* Case Number: a20110310.1
  * Status: running
  * Claimants: [[Mario Lipinski]] (for CAcert Inc.)
  * Respondents: UlrichSchroeter (as Arbitrator of case [[Arbitrations/a20100212.2|a20100212.2]])
  * Initial Case Manager: UlrichSchroeter
  * Initial Case Manager 2: AlexRobertson
  * Case Manager: PhilippDunkel (supervising arbitrator)
  * Arbitrator: AlexRobertson (in training / under supervision)
  * Date of arbitration start: 2012-10-28
  * Date of ruling: 2013-03-03
  * Case closed: 2013-11-05  
  * Complaint: Appeal on case [[Arbitrations/a20100212.2|a20100212.2]]

  * Relief: TBD

Before: Arbitrator AlexRobertson (A), Respondent: UlrichSchroeter (R), Claimant: [[Mario Lipinski]] (C), Claimant: CAcert Inc. (C2), Case: a20110310.1


== History Log ==
 . 2011-03-10 (issue.c.o) case [s20110310.77]
 . 2011-03-12 (iCM): added to wiki, request for CM / A
 . 2012-10-25 (iCM2): Note from (C) added
 . 2012-10-28 (A) AlexRobertson takes case as (A) appoints PhilippDunkel as (CM)
 . 2012-11-01 (A) Emails from Werner Dworak and Ian Grigg added
 . 2012-11-01 (A) Part of email from (R) added
 . 2012-11-01 (A) Email from Ian Grigg and (R) added
 . 2012-11-01 (A) Intermediate Ruling 1,2,3
 . 2012-11-01 (A) Execution 3 added
 . 2012-11-02 (A) Objection to IR3 from (R), Response to objection from (A)
 . 2012-11-02 (A) Observations regarding IR3 from Ian Grigg, Response to observations from (A)
 . 2012-11-03 (A) More Observations regarding IR3 from Ian Grigg, Response to observations from (A)
 . 2012-11-06 (A) Email from (R), Response to objection from (A)
 . 2012-11-07 (A) Email from Ian Grigg, Response from (A)
 . 2012-11-10 (A) Email from Werner Dworak
 . 2012-11-10 (A) Email from Ian Grigg, Observation from (A)
 . 2012-11-12 (A) Email from Ian Grigg to cacert-board list (filed as Discovery 4A)
 . 2012-11-12 (A) Intermediate Ruling 4
 . 2013-03-03 (A) Final Ruling

== Original Dispute, Discovery (Private Part) ==

 * Link to Arbitration case [[Arbitrations/priv/a20110310.1|a20110310.1 (Private Part)]]

<<Include(Arbitrations/priv/a20110310.1)>>  

==== EOT Private Part ====

== Discovery 1 ==
 . (A) 2012-11-01 From Werner Dworak (CACert Board Member)(email RE: Arbitration case a20110310.1 - Appeal on case a20100212.2 dated 2012-10-29 06:01) 
 {{{
Hello Alex Robertson,

> This was an appeal filed by Mario on behalf of CACert Inc regards
> R/L/O of deceased members per board motion 
> https://community.cacert.org/board/motions.php?motion=m20101212.2

Then we should reconsider the working practice of arbitration. On the
one side, private information of involved persons should be protected,
no doubt. On the other side, everything that is not really private,
should be in the public part of an arbitration, so everyone can see what
it is about and what is going on.

At present, way too much is concealed in the private part, so you see
nearly no relevant information. This not only applies to the general
public but as well to concerned people that should know more.

Alternatively, Board, Support and other parties with a justified concern
should have partial or full access to the private part of an arbitration.

Kind regards, Werner
CAcert Board Member and Support
}}}
== Intermediate Ruling 1 (confirmed by Supervising-Arbitrator) ==
 . (A) 2012-11-01
 . There are no privacy issues apparent in this appeal although there are some in the original case. In accordance with the principle that CACert operates openly, I am moving the elements of this case previously in the private area into the public area. 

