- Case Number: a20100207.2
- Status: closed
Claimants: Martijn V, Nikolas P, DominikGeorge
- Respondents: CAcert
Case Manager: AlexanderPrinsier
Arbitrator: UlrichSchroeter
- Date of arbitration start: 2010-02-25
- Date of ruling: 2010-08-18
- Case closed: 2010-08-22
- Complaint: removal of name part not shown in ID doc
- Relief: removal of title in suffix
Before: Arbitrator UlrichSchroeter (A), Respondent: CAcert (R), Claimant: Martijn V (C) Nikolas P (C2) DominikGeorge (C3), Case: a20100207.2
History Log
2010-02-08 (UlrichSchroeter): added to wiki, request for CM / A
- 2010-02-08 (A): I'll take care about this case
- 2010-02-08 (C): accepted CCA / DRP under this arbitration in his dispute filing
- 2010-02-25 (A): init mailing sent to (C) (acceptance of CCA / DRP still exists)
- 2010-02-25 (CM): I'll take care about this case
- 2010-02-25 (A): forwarding all mails to (CM)
- 2010-02-25 (A): request from Support: a) Name splitted in field b) list of Assurances rcvd from (C)
- 2010-02-25 (A): rcvd requested infos from (Support)
- 2010-06-10 (CM): ask A to continue with case
2010-06-25 (A): merged case a20100209.2 to this case, as both cases are disputes about the same issue, about the same account
log from case a20100209.2
- 2010-02-09 (issus.c.o) case [s20100209.82] (Martijn)
2010-02-09 (UlrichSchroeter): added to wiki, request for CM / A
- 2010-02-09 (C): accepts CCA / DRP under this arbitration in his initial dispute filing
- 2010-02-13 (issue.c.o) case [s20100213.110] (Nikolas P)
2010-02-14 (UlrichSchroeter): added 2nd dispute to this case
- 2010-02-14 (C) [s20100213.108] Do I need to do anything to get this dispute resolved? As far as I'm aware there has been no activity?
2010-02-14 (UlrichSchroeter): answer mail to (C), (C2), cacert-disputes list
- 2010-05-28 (issus.c.o) case [s20100528.221] Dominik George as (C3)
2010-06-07 (Support): Any progress in case Arbitrations/a20100209.2 ? The user is presumably still waiting for an answer.
2010-06-07 (UlrichSchroeter): answer mail to (C), (C2), cacert-disputes list, Support, DRO: no changes in answer since mail dated 2010-02-14
- 2010-06-08 (C): followup
Re: Arbitration case a20100209.2 - [s20100208.88] [s20100213.108] Dispute due to difference in the name on the CAP form and the system Hi all, Thanks for the reminder on this. While I appreciate this is all run by volunteers... If this is the average response time for an arbitration case, even one as simple as this, CACert is quickly becoming obsolete. I'm effectively being prevented from using my certificate & my right to be assured and to assure others by a fault in the CACert.org system & rules. I was assured at FOSDEM 2010 by most people and it was there that this problem in the CACert rules & online system came to light. Please don't take this the wrong way, but if a simple arbitration like this can't be settled in a year... then CACert is totally useless for me. If this relatively simple arbitration request has not been solved before FOSDEM 2011, I will have to conclude that CACert is a nice idea... but nothing more than that. At that time (march 1st, 2011), you can drop this arbitration request as I will be removing my keys and account at that time. Yours sincerely, Martijn
2010-06-15 (UlrichSchroeter): added [s20100528.221] Dominik George as (C3) to this case
EOT log from case a20100209.2
- 2010-06-24 (A): request name infos from Assurers (AS1), (AS2), (AS3)
- 2010-06-25 (A): request name infos from Assurers (AS4), (AS5), (AS6), (AS7), (AS8)
Assurer
Assurers Name
Suffix on CAP?
Change Req acceptable?
AS1
Hendrik L
{-}
{+}
AS2
Marco C
{-}
{+}
AS3
Bert P
{-}
{+}
AS4
Jos G
{-}
{+}
AS5
Bart E
{-}
{+}
AS6
Hans W
AS7
Martin S
AS8
Petrus H
{-}
{+}
- 2010-06-25 (AS3): name states on CAP w/o suffix
- 2010-06-25 (AS2): name states on CAP w/o suffix
- 2010-06-25 (AS5): name states on CAP w/o suffix
- 2010-06-27 (AS1): name states on CAP w/o suffix
- 2010-06-29 (AS1): question(s) regarding infos request from (A) to (AS1) dated 2010-06-24
- 2010-06-29 (A): answering (AS1) questions
- 2010-07-08 (A): send reminders to (AS4), (AS6), (AS7), (AS8)
- 2010-07-08 (AS4): I am currently on vacation until 9 Jul. I'll respond to your email when i am back.
- 2010-07-14 (AS8): I am currently on holiday. Will do so as soon as i'm home. Agree?
