<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
At the Board meeting of February 14, 2020, the Board of the Open
Source Initiative approved the Cryptographic Autonomy License, Beta
4. The Board discussed the additional emails sent after the License
Committee made its recommendation to the Board and found that they
did not raise issues not previously considered. The vote was 8 in
favor of approval, 0 opposed, 1 abstention, and 2 members not
present.<br>
<br>
Pam<br>
<br>
<div class="moz-signature">Pamela Chestek<br>
Chair, License Review committee<br>
Open Source Initiative<br>
<br>
</div>
<div class="moz-cite-prefix">On 2/9/2020 2:27 PM, Pamela Chestek
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:8cba2522-0173-ab6e-2ca8-5884dda22bdf@opensource.org">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
To the Board of the OSI and the License-Review list:<br>
<br>
Below is the recommendation of the License Committee of the Open
Source Initiative on the Cryptographic Autonomy License, Beta 4.<br>
<br>
****<br>
<br>
License: Cryptographic Autonomy License Beta 4 (Exhibit A)<br>
Submitted: <br>
Beta 2 August 22, 2019:
<a class="moz-txt-link-freetext"
href="http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-August/004310.html"
moz-do-not-send="true">http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-August/004310.html</a>
<br>
Beta 3 August 22, 2019:
<a class="moz-txt-link-freetext"
href="http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-August/004310.html"
moz-do-not-send="true">http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-August/004310.html</a>;
<br>
Beta 4 December 4, 2019:
<a class="moz-txt-link-freetext"
href="http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-December/004455.html"
moz-do-not-send="true">http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-December/004455.html</a>
<br>
<br>
Decision due no later than the first Board meeting after January
4, 2020.<br>
<br>
<u>License Review Committee Recommendation</u>: <br>
<br>
<i>Resolved that it is the opinion of the OSI that the
Cryptographic Autonomy License Beta 4 be approved for the
Uncategorized Licenses category.</i><br>
<br>
<u>Rationale Document</u><u><br>
</u><br>
<u>Notes</u>:<br>
<br>
The four versions of the license submitted were heavily reviewed,
in discussion for five months with over 350 emails submitted to
license-review. The OSI Board reached out during its affiliate
calls and on Twitter to ensure that everyone was aware that the
license was under discussion in an effort to have as many
participants as possible in the discussion. The last email
discussing the substance of the license was on January 5, 2020,
followed by a call for a straw poll on February 6, 2020. In
response there were three “yes” answers and one “more discussion
needed.”<br>
<br>
The following criticisms were raised in the review process and
there were strong views of both sides of many of them. The License
Committee considered all the arguments, occasionally asking for
additional information or clarification to ensure that the point
was discussed fully and the argument was clear. Ultimately, as
explained below, the License Committee did not view any of the
criticisms as barriers to approval.<br>
<br>
<i>The CAL allows for assertion of copyright against APIs</i>. The
license is written so that the copyleft obligation reaches to the
full extent of the licensor’s copyright rights. As a comparison,
the GPL imposes copyleft only when software is distributed, not
when it is used in other ways that might nevertheless also
implicate copyright, such as making available over a network.