== Original Dispute ==
 {{{
---- Forwarded message from Mario Lipinski <mario@cacert.org> ---

From: Mario Lipinski <mario@cacert.org>
To: support@cacert.org
Cc: cacert-board-private@lists.cacert.org
Subject: Appeal on case a20100212.2
Date: 2011-03-10 20:50:57

> Dear Support,
>
> we, CAcert Inc., hereby file a Dispute against the ruling of arbitration
> case a20100212.2 [1] as decided by [2].
>
> CAcert Inc. is convinved, that taking over all R/L/O of a member is
> inappropriate as it might e.g. not be involved in contracts between the
> deceases member and other community members and has no influence on
> this. Probably most of the R/L/O can be voided.
>
> However, CAcert Inc. accepts that this special case might introduce new
> R/L/O at its disadvantage. This is a risk CAcert Inc. has to carry for
> operating a CA, but whether this requires it to be help liable for this
> should be decided on a case by case basis.
>
> A wildcard delegation of R/L/O might introduce R/L/O for CAcert Inc.
> which are out of its control and so inappropriate.
>
> Another issue is that CAcert Inc. was not represented in the dispute.
>
> As the appeal will have to be handled by the board this introduces a
> COI. To maintain the spirit of independence and transparancy of CAcerts
> arbitration system, CAcert Inc. directs its powers resulting from § 3.4
> DRP for case a20100212.2 to the arbitrator re-opening the case [3].
>
> CAcert Inc. accepts to be bound to the DRP and CCA for this case.
>
> [1] http://wiki.cacert.org/Arbitrations/a20100212.2
> [2] https://community.cacert.org/board/motions.php?motion=m20101212.2
> [3] https://community.cacert.org/board/motions.php?motion=m20101212.1
>
> --
> Mit freundlichen Grüßen / Best regards
>
> Mario Lipinski
> Board member,                       E-Mail: mario@cacert.org
> Arbitrator/Case manager,            Internet: http://www.cacert.org
> Organisation Assurer (Germany),
> Infrastructure team leader, Wiki/Issue admin
> CAcert
>
> Support CAcert: http://www.cacert.org/index.php?id=13
>                 http://wiki.cacert.org/wiki/HelpingCAcert
>
>
>
---- End forwarded message ---

No further infos from within OTRS
}}}

== Discovery 2 ==
 . (iCM2) 2012-10-25 - Following received from Mario (C) - Real claimant should probably be secretary@cacert.org as the case was raised on behalf of CAcert inc.
 {{{
--
Kind Regards
Alex Robertson
Case Manager
---- Forwarded message from Mario Lipinski <mario@cacert.org> ---

From: Mario Lipinski <mario@cacert.org>
To: support@cacert.org
Subject: Regarding a20110310.1
Date: 2012-07-02 03:00:35

> Hello,
> 
> regarding a20110310.1: please remove myself as claiment. I am no 
> longer a representative.
> 
> --
> Mit freundlichen Grüßen / Best regards
> 
> Mario Lipinski
> Infrastructure Team Leader,         E-Mail: mario@cacert.org
> Organisation Assurer (Germany),     Internet: http://www.cacert.org
> Arbitrator / Case Manager
> CAcert
> 
> Support CAcert: http://www.cacert.org/index.php?id=13
>                 http://wiki.cacert.org/wiki/HelpingCAcert
> 
> 
> 
---- End forwarded message ---
}}}

== Intermediate Ruling 2 (confirmed by Supervising-Arbitrator) ==
 . (A) 2012-11-01
 . Mario should never have been named as claimant in this case - at all times it has been clearly filed as "on behalf of CAcert Inc." which organisation is both a legal entity and a member of the CAcert community in its own right and therefore entitled to present this appeal. I therefore release Mario from the role of Claimant (C) and formally join CACert Inc. to the case as claimant and (C2). I invite CACert Inc. to formally nominate a representative, but until such time as a representative is appointed, I will send all communications to board-private-list@

== Discovery 3 ==

 . (A) 2012-11-01 Received from Ian Grigg (Board member CAcert Inc.)
 {{{
As per my post of the other day, I think appeals are no longer business of the board.  Does this address the issue or am I off-track?

New text with Philipp's proposal incorporated and policy decision as below.

https://wiki.cacert.org/PolicyDecisions#p20110108
https://svn.cacert.org/CAcert/Policies/DisputeResolutionPolicy.html#s3.4


3.4 Review for Appeal 
In the event of clear injustices, egregious behaviour or unconscionable Rulings, a review may be requested by filing a dispute. The new Arbitrator reviews the new dispute, re-examines and reviews the entire case, then rules on whether the case may be re-opened or not. 
If the Review Arbitrator rules the case be re-opened, then the Review Arbitrator refers the case to an Appeal Panel of 3. The Appeal Panel is led by a Senior Arbitrator, and is formed according to procedures established by the DRO from time to time. The Appeal Panel hears the case and delivers a final and binding Ruling.
}}}
 . 2012-11-01 From (R) - part of an email "RE: Arbitration case a20110310.1  init mailing" dated 2012-10-31 15:45
 {{{
>> As the appeal will have to be handled by the board this introduces a
>> COI. To maintain the spirit of independence and transparancy of CAcerts
>> arbitration system, CAcert Inc. directs its powers resulting from § 3.4
>> DRP for case a20100212.2 to the arbitrator re-opening the case [3].

