<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
To the Board of the OSI and the License-Review list:<br>
<br>
Below is the recommendation of the License Committee of the Open
Source Initiative on the Cryptographic Autonomy License, Beta 4.<br>
<br>
****<br>
<br>
License: Cryptographic Autonomy License Beta 4 (Exhibit A)<br>
Submitted: <br>
Beta 2 August 22, 2019:
<a class="moz-txt-link-freetext" href="http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-August/004310.html">http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-August/004310.html</a>
<br>
Beta 3 August 22, 2019:
<a class="moz-txt-link-freetext" href="http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-August/004310.html">http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-August/004310.html</a>;
<br>
Beta 4 December 4, 2019:
<a class="moz-txt-link-freetext" href="http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-December/004455.html">http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-December/004455.html</a>
<br>
<br>
Decision due no later than the first Board meeting after January 4,
2020.<br>
<br>
<u>License Review Committee Recommendation</u>: <br>
<br>
<i>Resolved that it is the opinion of the OSI that the Cryptographic
Autonomy License Beta 4 be approved for the Uncategorized Licenses
category.</i><br>
<br>
<u>Rationale Document</u><u><br>
</u><br>
<u>Notes</u>:<br>
<br>
The four versions of the license submitted were heavily reviewed, in
discussion for five months with over 350 emails submitted to
license-review. The OSI Board reached out during its affiliate calls
and on Twitter to ensure that everyone was aware that the license
was under discussion in an effort to have as many participants as
possible in the discussion. The last email discussing the substance
of the license was on January 5, 2020, followed by a call for a
straw poll on February 6, 2020. In response there were three “yes”
answers and one “more discussion needed.”<br>
<br>
The following criticisms were raised in the review process and there
were strong views of both sides of many of them. The License
Committee considered all the arguments, occasionally asking for
additional information or clarification to ensure that the point was
discussed fully and the argument was clear. Ultimately, as explained
below, the License Committee did not view any of the criticisms as
barriers to approval.<br>
<br>
<i>The CAL allows for assertion of copyright against APIs</i>. The
license is written so that the copyleft obligation reaches to the
full extent of the licensor’s copyright rights. As a comparison, the
GPL imposes copyleft only when software is distributed, not when it
is used in other ways that might nevertheless also implicate
copyright, such as making available over a network. While the reach
of the copyleft in this license is very far, it is not conceptually
any further than some other approved network copyleft licenses. The
reach of the copyleft is also dependent on the interpretation of the
rights of copyright under each countries’ laws, so the copyleft
effect will be limited by how each country interprets copyright
rights. <br>
<br>
<i>The CAL applies to data, not just software</i>. The data aspect
of the license is narrowly written to only apply where the absence
of data will prevent the reimplementation of the software by
another, as seen in the definition of “User Data”: “any data that is
an input to or an output from the Work, where the presence of the
data is necessary for substantially identical use of the Work in an
equivalent context chosen by the Recipient, and where the Recipient
has an existing ownership interest, an existing right to possess, or
where the data has been generated by, for, or has been assigned to
the Recipient.” Section 4.2. This requirement is consistent with the
anti-Tivoization principle in the family of GNU Public LIcenses
version 3.<br>
<br>
<i>A private user of the software still has a burden, to provide
User Data</i>. This is incorrect, the duty to provide User Data is
only if the software is used to provide services to a Recipient.