While the reach of the copyleft in this license is very far, it is
not conceptually any further than some other approved network
copyleft licenses. The reach of the copyleft is also dependent on
the interpretation of the rights of copyright under each
countries’ laws, so the copyleft effect will be limited by how
each country interprets copyright rights. <br>
<br>
<i>The CAL applies to data, not just software</i>. The data aspect
of the license is narrowly written to only apply where the absence
of data will prevent the reimplementation of the software by
another, as seen in the definition of “User Data”: “any data that
is an input to or an output from the Work, where the presence of
the data is necessary for substantially identical use of the Work
in an equivalent context chosen by the Recipient, and where the
Recipient has an existing ownership interest, an existing right to
possess, or where the data has been generated by, for, or has been
assigned to the Recipient.” Section 4.2. This requirement is
consistent with the anti-Tivoization principle in the family of
GNU Public LIcenses version 3.<br>
<br>
<i>A private user of the software still has a burden, to provide
User Data</i>. This is incorrect, the duty to provide User Data
is only if the software is used to provide services to a
Recipient. Section 4.2.1.<br>
<br>
<i>The terms "fully use an independent copy" and "substantially
identical use of the work" are ambiguous</i>. It is not possible
to anticipate and then dictate the outcome for every potential
factual situation. Written legal documents commonly use words that
allow for the construction of a more exact scope when the context
is known.<br>
<br>
<i>The CAL allows the licensor to prevent competitive
implementations through the use of patents, and the license
steward’s client would be motivated to do so to avoid
sequestration of data by another</i>. Patents can be used to
prevent a competitive implementation no matter what the open
source license is, and different licensors may have different
interests they wish to protect, using their patents to do so. The
CAL is no different from other open source licenses in this
respect.<br>
<br>
<i>A recipient of the source code and User Data may not know
whether they are complying with Section 4.2</i>. Section 4.2.1
requires the disclosure of User Data only where the software user
is providing services to a Recipient and only to the extent that
the User Data is available to them. This is not an unduly onerous
requirement.<br>
<br>
<i>Providing User Data is too burdensome, particularly for less
sophisticated users</i>. All open source licenses have a
compliance burden, some significant. This burden was not seen as
overly burdensome given the goal of the license to avoid
sequestration of User Data.<br>
<br>
<i>The CAL can be exploited in a dual-licensing scheme</i>.
Copyleft licenses have been exploited in dual licensing schemes
for over a decade. This license is unlikely to increase the
behavior and the risk is tolerable given the potential benefit to
software freedom this license offers.<br>
<br>
There were also objections raised about the OSI’s review process
itself, which are not pertinent to the substance of the license.<br>
<br>
<u>Exhibit A</u><br>
<br>
#Cryptographic Autonomy License version 1.0<br>
<br>
*This Cryptographic Autonomy License (the “License”) applies to
any Work whose owner has marked it with any of the following
notices:*<br>
<br>
*“Licensed under the Cryptographic Autonomy License version 1.0,”
or<br>
“SPDX-License-Identifier: CAL-1.0,” or*<br>
<br>
*“Licensed under the Cryptographic Autonomy License version 1.0,
with Combined Work Exception,” or*<br>
<br>
*“SPDX-License-Identifier: CAL-1.0-With-Exception”.*<br>
_________________________________________________________________<br>
<br>
<br>
## 1. Purpose<br>
This License gives You unlimited permission to use and modify the
software to which it applies (the “Work”), either as-is or in
modified form, for Your private purposes, while protecting the
owners and contributors to the software from liability. <br>
<br>
This License also strives to protect the freedom and autonomy of
third parties who receive the Work from you. If any
non-affiliated third party receives any part, aspect, or element
of the Work from You, this License requires that You provide that
third party all the permissions and materials needed to
independently use and modify the Work without that third party
having a loss of data or capability due to your actions.<br>
<br>