The appeal procedure has been updated in policy voted by policy group
https://wiki.cacert.org/PolicyDecisions#p20110108
DRP #3.4 Appeal handled by Arbitrators
and is no longer an issue.
So current DRP #3.4 supersedes last directs of power given
in above order in dispute filing of the appeal.
}}}
 . (A) 2012-11-01 part of email from Ian Grigg (CACert Inc. Board member)(dated 2012-11-01 01:13) 
 {{{
Let's check out PoP which rules over this issue...
4. DRAFT status 
4.1 On completion, a document moves to DRAFT status. 
4.2 A DRAFT is a policy-in-effect for the Community and is to be distributed and treated as such. 
4.3 As far as the Community is concerned, the DRAFT is policy. Challenges and concerns can be addressed to the policy group, and policy group discussions on a DRAFT may be presented in Dispute Resolution. 
4.4 Revisions of DRAFTs must be treated as decisions on the policy group.
...

So, the change to appeal method meets 4.4. in that it was a decision of the policy group.  However, all of 4 applies to the whole document, not to any individual decisions.  See 4.1.

Therefore, I think you are right (and I was wrong) ... decisions within the draft process are not sufficient to meet the intent of clause 4.3, that will only be triggered for an entire document going to DRAFT.

FWIW, we also saw this happen with the Security Policy.

So, why haven't the changes in DRP been finished off?  And the document gone to DRAFT?  I think it was mostly because I didn't have time to pursue it.  That task is open and desperate for some TLC if anyone can help.
}}}

 . (A) 2012-11-01 email from (R) dated 2012-11-01 02:16
 {{{
Hi,

mhh,


> Let's check out PoP which rules over this issue...


> 4. DRAFT status
> 4.1 On completion, a document moves to DRAFT status.
> 4.2 A DRAFT is a policy-in-effect for the Community and is to be
distributed and treated as such.
> 4.3 As far as the Community is concerned, the DRAFT is policy.
Challenges and concerns can be addressed
>     to the policy group, and policy group discussions on a DRAFT may be
presented in Dispute Resolution.
> 4.4 Revisions of DRAFTs must be treated as decisions on the policy
group.
> ...


state of DRP  =>  POLICY m20070919.3
https://www.cacert.org/policy/DisputeResolutionPolicy.php

so  https://www.cacert.org/policy/PolicyOnPolicy.php
5. POLICY status
comes in ...
ok, in special section 5.2 and 5.3

 5.2 Once POLICY, the Community may only challenge the document in Dispute
Resolution.

5.3 Policy group may propose changes to a POLICY document in order to
update it. When changes move to DRAFT status, they may be included in the
POLICY document, but must be clearly indicated within as DRAFT not POLICY.



so the next step was
https://wiki.cacert.org/PolicyDecisions#p20110108   => Resolved


so DRP 3.4 changes are incorporated in DRP as Draft
the only problem, no one takes care about to edit the document

in another later policy group vote on CPS change
https://wiki.cacert.org/PolicyDecisions#p20111113
"CPS #7.1.2 "Certificate Extensions" adjustments"
=> Resolved
have been updated in
https://www.cacert.org/policy/CertificationPracticeStatement.php
under bug #540
https://bugs.cacert.org/view.php?id=540
by Software-Assessment team upgrade procedure
into the policy repository in the critical system.

source for the policy group proposal
https://wiki.cacert.org/PolicyDrafts/CPSKeyUsageChanges
changes incorporated:
https://www.cacert.org/policy/CertificationPracticeStatement.php#p7.1


So, why changes that have been voted in by policy group 10 months
later have been incorporated into the documents and now are in effect
overwrites a clear vote by policy group not yet incorporated
into any official document 'caused by mess of an functional
update procedure for any policy document that resides
under www.cacert.org/policy  in the critical system ?!?

