enough for me and the software vendor, either one, to
establish the likelihood that I have purchased their software and that I am
a party to the accompanying EULA, which I also recall "clicking-through" as
part of the software installation process. I can't imagine what either of us
might do that would have this be in dispute.  I will hold onto the materials
anyhow.

I also notice that there are a number of digital certificates included in
the software collection.  Although a number of them have expired (that is a
problem with these things), I have strong reason to believe that they are
authentic.

-- Dennis

------------------
Dennis E. Hamilton
InfoNuovo
mailto:infonuovo at email.com
tel. +1-206-779-9430 (gsm)
fax. +1-425-793-0283
http://www.infonuovo.com
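
Added example, not part of the original message: a sketch of items A.1 and A.2 and of "affixing" a license to a physically separate copy of the work. As assumptions, it uses a Lamport one-time hash-based signature as a standard-library stand-in for the certificate-based signatures discussed, and it embeds the work's SHA-256 digest in the signed license rather than a second certificate; all names and sample values are constructed.

```python
import hashlib, json, secrets

def H(data):
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key (stand-in scheme): sign ONE message per key pair.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per bit of the message digest.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    bits = _bits(msg)
    return len(sig) == 256 and all(H(sig[i]) == pk[i][bits[i]] for i in range(256))

def make_license(sk, license_text, work):
    # The signed material names the covered work by digest, so the license
    # stays bound to the work even when the two are stored separately.
    manifest = json.dumps({"license": license_text,
                           "work_sha256": hashlib.sha256(work).hexdigest()},
                          sort_keys=True).encode()
    return manifest, sign(sk, manifest)

def check(pk, manifest, sig, work):
    # Returns (license signed and unaltered, work is the one licensed).
    # Not covered here: whether pk really belongs to the signer, and whether
    # the signer had the right to grant the license (items 1(a) and 1(b)).
    if not verify(pk, manifest, sig):
        return False, False
    claimed = json.loads(manifest)["work_sha256"]
    return True, claimed == hashlib.sha256(work).hexdigest()

def demo():
    sk, pk = keygen()
    work = b"constructed bytes of a source tarball"
    manifest, sig = make_license(sk, "Constructed license text.", work)
    altered = manifest.replace(b"Constructed", b"Proprietary")
    return {"genuine": check(pk, manifest, sig, work),
            "substituted work": check(pk, manifest, sig, work + b" (patched)"),
            "altered license": check(pk, altered, sig, work)}

if __name__ == "__main__":
    print(demo())
```
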

-----Original Message-----
From: W. Yip [mailto:weng at yours.com]
Sent: Thursday, March 30, 2000 04:43
To: license-discuss at opensource.org
Subject: Re: Wired Article on the GPL

[ ... ]

>-------------------
>USC 17 205 E
>(e) Priority Between Conflicting Transfer of Ownership and Nonexclusive
>License. - A nonexclusive license, whether recorded or not, prevails over a
>conflicting transfer of copyright ownership if the license is evidenced by a
>written instrument signed by the owner of the rights licensed or such owner's
>duly authorized agent, and if -
>(1) the license was taken before execution of the transfer; or
>(2) the license was taken in good faith before recordation of the transfer
>and without notice of it.
>-------------------
>That *could* mean that if there is a signed contract, then the GPL takes
>priority--and conversely, if there wasn't a signed contract, then Mattel's
>ownership takes priority.

The above makes sense. *Imagine* Microsoft being bought by XXX company
tomorrow. You do not want to have your license to Windows being revoked
would you (really) ?

I would presume Mattel, being a big corp, will have the sense to get a
signature when they buy something.

[ ... ]

>  Also,
>if you interpret the law that way, you come up with the absurd conclusion that
>the initial copyright owner might be unable to revoke the license, but if he
>transfers the license to someone else that other party can do what he can't.

This might not be absurd because the initial copyright owner would be the
one who voluntarily chose this particular course of action (GPL), and so we
can argue he ought not be allowed to renege from it. OTOH, a purchaser,
particularly a bona fide one, may not know anything about the licenses
attached to a copyright which he is purchasing, and thus deserves
protection from copyright holders who may be dishonest.