The full permissions, conditions, and other terms are laid out
below.<br>
<br>
## 2. Receiving a License<br>
In order to receive this License, You must agree to its rules. The
rules of this License are both obligations of Your agreement with
the Licensor and conditions to your License. You must not do
anything with the Work that triggers a rule You cannot or will not
follow. <br>
<br>
### 2.1. Application<br>
The terms of this License apply to the Work as you receive it from
Licensor, as well as to any modifications, elaborations, or
implementations created by You that contain any licenseable
portion of the Work (a “Modified Work”). Unless specified, any
reference to the Work also applies to a Modified Work.<br>
<br>
### 2.2. Offer and Acceptance<br>
This License is automatically offered to every person and
organization. You show that you accept this License and agree to
its conditions by taking any action with the Work that, absent
this License, would infringe any intellectual property right held
by Licensor. <br>
### 2.3. Compliance and Remedies<br>
Any failure to act according to the terms and conditions of this
License places Your use of the Work outside the scope of the
License and infringes the intellectual property rights of the
Licensor. In the event of infringement, the terms and conditions
of this License may be enforced by Licensor under the intellectual
property laws of any jurisdiction to which You are subject. You
also agree that either the Licensor or a Recipient (as an intended
third-party beneficiary) may enforce the terms and conditions of
this License against You via specific performance.<br>
<br>
## 3. Permissions and Conditions<br>
### 3.1. Permissions Granted<br>
Conditioned on compliance with section 4, and subject to the
limitations of section 3.2, Licensor grants You the world-wide,
royalty-free, non-exclusive permission to:<br>
> a) Take any action with the Work that would infringe the
non-patent intellectual property laws of any jurisdiction to which
You are subject; and<br>
<br>
> b) Take any action with the Work that would infringe any
patent claims that Licensor can license or becomes able to
license, to the extent that those claims are embodied in the Work
as distributed by Licensor.<br>
<br>
### 3.2. Limitations on Permissions Granted<br>
The following limitations apply to the permissions granted in
section 3.1: <br>
> a) Licensor does not grant any patent license for claims
that are only infringed due to modification of the Work as
provided by Licensor, or the combination of the Work as provided
by Licensor, directly or indirectly, with any other component,
including other software or hardware.<br>
<br>
> b) Licensor does not grant any license to the trademarks,
service marks, or logos of Licensor, except to the extent
necessary to comply with the attribution conditions in section 4.1
of this License.<br>
<br>
## 4. Conditions<br>
If You exercise any permission granted by this License, such that
the Work, or any part, aspect, or element of the Work, is
distributed, communicated, made available, or made perceptible to
a non-Affiliate third party (a “Recipient”), either via physical
delivery or via a network connection to the Recipient, You must
comply with the following conditions: <br>
<br>
### 4.1. Provide Access to Source Code<br>
Subject to the exception in section 4.4, You must provide to each
Recipient a copy of, or no-charge unrestricted network access to,
the Source Code corresponding to the Work.<br>
<br>
The “Source Code” of the Work means the form of the Work preferred
for making modifications, including any comments, configuration
information, documentation, help materials, installation
instructions, cryptographic seeds or keys, and any information
reasonably necessary for the Recipient to independently compile
and use the Source Code and to have full access to the
functionality contained in the Work.<br>
<br>
#### 4.1.1. Providing Network Access to the Source Code<br>
Network access to the Notices and Source Code may be provided by
You or by a third party, such as a public software repository, and
must persist during the same period in which You exercise any of
the permissions granted to You under this License and for at least
one year thereafter.<br>
<br>
#### 4.1.2. Source Code for a Modified Work<br>
Subject to the exception in section 4.5, You must provide to each
Recipient of a Modified Work Access to Source Code corresponding
to those portions of the Work remaining in the Modified Work as
well as the modifications used by You to create the Modified Work.