No one did take care, to pass the policy group vote into
the DRP document, but the decision made passed policy group
vote 22 months ago
see https://wiki.cacert.org/PolicyDecisions

Policy Officer shall take care about appropiate
document updates, but PO is currently vacant, so
references back to Board
but did know Board that his duty is to take care
about Policy document updates ?!?!?
probably not ....

so this opens up several questions:

1. why no one did update the document yet ?
2. how can policy in effect varies for one
   document counts where the other documents
   policy group vote doesn't count ?


Same problem I've had with the OAP document
under arbitration case
https://wiki.cacert.org/Arbitrations/a20120121.1
where changes voted in by Policy Group had not been
updated in the "official" directory
probably its to difficult to correct the policy
documents appropiate in the critical system

If nobody sends a request to the Critical team
to edit the document on the console or
if nobody files a new bug# to get the documents
updated, the update process of policy documents
stalls.

Back in - was it 2010 ?!? we had a project
"policy directory migration" within the Software-Assessment project team
to move the "official" policy document directory out of the
"critical area" to a place, where PO can easier update
documents w/o any critical system updates.
but the project did not move forward ....

Despite the fact we have policies in effect, the practice
has shown, that policy updates didn't work as expected.
Especialy changes aren't updated properly.

From all the policy decisions Policy Group made
since about 2008/2009 only 1 or 2 changes have been
incorporated once the main document resides under
www.cacert.org
once located in the SVN
https://svn.cacert.org/CAcert/Policies/
the documents have been updated ....
'cause its simple to update the documents
in the SVN, but its to complicate, to get
changes passed into the directory
under the critical system ....



> iang


--
mit freundlichen Gruessen / best regards
Ulrich Schroeter - CAcert Assurance Team Leader, CAcert Case Manager,
CAcert Arbitrator

CAcert.org - Free Certificates
E-Mail: ulrich@cacert.org
}}}
 

== Intermediate Ruling 3 (altered and confirmed by Supervising Arbitrator) ==
 . (A) 2012-11-01
 . There are some serious problems with the issue of "which version" of the DRP here. The changes to policy above were occasioned by this case, but, as far as I can determine, the only places that this update has actually been implemented are in the in the board and policy committee minutes and the SVN repository and, nearly two years later, the changes have still not been carried through into the "official" master policy document at [[http://www.cacert.org/policy/DisputeResolutionPolicy.php]] - which is also the document referenced in the CCA. 

 . The svn repository clearly states that:
 {{{
WARNING:
 The proper policy document is located
 on the CAcert website .
 This document is a work-in-progress to include future revisions only,
 and is currently only relevant for the [policy] group.}}}
 . and links back to the document referenced above. 

 . Why this has happened is a matter outside the immediate scope of this appeal but needs urgent addressing by the relevant groups. Certainly the changes to DRP should by now have been included in the master document flagged as Draft and I intend to raise this as a separate dispute. 

--( . Since this appeal (like any dispute) ultimately depends on the CCA, and the commitment members of the community take on under the terms of that agreement, I am, without the intention of setting any precedent, going to to treat this appeal as being under the effects of the version of the DRP as referenced in the CCA and as being at [[http://www.cacert.org/policy/DisputeResolutionPolicy.php]] (the alleged official master copy!) as at the date of this appeal starting into arbitration (2012-10-28) )--

--( . and as modified by the board in the Original Dispute. )--

--( . I believe that this approach is actually to the benefit of all concerned in that it avoids the need to find three arbitrators not previously involved with the case ''(Do we have that many active arbitrators?)'' but since it means that I can potentially render a "final and binding ruling" on this case, I require that any objections by any party to this intermediate ruling be filed with myself as arbitrator by 22:00 UTC 2012-11-15.
)--

. Should this appeal go forward the decision on which version to use will have to be decided, yet since the appeals process is identical up to the point where a case is actually reopened this decision can be deferred until that decision is reached. (added by Supervising Arbitrator)

== Execution 3 ==

 . (A) 2012-11-01 (A)
 . I have raised the separate arbitration case [[https://wiki.cacert.org/Arbitrations/a20121101.1|a20121101.1]] (Discrepancies between policy group agreed drafts and published documents) as per Intermediate Ruling 3.