Section 4.2.1.<br>
<br>
<i>The terms "fully use an independent copy" and "substantially
identical use of the work" are ambiguous</i>. It is not possible
to anticipate and then dictate the outcome for every potential
factual situation. Written legal documents commonly use words that
allow for the construction of a more exact scope when the context is
known.<br>
<br>
<i>The CAL allows the licensor to prevent competitive
implementations through the use of patents, and the license
steward’s client would be motivated to do so to avoid
sequestration of data by another</i>. Patents can be used to
prevent a competitive implementation no matter what the open source
license is, and different licensors may have different interests
they wish to protect, using their patents to do so. The CAL is no
different from other open source licenses in this respect.<br>
<br>
<i>A recipient of the source code and User Data may not know whether
they are complying with Section 4.2</i>. Section 4.2.1 requires
the disclosure of User Data only where the software user is
providing services to a Recipient and only to the extent that the
User Data is available to them. This is not an unduly onerous
requirement.<br>
<br>
<i>Providing User Data is too burdensome, particularly for less
sophisticated users</i>. All open source licenses have a
compliance burden, some significant. This burden was not seen as
overly burdensome given the goal of the license to avoid
sequestration of User Data.<br>
<br>
<i>The CAL can be exploited in a dual-licensing scheme</i>. Copyleft
licenses have been exploited in dual licensing schemes for over a
decade. This license is unlikely to increase the behavior and the
risk is tolerable given the potential benefit to software freedom
this license offers.<br>
<br>
There were also objections raised about the OSI’s review process
itself, which are not pertinent to the substance of the license.<br>
<br>
<u>Exhibit A</u><br>
<br>
#Cryptographic Autonomy License version 1.0<br>
<br>
*This Cryptographic Autonomy License (the “License”) applies to any
Work whose owner has marked it with any of the following notices:*<br>
<br>
*“Licensed under the Cryptographic Autonomy License version 1.0,” or<br>
“SPDX-License-Identifier: CAL-1.0,” or*<br>
<br>
*“Licensed under the Cryptographic Autonomy License version 1.0,
with Combined Work Exception,” or*<br>
<br>
*“SPDX-License-Identifier: CAL-1.0-With-Exception”.*<br>
_________________________________________________________________<br>
<br>
<br>
## 1. Purpose<br>
This License gives You unlimited permission to use and modify the
software to which it applies (the “Work”), either as-is or in
modified form, for Your private purposes, while protecting the
owners and contributors to the software from liability. <br>
<br>
This License also strives to protect the freedom and autonomy of
third parties who receive the Work from you. If any non-affiliated
third party receives any part, aspect, or element of the Work from
You, this License requires that You provide that third party all the
permissions and materials needed to independently use and modify the
Work without that third party having a loss of data or capability
due to your actions.<br>
<br>
The full permissions, conditions, and other terms are laid out
below.<br>
<br>
## 2. Receiving a License<br>
In order to receive this License, You must agree to its rules. The
rules of this License are both obligations of Your agreement with
the Licensor and conditions to your License. You must not do
anything with the Work that triggers a rule You cannot or will not
follow. <br>
<br>
### 2.1. Application<br>
The terms of this License apply to the Work as you receive it from
Licensor, as well as to any modifications, elaborations, or
implementations created by You that contain any licenseable portion
of the Work (a “Modified Work”). Unless specified, any reference to
the Work also applies to a Modified Work.<br>
<br>
### 2.2. Offer and Acceptance<br>
This License is automatically offered to every person and
organization. You show that you accept this License and agree to its
conditions by taking any action with the Work that, absent this
License, would infringe any intellectual property right held by
Licensor. <br>
### 2.3. Compliance and Remedies<br>
Any failure to act according to the terms and conditions of this
License places Your use of the Work outside the scope of the License
and infringes the intellectual property rights of the Licensor. In
the event of infringement, the terms and conditions of this License
may be enforced by Licensor under the intellectual property laws of
any jurisdiction to which You are subject. You also agree that
either the Licensor or a Recipient (as an intended third-party
beneficiary) may enforce the terms and conditions of this License
against You via specific performance.<br>
<br>
## 3. Permissions and Conditions<br>
### 3.1. Permissions Granted<br>
Conditioned on compliance with section 4, and subject to the
limitations of section 3.2, Licensor grants You the world-wide,
royalty-free, non-exclusive permission to:<br>
> a) Take any action with the Work that would infringe the
non-patent intellectual property laws of any jurisdiction to which
You are subject; and<br>
<br>
> b) Take any action with the Work that would infringe any
patent claims that Licensor can license or becomes able to license,
to the extent that those claims are embodied in the Work as
distributed by Licensor.<br>
<br>