- 2010-07-15 (A): agreed to delayed answer of (AS8)
- 2010-07-28 (A): irc chat with (AS1): asking current max points
- 2010-07-28 (A): send reminders to (AS4), (AS6), (AS8)
- 2010-08-04 (AS8): name states on CAP w/o suffix
- 2010-08-04 (A): send reminders to (AS4), (AS6)
- 2010-08-04 (AS4): name states on CAP w/o suffix
- 2010-08-10 (A): questions about client certs to (C)
- 2010-08-10 (C): response (see below)
Discovery
possible blocking factor (AS7) open cases blocking running arbitrations (arbitration case a20100207.2) relates to a20100307.1 (Account removal (Martin S) )
- there was no malfeasance of an type alleged or found
- the rules regarding names have been in flux and cannot be known in detail if someone enters his account into the online system
rules regarding names should be known to the assurers as PracticeOnNames includes a lot of samples
- 6 of 8 Assurers have verified the requested name in the account and that no suffix was written in any ID doxs
- all assurers have made less then 15 assurances except one, so can be named unexperienced assurers
- at least these assurances would bring the Account up above 50 points according to AP
- Certificates issued after 2009-11-08 (date when CPS became draft) that include the suffix have to be revoked.
- The certs problem on Name changes
The CPS comes to draft at Status: DRAFT p20091108
- If the user has created client certificates, with the not yet corrected name in the account, the certs are probably built up with the wrong suffix from online account.
CPS 3.1.1. Types of names - Client Certificates. The Subscriber Naming consists of:
- CN= The common name takes its value from one of:
- For individual Members, a Name of the Subscriber, as Assured under AP.
- CN= The common name takes its value from one of:
- The certs problem on Name changes
case a20090618.12 precedents ruling does not fit to this case
- (C)'s response email dated 2010-08-10
> Q1: do you have created client certificates **after** the 8th November 2009 ? 1. Yes. > Q2: Do you have included the suffix part from the online account into the name part of the client certificate ? 2. I believe so. I'd have to check at home though, I do not use the client certificate on this machine. However, since this only concerns client certificates (as far as I know at least) and I only use the client certificate to login to cacert.org and another locally installed system, I have no problem with revoking the current client certificate and creating a new one without the BSc suffix. Wouldn't that be faster/acceptable? Besides the above, I have a *request* for the ruling of this case... I'd like the ruling to include a decision to change both the "My Details" screen as well as the "New Client Certificate" screen on the CACert.org website to include a clearly visible notice that the suffix should only be used when present on your official ID. This should prevent similar arbitration cases from appearing in the future.
- Current (2010-08-10) Website Join Form: lists the following 4 fields:
- Name Fields listed in the Join Form
- First Name:
- Middle Name(s) (optional)
- Last Name:
- Suffix (optional)
- below the suffix field a remark is added: Please only write "Name Suffixes" into this field.
"Name Suffixes" is a link to the wiki page: http://en.wikipedia.org/wiki/Suffix_%28name%29 that lists under the subject:
- "Academic: ... These include the bachelor's degree (A.B, B.A., B.F.A., B.Sc., etc.)"
- No addtl. note, to add only name parts that can be read in an ID doc
- The header of the form contains only notes about how to create your password
A bonafide member, not fully aware of the current practice about names, who read CCA, but did not read AP and PracticeOnNames, cannot know about the practice to only enter names that can be read in an ID doc into these fields
- The check is outsourced to the Assurers
- Corrections on Names can be made until there are no points issued to the account
- Name Fields listed in the Join Form
Ruling
The minor name change request to remove the suffix, that cannot be verified by at least one ID doc has been confirmed by 6 unexperienced Assurers and Support should execute this as requested (removal of the suffix in the name) to be AP 2.1 conform (A General Rule: don't assure names or name parts you cannot find in at least ID doc)
- Client Certificates, that are issued by (C) after 2009-11-08 and that includes the suffix should be revoked
- The Assurance in the Face-2-Face meeting wasn't a problem. All 6 Assurers states the main name part to be in the ID docs
- But all 6 Assurers didn't take care about the addtl. Suffix in the Online Account, that doesn't match to the presented ID docs and CAP forms and that cannot be confirmed in the Online Account
- The Assurers should get an advise on "Assurer Name Errors" and to advice to attend to the next ATE in their area
- There are subsequent Arbitration cases with Suffixes in Online Accounts that cannot be confirmed in at least one ID doc / CAP form
- This problem araises, as the online Join form doesn't guide a bonafide member, to only add names into the fields, that can be verified by at least one ID doc
- The outsourced check to the Assurers often fails by unexperienced Assurers
- The problem has been iddentified by experienced Assurers and filed into Disputes
- So a solution has to be twofolded
- Training of Assurers
- In the Assurer Training Events (ATEs) starting 2009 Assurers gets trained with a simple Rule, this should be continued:
- "don't assure names or name parts you cannot find in at least one ID doc"
- From psychological viewpoint, Not is impossible to remember, so transitioned to:
- "Assure only those names and name parts (incl. suffixes) you can read in at least one ID doc"
There is no simple rule (exepts AP 2.1) written, what not has to be accepted by an Assurer, but with all the exceptions written in AH this simple rule fades out of mind
So Assurance Officer should rethink to add this simple rule and rephrase the simple rule to every chapter that handles name rules and exceptions into Assurance Handbook and PracticeOnNames or by adding a "simplification" section with simple rules, that can be easily remembered and easily followed
- In the Assurer Training Events (ATEs) starting 2009 Assurers gets trained with a simple Rule, this should be continued:
- Guidance in the online Join Form
- To prevent such problems with Suffixes in the future, Software Developers should update the online Join Form to reflect this simple rule:
- Possible variations can be:
- Add a header section like Password guidance onto the Online Form to guide the bonafide members in filling the several name parts into the form fields and to prevent suffixes that cannot be read in at least ID doc to be entered into the form
- Sample: Entering names: Only add names and name parts (also suffixes) that can be read in at least one ID doc
- Expand the description text below the Suffix field to
- Sample: Suffix (optional) / Please only write Name Suffixes into this field that can be verified by at least one ID doc
- Add a header section like Password guidance onto the Online Form to guide the bonafide members in filling the several name parts into the form fields and to prevent suffixes that cannot be read in at least ID doc to be entered into the form
- Possible variations can be:
- To prevent such problems with Suffixes in the future, Software Developers should update the online Join Form to reflect this simple rule:
- Training of Assurers
- Removal of Assurances by not answering the Arbitrators request
- As this is a minor name change dispute filing, the time to wait for an answer can be limited, so not all Assurers needs to answer
- So no further actions should happen over the Assurer(s) who didn't answered yet, except sending an Assurers advice
One Assurer, who requested a "delete my account" (a20100307.1) that dispute filing is currently an open case (I assume, that he will not answer the request until his own Arbitration case will be handled), needs reviewed within this "delete account request" arbitration case. On request for the CAP forms, the Arbitrator of this case should check, if he got the CAP form to this Assurance. If he didn't received the CAP forms from the Assurer in question, he should order, that the Assurance over (C) in this arbitration case has to be revoked.
A note should be added to the Arbitration case a20100307.1: to review the CAP forms if received relating to Arbitration case a20100207.2 or revoke the Assurance over (C) of case a20100207.2 if CAP forms aren't received from Assurer in question.
- This case can be used as precedent for further cases.
- for faster arbitration ruling, (C) can assist this process by searching for 2 experienced Assurers who can confirm the name change request thru two seperate additional Assurances
- (C) should note the primary email adresses of the Assurers, to name them in the dispute filing or
- One of the Assurers should note the primary email adress of the 2nd Assurer and should give a note to the Arbitrator that these assurances are subject to dispute filing with suffix removal request by the Assuree and the 2 Assurers
- for faster arbitration ruling, (C) can assist this process by searching for 2 experienced Assurers who can confirm the name change request thru two seperate additional Assurances
Frankfurt/Main, August 18th, 2010
Execution
- 2010-08-18 (A): sent ruling to (C), (C2), (C3), Support, Education and Arbitration mailing lists, AO, (CM)
- 2010-08-18 (A): [1] sent arbitration exec request to Support, (CM) to remove the Suffix in the account of (C)
2010-08-18 (A): [5] sending Assurer Advice about Name Errors to (AS1), (AS2), (AS3), (AS4), (AS5), (AS6), (AS8)
2010-08-18 (A): [6b] added bug#846 "Better guidance of bonafide members in Join Form about Suffixes they doesn't have in their ID doxs (a20100207.2)"
- 2010-08-18 (A): [6b] sent new bug #846 info to devel mailing list
2010-08-19 (A): note from (A) to (A) of case a20100307.1 about relation to case a20100207.2 added to the Arbitration case file of a20100307.1 and request to contact me for further infos
2010-08-19 (AO): started with review and modifications on Assurance Handbook
- 2010-08-19 (C): questions regarding ruling points #2 and #8
- 2010-08-19 (C): notification to (A) that client certs are now revoked
- 2010-08-19 (A): answered (C)'s questions
- 2010-08-20 (AO): finished modifications on AH (rev 126, 20.08.2010 15:11:10)
- 2010-08-22 (Support): [s20100818.57] request executed, Suffix is removed
- 2010-08-22 (A): notification to (C), (C2), (C3) about Support exec report and suffix is removed now.
- 2010-08-22 (A): sent close case notification to (C), (C2), (C3)
Similiar Cases
Post Arbitration Note
- 2011-02-07 (AS6): late response to (A)'s request dated 2010-06-25. Suffix not on CAP form, in compliance to req from (C)