== Discovery 4 ==
 . 2012-11-02 (A) Formal objection from (R) (2012-11-02 00:17)
 {{{
I hereby officialy object to the intermediate ruling #3 given
as it completely ignores the role of
the status of https://wiki.cacert.org/PolicyDecisions
list that has been implemented back in 2010
to track current state of policies.

"According to Policy on Policy, Policy Group can make decisions
concerning policies. This list tracks formal (voted) decisions
made in most-recent-first order. See also Policy and DecisionNumbers."

This "policydecisions" page can be seen as the "practicle" answer
to the problem, that policy changes did not get updated
and implemented into the "official" documents in a timely
fashion manner

Samples:
Subpolicies that have been voted by policy group to state DRAFT

p20100119 PoJAM to DRAFT
https://wiki.cacert.org/PolicyDecisions#p20100119
that is DRAFT and binding
https://blog.cacert.org/2010/02/457.html
"PoJAM - PolicyOnJuniorAssurersMembers moves to DRAFT"

p20100913 TTP Assisted Assurance Subpolicy
https://wiki.cacert.org/PolicyDecisions#p20100913
that is DRAFT and binding
https://blog.cacert.org/2010/09/487.html
"New TTP-Assisted-Assurance to Draft - one more milestone in Policy!"

p20100710 License root under Root Distribution License
https://wiki.cacert.org/PolicyDecisions#p20100710
that is DRAFT and binding and replaces previous NDPDaL
Non-related Parties - Disclaimer and Licence 
https://blog.cacert.org/2010/07/478.html
root certificates under free license, RDL

There is one with the latter document,
that CCA still lists NRPDaL instead of RDL
that is caused by Policy Group work back in 2010
not to only replace NRPDaL with RDL in the CCA
p20101009 Changes to CCA for RDL
https://wiki.cacert.org/PolicyDecisions#p20101009
but to update CCA with addtl. changes.
RootDistributionLicense.php replaced the NRPDaL
document in the critical system directory, but
the reference in CCA had not been updated yet
as it was expected to get further changes of
CCA passed so also the RDL change
(read policy group discussion around
July 2010)
 
So the most valuable document we have currently
is the https://wiki.cacert.org/PolicyDecisions
wiki page, that tracks all the "current" state
of any policy document.


-- 
mit freundlichen Gruessen / best regards
Ulrich Schroeter - CAcert Assurance Team Leader, CAcert Case Manager,
CAcert Arbitrator
}}}
 . 2012-11-02 (A) Response from (A) (2012-11-02 08:02)
 {{{
I note the objection.

However I also note that all the sample decisions you use were also
disseminated to the membership at large via the blog as well as the decision
page in the Wiki.

This does NOT appear to have been the case with the DRP 3.4 change.

There is no linkage that I can find between CCA and the Wiki Policy
Decisions page and even the Policy on Policies fails to reference it
directly as a formal repository of changes.

I note that authority of the Arbitration system derives from the CCA and it
is this document that represents the "Contractual Agreement" under which
disputes are resolved. This document specifically references the DRP as
discussed in Interim Ruling 3. The CCA (and the linked documents such as
DRP) do not mention anywhere that they may be modified by decisions recorded
elsewhere. 

I draw the parallel of such as a Credit Card agreement, in which there is an
obligation on the card provider to notify the cardholder of a change of
contractual terms and conditions which is normally done by letter to the
cardholder (since it cannot be assumed that any individual will monitor the
provider for changes) as well as publication in appropriate media. 

The current situation with regard to CAcert publishing decisions that affect
the membership is poor; it is arguable that the blog represents "publishing"
the changes to the membership, but I am not convinced that the unreferenced
(sic) wiki page on policy decisions is sufficient on its own to "vary the
contract" between members and CAcert that is set up by the acceptance of
CCA.

It also highlights the issue that procedures (such as there may be) do not
appear to have been followed regarding this particular decision and it is
arguable that Policy Group have been seriously negligent in ensuring that
the master policy documents have been properly updated to reflect the
current status - particularly in view of the 22 months since the decision
was made.

I reserve making a final decision on this matter until 15th November to
allow other objections to be considered.

Alex Robertson 
CACert Arbitrator
}}}

 . 2012-11-02 (A) Observations from Ian Grigg (CACert Inc. Board Member) (2012-11-02 02:32)
 {{{
Hi Alex,
Hi Ulrich,

An interesting debate, one in which we need to tread carefully because of the issues involved.

We are now at a point where all three "heads of power" within CAcert are involved in a jurisdictional issue, so this is right at the very crux of our governance arrangement.