### 3.2. Limitations on Permissions Granted<br>
The following limitations apply to the permissions granted in
section 3.1: <br>
> a) Licensor does not grant any patent license for claims that
are only infringed due to modification of the Work as provided by
Licensor, or the combination of the Work as provided by Licensor,
directly or indirectly, with any other component, including other
software or hardware.<br>
<br>
> b) Licensor does not grant any license to the trademarks,
service marks, or logos of Licensor, except to the extent necessary
to comply with the attribution conditions in section 4.1 of this
License.<br>
<br>
## 4. Conditions<br>
If You exercise any permission granted by this License, such that
the Work, or any part, aspect, or element of the Work, is
distributed, communicated, made available, or made perceptible to a
non-Affiliate third party (a “Recipient”), either via physical
delivery or via a network connection to the Recipient, You must
comply with the following conditions: <br>
<br>
### 4.1. Provide Access to Source Code<br>
Subject to the exception in section 4.4, You must provide to each
Recipient a copy of, or no-charge unrestricted network access to,
the Source Code corresponding to the Work.<br>
<br>
The “Source Code” of the Work means the form of the Work preferred
for making modifications, including any comments, configuration
information, documentation, help materials, installation
instructions, cryptographic seeds or keys, and any information
reasonably necessary for the Recipient to independently compile and
use the Source Code and to have full access to the functionality
contained in the Work.<br>
<br>
#### 4.1.1. Providing Network Access to the Source Code<br>
Network access to the Notices and Source Code may be provided by You
or by a third party, such as a public software repository, and must
persist during the same period in which You exercise any of the
permissions granted to You under this License and for at least one
year thereafter.<br>
<br>
#### 4.1.2. Source Code for a Modified Work<br>
Subject to the exception in section 4.5, You must provide to each
Recipient of a Modified Work Access to Source Code corresponding to
those portions of the Work remaining in the Modified Work as well as
the modifications used by You to create the Modified Work. The
Source Code corresponding to the modifications in the Modified Work
must be provided to the Recipient either a) under this License, or
b) under a Compatible Open Source License.<br>
<br>
A “Compatible Open Source License” means a license accepted by the
Open Source Initiative that allows object code created using both
Source Code provided under this License and Source Code provided
under the other open source license to be distributed together as a
single work.<br>
<br>
#### 4.1.3. Coordinated Disclosure of Security Vulnerabilities<br>
You may delay providing the Source Code corresponding to a
particular modification of the Work for up to ninety (90) days (the
“Embargo Period”) if:<br>
<br>
> a) the modification is intended to address a newly-identified
vulnerability or a security flaw in the Work, <br>
<br>
> b) disclosure of the vulnerability or security flaw before
the end of the Embargo Period would put the data, identity, or
autonomy of one or more Recipients of the Work at significant risk,<br>
<br>
> c) You are participating in a coordinated disclosure of the
vulnerability or security flaw with one or more additional
Licensees, and <br>
<br>
> d) Access to the Source Code pertaining to the modification
is provided to all Recipients at the end of the Embargo Period.<br>
<br>
### 4.2. Maintain User Autonomy<br>
In addition to providing each Recipient the opportunity to have
Access to the Source Code, You cannot use the permissions given
under this License to interfere with a Recipient’s ability to fully
use an independent copy of the Work generated from the Source Code
You provide with the Recipient’s own User Data.<br>
<br>
“User Data” means any data that is an input to or an output from the
Work, where the presence of the data is necessary for substantially
identical use of the Work in an equivalent context chosen by the
Recipient, and where the Recipient has an existing ownership
interest, an existing right to possess, or where the data has been
generated by, for, or has been assigned to the Recipient.<br>
<br>
#### 4.2.1. No Withholding User Data<br>
Throughout any period in which You exercise any of the permissions
granted to You under this License, You must also provide to any
Recipient to whom you provide services via the Work, a no-charge
copy, provided in a commonly used electronic form, of the
Recipient’s User Data in your possession, to the extent that such
User Data is available to You for use in conjunction with the Work.
<br>
<br>
#### 4.2.2. No Technical Measures that Limit Access<br>
You may not, by means of the use cryptographic methods applied to
anything provided to the Recipient, by possession or control of
cryptographic keys, seeds, hashes, by any other technological
protection measures, or by any other method, limit a Recipient’s
ability to access any functionality present in Recipient's
independent copy of the Work, or to deny a Recipient full control of
the Recipient’s User Data.<br>
<br>
#### 4.2.3. No Legal or Contractual Measures that Limit Access<br>
You may not contractually restrict a Recipient's ability to
independently exercise the permissions granted under this License.