The Source Code corresponding to the modifications in the Modified
Work must be provided to the Recipient either a) under this
License, or b) under a Compatible Open Source License.<br>
<br>
A “Compatible Open Source License” means a license accepted by the
Open Source Initiative that allows object code created using both
Source Code provided under this License and Source Code provided
under the other open source license to be distributed together as
a single work.<br>
<br>
#### 4.1.3. Coordinated Disclosure of Security Vulnerabilities<br>
You may delay providing the Source Code corresponding to a
particular modification of the Work for up to ninety (90) days
(the “Embargo Period”) if:<br>
<br>
> a) the modification is intended to address a
newly-identified vulnerability or a security flaw in the Work, <br>
<br>
> b) disclosure of the vulnerability or security flaw before
the end of the Embargo Period would put the data, identity, or
autonomy of one or more Recipients of the Work at significant
risk,<br>
<br>
> c) You are participating in a coordinated disclosure of the
vulnerability or security flaw with one or more additional
Licensees, and <br>
<br>
> d) Access to the Source Code pertaining to the modification
is provided to all Recipients at the end of the Embargo Period.<br>
<br>
### 4.2. Maintain User Autonomy<br>
In addition to providing each Recipient the opportunity to have
Access to the Source Code, You cannot use the permissions given
under this License to interfere with a Recipient’s ability to
fully use an independent copy of the Work generated from the
Source Code You provide with the Recipient’s own User Data.<br>
<br>
“User Data” means any data that is an input to or an output from
the Work, where the presence of the data is necessary for
substantially identical use of the Work in an equivalent context
chosen by the Recipient, and where the Recipient has an existing
ownership interest, an existing right to possess, or where the
data has been generated by, for, or has been assigned to the
Recipient.<br>
<br>
#### 4.2.1. No Withholding User Data<br>
Throughout any period in which You exercise any of the permissions
granted to You under this License, You must also provide to any
Recipient to whom you provide services via the Work, a no-charge
copy, provided in a commonly used electronic form, of the
Recipient’s User Data in your possession, to the extent that such
User Data is available to You for use in conjunction with the
Work. <br>
<br>
#### 4.2.2. No Technical Measures that Limit Access<br>
You may not, by means of the use cryptographic methods applied to
anything provided to the Recipient, by possession or control of
cryptographic keys, seeds, hashes, by any other technological
protection measures, or by any other method, limit a Recipient’s
ability to access any functionality present in Recipient's
independent copy of the Work, or to deny a Recipient full control
of the Recipient’s User Data.<br>
<br>
#### 4.2.3. No Legal or Contractual Measures that Limit Access<br>
You may not contractually restrict a Recipient's ability to
independently exercise the permissions granted under this License.
You waive any legal power to forbid circumvention of technical
protection measures that include use of the Work, and You waive
any claim that the capabilities of the Work were limited or
modified as a means of enforcing the legal rights of third parties
against Recipients.<br>
<br>
### 4.3. Provide Notices and Attribution<br>
You must retain all licensing, authorship, or attribution notices
contained in the Source Code (the “Notices”), and provide all such
Notices to each Recipient, together with a statement acknowledging
the use of the Work. Notices may be provided directly to a
Recipient or via an easy-to-find hyperlink to an Internet location
also providing Access to Source Code.<br>
<br>
### 4.4. Scope of Conditions in this License<br>
You are required to uphold the conditions of this License only
relative to those who are Recipients of the Work from You. Other
than providing Recipients with the applicable Notices, Access to
Source Code, and a copy of and full control of their User Data,
nothing in this License requires You to provide processing
services to or engage in network interactions with anyone.<br>
<br>
### 4.5. Combined Work Exception<br>
As an exception to condition that You provide Recipients Access to
Source Code, any Source Code files marked by the Licensor as
having the “Combined Work Exception,” or any object code
exclusively resulting from Source Code files so marked, may be
combined with other Software into a “Larger Work.” So long as you
comply with the requirements to provide Recipients the applicable
Notices and Access to the Source Code provided to You by Licensor,
and you provide Recipients access to their User Data and do not
limit Recipient’s ability to independently work with their User
Data, any other Software in the Larger Work as well as the Larger
Work as a whole may be licensed under the terms of your choice.<br>
<br>
## 5. Term and Termination<br>
The term of this License begins when You receive the Work, and
continues until terminated for any of the reasons described
herein, or until all Licensor’s intellectual property rights in
the Software expire, whichever comes first (“Term”). This License
cannot be revoked, only terminated for the reasons listed below.<br>
<br>
### 5.1. Effect of Termination<br>
If this License is terminated for any reason, all permissions
granted to You under Section 3 by any Licensor automatically
terminate. You will immediately cease exercising any permissions
granted in this License relative to the Work, including as part of
any Modified Work.<br>
<br>