On 1/11/12 04:32 AM, Alex Robertson wrote:
> [snip]
>> So current DRP #3.4 supersedes last directs of power given in above 
>> order in dispute filing of the appeal.
> Which DRP - the current official DRP still has the old rules.
>
>   I know of the board ruling but the published and "official" DRP is 
> still at the old version.... and this is what people have agreed to!

I'm not sure there is support for the word "official".  The PoP rules in this area and goes to quite considerable extent to allow policies to be live and improving.  It understands that policy work is hard, and it takes a lot of effort to get the final document done.

Within PoP, any "official" monika is defined by the words POLICY and DRAFT, and not by the location of the documents.  Customarily we move the documents across to website but that is more to create a line of convenience, so it is simpler to read for newcomers.

In the alternate, if for example the website were to be seen as "official" or some other status, then this would become difficult. It is rather hard to get those documents put on there.  As it stands, this would then mean that the system administration teams and the software development teams would now have an effective veto on policy - because we can't get the documents on there without their say-so.  (Yes, we've been trying to get independence for some time, but all this requires work.  We basically need our own Apache setup or somesuch.)

OTOH, obviously this is a confusing area.  For this, Policy also leans heavily on Arbitration in that process - to make some judgement calls on whether the emerging changes agreed by the policy group reduce the rights of members in any particular case due to notification or acceptance issues.  So an Arbitrator is within rights to question the particular state of any policy.  Indeed, Arbitrators can interpret and even knock down Policies where they are found to have unfortunate consequences.

I suppose the ultimate test is if a particular ruling were to be tested in courts of another jurisdiction.  I guess that might be an issue for the present case.  So in that case, I would suspect a court would look at the options involved and ask whether the due process was reasonable, transparent, fair, etc (one would need to look at the Arbitration Act of each jurisdiction to find the list of tests).

Anyways, very interesting debate :)



> (NB the new version is in the svn repository but note well the heading 
> of https://svn.cacert.org/CAcert/Policies/DisputeResolutionPolicy.html 
> which clearly and explicitly states "WARNING: The proper policy 
> document is located on the CAcert website . This document is a 
> work-in-progress to include future revisions only, and is currently 
> only relevant for the [policy] group." and provides a link to 
> http://www.cacert.org/policy/DisputeResolutionPolicy.php for the 
> "proper policy document" which has NOT been updated. [See attached 
> image for current info from the link to the "proper document"]


Right, yes it says that.  That's more a warning for the WIP changes.  As it stands, that document does however include some completed DRAFT additions in dark blue.  So the top-warning is literally incorrect.  But I'd still leave it in place because we want cherry-picking limited to the Arbitrators not the parties ;-)

> I'm not convinced that the new version can apply until the "official"
> version of the policy is updated... (This should really have been done 
> long since and not hidden in the svn version as a "new colour"

Yes, it should have been.


> If it's handled under the "new" rules, it might be difficult to 
> finally resolve!

That is a separate issue - sure, but one of "implementation" not Policy.

I will note from a Policy perspective that this is what the combined voices of consensus from Arbitration, Policy Group and Board wanted - to reduce the Board's potential for CoIs in any case.  This has been unanimously agreed by all, I don't think anyone ever argued in recent times that the Board-as-Appeal was a good idea.

So if there is a finding that the Arbitration group can't mount an effective Appeal, I suspect the Policy Group will shrug :)  Your problem, guys!


> Option 1 -  I can rule that it be reopened in which case we will then 
> need to find three arbitrators not previously connected with either 
> the original case or the first stage of the appeal - which immediately 
> takes out you and AlexanderPrinsier, myself and Philipp and who is 
> left?? Ted? Is anyone else actually active?
> Option 2 - I rule it inadmissible to re-open which means that the 
> issues above won't get resolved.
>
> If the currently published rules apply, the waiver of DRP 3.4 applies 
> and it can (possibly!) be disposed of by myself.

I don't follow that.  If the old DRP 3.4 applies, review Arbitrator decides to re-open the case, in which case it is then referred to the Board.



iang

-----
}}}

 . 2012-11-02 (A) Response from (A) (2012-11-02 10:25)
 {{{
I ask the question "Would CACert exist without its members??"

Assuming that the answer is that CACert needs its members, we then need to determine how those members and the community interact - our answer is the CCA!