You waive any legal power to forbid circumvention of technical
protection measures that include use of the Work, and You waive any
claim that the capabilities of the Work were limited or modified as
a means of enforcing the legal rights of third parties against
Recipients.<br>
<br>
### 4.3. Provide Notices and Attribution<br>
You must retain all licensing, authorship, or attribution notices
contained in the Source Code (the “Notices”), and provide all such
Notices to each Recipient, together with a statement acknowledging
the use of the Work. Notices may be provided directly to a Recipient
or via an easy-to-find hyperlink to an Internet location also
providing Access to Source Code.<br>
<br>
### 4.4. Scope of Conditions in this License<br>
You are required to uphold the conditions of this License only
relative to those who are Recipients of the Work from You. Other
than providing Recipients with the applicable Notices, Access to
Source Code, and a copy of and full control of their User Data,
nothing in this License requires You to provide processing services
to or engage in network interactions with anyone.<br>
<br>
### 4.5. Combined Work Exception<br>
As an exception to condition that You provide Recipients Access to
Source Code, any Source Code files marked by the Licensor as having
the “Combined Work Exception,” or any object code exclusively
resulting from Source Code files so marked, may be combined with
other Software into a “Larger Work.” So long as you comply with the
requirements to provide Recipients the applicable Notices and Access
to the Source Code provided to You by Licensor, and you provide
Recipients access to their User Data and do not limit Recipient’s
ability to independently work with their User Data, any other
Software in the Larger Work as well as the Larger Work as a whole
may be licensed under the terms of your choice.<br>
<br>
## 5. Term and Termination<br>
The term of this License begins when You receive the Work, and
continues until terminated for any of the reasons described herein,
or until all Licensor’s intellectual property rights in the Software
expire, whichever comes first (“Term”). This License cannot be
revoked, only terminated for the reasons listed below.<br>
<br>
### 5.1. Effect of Termination<br>
If this License is terminated for any reason, all permissions
granted to You under Section 3 by any Licensor automatically
terminate. You will immediately cease exercising any permissions
granted in this License relative to the Work, including as part of
any Modified Work.<br>
<br>
### 5.2. Termination for Non-Compliance; Reinstatement<br>
This License terminates automatically if You fail to comply with any
of the conditions in section 4. As a special exception to
termination for non-compliance, Your permissions for the Work under
this License will automatically be reinstated if You come into
compliance with all the conditions in section 2 within sixty (60)
days of being notified by Licensor or an intended third party
beneficiary of Your noncompliance. You are eligible for
reinstatement of permissions for the Work one time only, and only
for the sixty days immediately after becoming aware of
noncompliance. Loss of permissions granted for the Work under this
License due to either a) sustained noncompliance lasting more than
sixty days or b) subsequent termination for noncompliance after
reinstatement, is permanent, unless rights are specifically restored
by Licensor in writing.<br>
<br>
### 5.3. Termination Due to Litigation<br>
If You initiate litigation against Licensor, or any Recipient of the
Work, either direct or indirect, asserting that the Work directly or
indirectly infringes any patent, then all permissions granted to You
by this License shall terminate. In the event of termination due to
litigation, all permissions validly granted by You under this
License, directly or indirectly, shall survive termination.
Administrative review procedures, declaratory judgment actions,
counterclaims in response to patent litigation, and enforcement
actions against former Licensees terminated under this section do
not cause termination due to litigation.<br>
<br>
## 6. Disclaimer of Warranty and Limit on Liability<br>
As far as the law allows, the Work comes AS-IS, without any warranty
of any kind, and no Licensor or contributor will be liable to anyone
for any damages related to this software or this license, under any
kind of legal claim, or for any type of damages, including indirect,
special, incidental, or consequential damages of any type arising as
a result of this License or the use of the Work including, without
limitation, damages for loss of goodwill, work stoppage, computer
failure or malfunction, loss of profits, revenue, or any and all
other commercial damages or losses.<br>
<br>
## 7. Other Provisions<br>
### 7.1. Affiliates<br>
An “Affiliate” means any other entity that, directly or indirectly
through one or more intermediaries, controls, is controlled by, or
is under common control with, the Licensee. Employees of a Licensee
and natural persons acting as contractors exclusively providing
services to Licensee are also Affiliates.<br>
<br>
### 7.2. Choice of Jurisdiction and Governing Law<br>
A Licensor may require that any action or suit by a Licensee
relating to a Work provided by Licensor under this License may be
brought only in the courts of a particular jurisdiction and under
the laws of a particular jurisdiction (excluding its conflict-of-law
provisions), if Licensor provides conspicuous notice of the
particular jurisdiction to all Licensees.<br>
<br>
### 7.3. No Sublicensing<br>
This License is not sublicensable. Each time You provide the Work or
a Modified Work to a Recipient, the Recipient automatically receives
a license under the terms described in this License. You may not
impose any further reservations, conditions, or other provisions on