### 5.2. Termination for Non-Compliance; Reinstatement<br>
This License terminates automatically if You fail to comply with
any of the conditions in section 4. As a special exception to
termination for non-compliance, Your permissions for the Work
under this License will automatically be reinstated if You come
into compliance with all the conditions in section 2 within sixty
(60) days of being notified by Licensor or an intended third party
beneficiary of Your noncompliance. You are eligible for
reinstatement of permissions for the Work one time only, and only
for the sixty days immediately after becoming aware of
noncompliance. Loss of permissions granted for the Work under this
License due to either a) sustained noncompliance lasting more than
sixty days or b) subsequent termination for noncompliance after
reinstatement, is permanent, unless rights are specifically
restored by Licensor in writing.<br>
<br>
### 5.3. Termination Due to Litigation<br>
If You initiate litigation against Licensor, or any Recipient of
the Work, either direct or indirect, asserting that the Work
directly or indirectly infringes any patent, then all permissions
granted to You by this License shall terminate. In the event of
termination due to litigation, all permissions validly granted by
You under this License, directly or indirectly, shall survive
termination. Administrative review procedures, declaratory
judgment actions, counterclaims in response to patent litigation,
and enforcement actions against former Licensees terminated under
this section do not cause termination due to litigation.<br>
<br>
## 6. Disclaimer of Warranty and Limit on Liability<br>
As far as the law allows, the Work comes AS-IS, without any
warranty of any kind, and no Licensor or contributor will be
liable to anyone for any damages related to this software or this
license, under any kind of legal claim, or for any type of
damages, including indirect, special, incidental, or consequential
damages of any type arising as a result of this License or the use
of the Work including, without limitation, damages for loss of
goodwill, work stoppage, computer failure or malfunction, loss of
profits, revenue, or any and all other commercial damages or
losses.<br>
<br>
## 7. Other Provisions<br>
### 7.1. Affiliates<br>
An “Affiliate” means any other entity that, directly or indirectly
through one or more intermediaries, controls, is controlled by, or
is under common control with, the Licensee. Employees of a
Licensee and natural persons acting as contractors exclusively
providing services to Licensee are also Affiliates.<br>
<br>
### 7.2. Choice of Jurisdiction and Governing Law<br>
A Licensor may require that any action or suit by a Licensee
relating to a Work provided by Licensor under this License may be
brought only in the courts of a particular jurisdiction and under
the laws of a particular jurisdiction (excluding its
conflict-of-law provisions), if Licensor provides conspicuous
notice of the particular jurisdiction to all Licensees.<br>
<br>
### 7.3. No Sublicensing<br>
This License is not sublicensable. Each time You provide the Work
or a Modified Work to a Recipient, the Recipient automatically
receives a license under the terms described in this License. You
may not impose any further reservations, conditions, or other
provisions on any Recipients’ exercise of the permissions granted
herein.<br>
<br>
### 7.4. Attorneys' Fees <br>
In any action to enforce the terms of this License, or seeking
damages relating thereto, including by an intended third party
beneficiary, the prevailing party shall be entitled to recover its
costs and expenses, including, without limitation, reasonable
attorneys' fees and costs incurred in connection with such action,
including any appeal of such action. A “prevailing party” is the
party that achieves, or avoids, compliance with this License,
including through settlement. This section shall survive the
termination of this License.<br>
<br>
### 7.5. No Waiver <br>
Any failure by Licensor to enforce any provision of this License
will not constitute a present or future waiver of such provision
nor limit Licensor’s ability to enforce such provision at a later
time.<br>
<br>
### 7.6. Severability <br>
If any provision of this License is held to be unenforceable, such
provision shall be reformed only to the extent necessary to make
it enforceable. Any invalid or unenforceable portion will be
interpreted to the effect and intent of the original portion. If
such a construction is not possible, the invalid or unenforceable
portion will be severed from this License but the rest of this
License will remain in full force and effect.<br>
<br>
### 7.7. License for the Text of this License<br>
The text of this license is released under the Creative Commons
Attribution-ShareAlike 4.0 International License, with the caveat
that any modifications of this license may not use the name
“Cryptographic Autonomy License” or any name confusingly similar
thereto to describe any derived work of this License.<br>
<br>
<br>
<br>
<div class="moz-signature">Pamela Chestek<br>
Chair, License Review Committee<br>
Open Source Initiative</div>
<br>
On 12/4/2019 3:29 PM, VanL wrote:<br>
<blockquote type="cite"
cite="mid:CAFQvZENh-iZjN-FZ1UROZy94XuUYzSwVrgxSwKve5X1Hjxx6bQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
<div dir="ltr">
<div> Based upon ongoing discussions with the license review
committee, I am withdrawing Beta 3 and substituting Beta 4
(here attached).</div>
<div><br>
</div>
<div>The primary change between Beta 3 and Beta 4 is the
definition of "User Data."<br>
</div>
<div><br>
</div>
<div>My understanding of OSI's position is that data
requirements, such as are addressed by the CAL, are within
scope of what an open source license can reasonably address.