The CCA is the contract between members and the community at large and is effectively the "root" of all of CAcert's policies; for the contract to be "fair" all its terms and conditions should be readily available to the person entering into it and the current version needs to be accessible to existing contractees.

So how does the "man in the street" find and read CCA (and DRP etc) (in other words how does he find what he is agreeing to if he chooses to join)?

1) Starting at the front page of cacert.org there is a link to the CCA.
2) The CCA has a link to DRP (old version) (and some other policies) and a mention of PoP. (NB all these documents are flagged as either "policy" or "draft" so (according to your reasoning) they must be "official")
3) There is no mention in any of these documents of alternate places where the CCA/Policy changes are recorded.
4) These specific documents form the basis of the contact between a member and the community.
5) Variation of the contract originally entered into needs to be "properly notified" to the membership (it could be argued that the "blog" post does
this) and the relevant pages need to be updated as soon as possible after the change has been agreed. As an alternative to updating pages, a repository of changes (such as the existing wiki pages on agreed policy
changes) would need to be included within the basic agreement - ie the CCA - to cover both the CCA itself and linked documents such as DRP. 

I appreciate that implementing changes to "controlled documents" may be difficult , but this arbitrator (to quote IanG) "shrugs :) and says "Your problem, guys"!" 


[snip]
> have an effective veto on policy - because we can't get the documents 
> on
there
> without their say-so.  (Yes, we've been trying to get independence for
some
> time, but all this requires work.  We basically need our own Apache 
> setup
or
> some such.) [/snip]

There are many content and/or document management systems out there - both payware and freeware/open-source. Perhaps some of the Policy Group need to be looking at these....

[snip]
> I don't follow that.  If the old DRP 3.4 applies, review Arbitrator 
> decides to re- open the case, in which case it is then referred to the
Board.[/snip]

The Board specifically for this appeal directed its powers under DRP3.4 to "the arbitrator re-opening the case".



I reserve making a final decision on this matter until 15th November to allow other objections to be considered.

Alex Robertson
CACert Arbitrator
}}}
 . 2012-11-03 (A) Further observations from Ian Grigg (2012-11-03 04:39)
 {{{
Hi Alex, Hi Ulrich

More observations!

> On 2/11/12 21:27 PM, Alex Robertson wrote:
> I ask the question "Would CACert exist without its members??"

> Assuming that the answer is that CACert needs its members, we then need to
> determine how those members and the community interact - our answer is the
> CCA!

> The CCA is the contract between members and the community at large and is
> effectively the "root" of all of CAcert's policies; for the contract to be
> "fair" all its terms and conditions should be readily available to the
> person entering into it and the current version needs to be accessible to
> existing contractees.

Fairness is in the eye of the beholder, what we instead propose is not fairness which is a wishy-washy thing subject to capture by whoever can argue the most prettily, but:

       dispute resolution before our own Arbitrators.

and, as I'll outline below:

       member control and say and transparency over our own contracts.



> So how does the "man in the street" find and read CCA (and DRP etc) (in
> other words how does he find what he is agreeing to if he chooses to join)?

> 1) Starting at the front page of cacert.org there is a link to the CCA.

(User agrees to CCA on joining, on issuing cert, on Assurance, etc.)



> 2) The CCA has a link to DRP (old version) (and some other policies) and a
> mention of PoP. (NB all these documents are flagged as either "policy" or
> "draft" so (according to your reasoning) they must be "official")
> 3) There is no mention in any of these documents of alternate places where
> the CCA/Policy changes are recorded.
> 4) These specific documents form the basis of the contact between a member
> and the community.

OK so far...



> 5) Variation of the contract originally entered into needs to be "properly
> notified" to the membership (it could be argued that the "blog" post does
> this) and the relevant pages need to be updated as soon as possible after
> the change has been agreed. As an alternative to updating pages, a
> repository of changes (such as the existing wiki pages on agreed policy
> changes) would need to be included within the basic agreement - ie the CCA -
> to cover both the CCA itself and linked documents such as DRP. 

OK, so point 5 is a popular and classical claim in anglo common law.  It also happens to be a pain in the neck.  (For whatever reason.)  So the end result is a lot of legal changes being published and then ignored -- which leads to lots of gameplay.  Which really isn't fair :)

You started off by saying that the contract should be fair.  You've now proceeded to show that the classical contract isn't fair, because it requires the user to undertake compliance steps -- keeping up with notifications -- that no sane user does.  Saying that the user has to do things that we already know they won't do is a pretty poor definition of fair.