any Recipients’ exercise of the permissions granted herein.<br>
<br>
### 7.4. Attorneys' Fees <br>
In any action to enforce the terms of this License, or seeking
damages relating thereto, including by an intended third party
beneficiary, the prevailing party shall be entitled to recover its
costs and expenses, including, without limitation, reasonable
attorneys' fees and costs incurred in connection with such action,
including any appeal of such action. A “prevailing party” is the
party that achieves, or avoids, compliance with this License,
including through settlement. This section shall survive the
termination of this License.<br>
<br>
### 7.5. No Waiver <br>
Any failure by Licensor to enforce any provision of this License
will not constitute a present or future waiver of such provision nor
limit Licensor’s ability to enforce such provision at a later time.<br>
<br>
### 7.6. Severability <br>
If any provision of this License is held to be unenforceable, such
provision shall be reformed only to the extent necessary to make it
enforceable. Any invalid or unenforceable portion will be
interpreted to the effect and intent of the original portion. If
such a construction is not possible, the invalid or unenforceable
portion will be severed from this License but the rest of this
License will remain in full force and effect.<br>
<br>
### 7.7. License for the Text of this License<br>
The text of this license is released under the Creative Commons
Attribution-ShareAlike 4.0 International License, with the caveat
that any modifications of this license may not use the name
“Cryptographic Autonomy License” or any name confusingly similar
thereto to describe any derived work of this License.<br>
<br>
<br>
<br>
<div class="moz-signature">Pamela Chestek<br>
Chair, License Review Committee<br>
Open Source Initiative</div>
<br>
On 12/4/2019 3:29 PM, VanL wrote:<br>
<blockquote type="cite"
cite="mid:CAFQvZENh-iZjN-FZ1UROZy94XuUYzSwVrgxSwKve5X1Hjxx6bQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div>
Based upon ongoing discussions with the license review
committee, I am withdrawing Beta 3 and substituting Beta 4
(here attached).</div>
<div><br>
</div>
<div>The primary change between Beta 3 and Beta 4 is the
definition of "User Data."<br>
</div>
<div><br>
</div>
<div>My understanding of OSI's position is that data
requirements, such as are addressed by the CAL, are within
scope of what an open source license can reasonably address.
However, there was a request by the committee to more tightly
define the definition of "User Data" so that it was more
closely tied to function and experience of using the software
by a user who chooses to self-host.</div>
<div><br>
</div>
<div>In consultation with my client, we have proposed and
received positive feedback on the following modified
definition of User Data (most significant change bolded):<br>
</div>
<div><br>
</div>
<div>
“User Data” means any data that is an input to or an output
from the Work, <b>where the presence of the data is necessary
for substantially identical use of the Work in an equivalent
context chosen by the Recipient</b>, and where the Recipient
has an existing ownership interest, an existing right to
possess, or where the data has been generated by, for, or has
been assigned to the Recipient.</div>
<div><br>
</div>
<div>There are also a few cleanups and the following minor but
substantive changes:</div>
<div>- Section 7.4, There is a definition of "prevailing party"
for attorney fee awards (" A “prevailing party” is the party
that achieves, or avoids, compliance with this License,
including through settlement.")<br>
- Section 5.3, Enforcing against a terminated licensee does
not cause termination for the license-enforcing party
("Administrative review procedures, declaratory judgment
actions, counterclaims in response to patent litigation, and
enforcement actions against former Licensees terminated under
this section do not cause termination due to litigation.")</div>
<div><br>
</div>
<div>All other discussion regarding CAL Betas 2 and 3 should
apply. <br>
</div>
<div><br>
</div>
<div>From the original submission:</div>
<div><br>
</div>
<div>
<div><em>Rationale:</em> The CAL is a new network copyleft
license especially applicable for distributed systems. It is
designed to be as protective as possible of downstream
recipients of the software, providing them all that they
need to create and use an independent copy of a licensed
work without losing functionality or data.<em><br>
</em></div>
<div><em><br>
</em></div>
<div><em>Distinguish:</em> The CAL is most similar to the
AGPL, and will have a similar scope of action in most cases.
However, the CAL has provisions that require that operators
provide recipients of the software with a copy of their user
data, enhancing their ability to independently use the
software. The CAL also allows the creation of mixed "Larger
Works," provides for affiliate use, and does not specify a
mechanism by which notice is given to recipients.<br>
</div>
<div><br>
</div>
<div><i>Legal Analysis</i>: The CAL was drafted by legal
counsel. Previous discussions have outlined many aspects of
the legal analysis.</div>
<div><br>
</div>
<div>A copy the the license in Markdown format is attached.
For those who would prefer it, a Google Docs version of the
license is viewable here: <a
href="https://docs.google.com/document/d/1-eD9EH6i3wdSXgG4XJbF-a0cSSknOERjYzlVonOwAQ0/edit?usp=sharing"
moz-do-not-send="true">https://docs.google.com/document/d/1-eD9EH6i3wdSXgG4XJbF-a0cSSknOERjYzlVonOwAQ0/edit?usp=sharing</a>
<br>
</div>
</div>
<div><br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
License-review mailing list
<a class="moz-txt-link-abbreviated" href="mailto:License-review@lists.opensource.org">License-review@lists.opensource.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org">http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org</a>
</pre>
</blockquote>
<br>
</body>
</html>