However, there was a request by the committee to more
tightly define the definition of "User Data" so that it was
more closely tied to function and experience of using the
software by a user who chooses to self-host.</div>
<div><br>
</div>
<div>In consultation with my client, we have proposed and
received positive feedback on the following modified
definition of User Data (most significant change bolded):<br>
</div>
<div><br>
</div>
<div> “User Data” means any data that is an input to or an
output from the Work, <b>where the presence of the data is
necessary for substantially identical use of the Work in
an equivalent context chosen by the Recipient</b>, and
where the Recipient has an existing ownership interest, an
existing right to possess, or where the data has been
generated by, for, or has been assigned to the Recipient.</div>
<div><br>
</div>
<div>There are also a few cleanups and the following minor but
substantive changes:</div>
<div>- Section 7.4, There is a definition of "prevailing
party" for attorney fee awards (" A “prevailing party” is
the party that achieves, or avoids, compliance with this
License, including through settlement.")<br>
- Section 5.3, Enforcing against a terminated licensee does
not cause termination for the license-enforcing party
("Administrative review procedures, declaratory judgment
actions, counterclaims in response to patent litigation, and
enforcement actions against former Licensees terminated
under this section do not cause termination due to
litigation.")</div>
<div><br>
</div>
<div>All other discussion regarding CAL Betas 2 and 3 should
apply. <br>
</div>
<div><br>
</div>
<div>From the original submission:</div>
<div><br>
</div>
<div>
<div><em>Rationale:</em> The CAL is a new network copyleft
license especially applicable for distributed systems. It
is designed to be as protective as possible of downstream
recipients of the software, providing them all that they
need to create and use an independent copy of a licensed
work without losing functionality or data.<em><br>
</em></div>
<div><em><br>
</em></div>
<div><em>Distinguish:</em> The CAL is most similar to the
AGPL, and will have a similar scope of action in most
cases. However, the CAL has provisions that require that
operators provide recipients of the software with a copy
of their user data, enhancing their ability to
independently use the software. The CAL also allows the
creation of mixed "Larger Works," provides for affiliate
use, and does not specify a mechanism by which notice is
given to recipients.<br>
</div>
<div><br>
</div>
<div><i>Legal Analysis</i>: The CAL was drafted by legal
counsel. Previous discussions have outlined many aspects
of the legal analysis.</div>
<div><br>
</div>
<div>A copy the the license in Markdown format is attached.
For those who would prefer it, a Google Docs version of
the license is viewable here: <a
href="https://docs.google.com/document/d/1-eD9EH6i3wdSXgG4XJbF-a0cSSknOERjYzlVonOwAQ0/edit?usp=sharing"
moz-do-not-send="true">https://docs.google.com/document/d/1-eD9EH6i3wdSXgG4XJbF-a0cSSknOERjYzlVonOwAQ0/edit?usp=sharing</a>
<br>
</div>
</div>
<div><br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
License-review mailing list
<a class="moz-txt-link-abbreviated" href="mailto:License-review@lists.opensource.org" moz-do-not-send="true">License-review@lists.opensource.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org" moz-do-not-send="true">http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org</a>
</pre>
</blockquote>
<br>
</blockquote>
<br>
</body>
</html>