Personal tools

SSL certificate key disclosure

From GPLv3 Wiki

Party A designs a web application which is primarily designed to run the site, but has some features which could be of more general interest. It is based on a more general web-application framework developed and released by Party B.

In order to get the site working, Party A generated a public/private key pair, and sent the public key to Certificate Authority C, along with proof of identity and payment details, and received a signed certificate for corresponding to the key pair.

Party A is aware that (s)he does not have to distribute the the web application source, because (s)he does not distribute the object code. However, as a symbol of gratitude to the community in return for the web-application framework, Party A decides to distribute binaries and the source to the modified web-application framework. However, Party A chooses not to distribute the private key corresponding to the certificate, because it could allow an adversary D, who receives the private key from party 's source download, to perform a man-in-the-middle attack against Party A's customers.

Before distributing the binaries, Party A asks Lawyer E for legal advice. Lawyer E tells Party A that (s)he needs to distribute the complete corresponding source code, which includes the private key:

Complete Corresponding Source Code also includes any encryption or authorization codes necessary to install and/or execute the source code of the work, perhaps modified by you, in the recommended or principal context of use, such that its functioning in all circumstances is identical to that of the work, except as altered by your modifications.

Lawyer E argues that the the principal context of use is running, and without the private key for certificate, users will get a security warning from their Internet browser, unlike on the original work.

Obviously, this is not the intent of the license, but is a potential consequence.

Wouldn't users get the security warning anyway ? the certificate is inteded only for the original site, and is of no use for anyone else. Furthermore the certificate is not needed to install nor to execute the site and the warning would disapear if the site provided a valid certificate, which can be obtained at no cost.