Instead CAcert takes a different approach.  Call us crazy, but this is what we do, in CCA#4.2:

     "This agreement and controlled documents above are primary,
     and may not be replaced or waived except by formal policy
     channels and by Arbitration."

We define how the documents can change (and we explicitly and deliberately don't say anything about websites or promulgation or notification).  Instead, we make our process of change "fair" or at least open and transparent:   The policy group can be joined by anyone, and it frequently is.  Anyone can propose a change, and they sometimes do.  We need strong agreement to make a change, see EggPol for comments on how strong.

The result is much better.  It's much stronger, it's proven itself.  Policy Group acts as the guardian of user interests in writing the changes.  To that end -- operating as the guardian of the user interests in policy -- policy group carves out a sort of half-way house in which *DRAFTs are binding on the community* but aren't fully finished.  And it then solves the grey area of what "fully finished" means or lacks by throwing the whole mess over to the Arbitrator.

In this case, you.  So, in this entire context, actually, you've done what was requested.  You've looked at it and demurred.  For whatever reasons.  The process of decision making -- going one way or the other -- is what we want.

We might disagree on the merits.  But even disagreeing on the reasons, that is simply more incentive to hurry up the changes so they go to POLICY.  So the system has its built in feedback (negative feedback for engineers, positive feedback for marketeers :) ).

> I appreciate that implementing changes to "controlled documents" may be
> difficult , but this arbitrator (to quote IanG) "shrugs :) and says "Your
> problem, guys"!" 

Right, so the call is made.  Policy group should finish the job.  OK.

(Note that I'm not looking at the merits of the decision, but at the meta-process.)

> [snip]
> I don't follow that.  If the old DRP 3.4 applies, review Arbitrator 
> decides to re- open the case, in which case it is then referred to the
> Board.[/snip]

> The Board specifically for this appeal directed its powers under DRP3.4 to
> "the arbitrator re-opening the case".

Hmmm... did it?  How can it do that?  The board can't or shouldn't go against policy (famous exceptions aside).  The board is just a party to the dispute, it can't rewrite policy.  Or, if it can, then anyone can :)

> I reserve making a final decision on this matter until 15th November to
> allow other objections to be considered.

Sure.  The other possibility is to talk directly to policy group.  That is - send an email to policy group outlining the issues, and ask for comment and/or action?

(We can't do that.  Reason being that it is not kosher to interfere with the process of the Arbitration.)

> Alex Robertson 
> CACert Arbitrator
}}} 

 . 2012-11-03 (A) Response from (A) (2012-11-03 16:41)
 {{{
Hi All.


>	OK, so point 5 is a popular and classical claim in anglo common law.  It also happens to be a pain in the      neck.  (For whatever reason.)  So the end result is a lot of legal changes being published and then ignored -- which leads to lots of gameplay.  Which really isn't fair :)

>	You started off by saying that the contract should be fair.  You've now proceeded to show that the classical contract isn't fair, because it requires
>	the user to undertake compliance steps -- keeping up with notifications -- that no sane user does.  Saying that the user has to do things that we
>	already know they won't do is a pretty poor definition of fair.

Agreed – which is why such as Credit Card companies spend huge amounts mailing all their users each time there is a change to their conditions. It essentially requires a “push” system rather than a “pull” one. Would they do this if they didn’t have to? So we need to be careful about this. I agree it’s a pain in the neck though.

>	Instead CAcert takes a different approach.  Call us crazy, but this is what we do, in CCA#4.2:

>	"This agreement and controlled documents above are primary,
>	and may not be replaced or waived except by formal policy
>	channels and by Arbitration."

Which is where I’m coming from – the documents are “primary”. They may be replaced by formal policy channels – which although agreed, has not been done – which leaves the “in place” documents as binding [NB nitpicking! Should probably read “except by formal policy channels OR by Arbitration."]

However as these are also “contractual documents”, I’m not convinced that the our existing system for publicising changes  made to the “primary documents” is actually robust enough to stand up in a court of law. This might warrant a revisit by Policy Committee at some point.

>	And it then solves the grey area of what "fully finished" means or lacks by throwing the whole mess over to the Arbitrator. In this case, you.  So, in
>	this entire context, actually, you've done what was requested.  You've looked at it and demurred.  For whatever
>	reasons.  The process of decision making -- going one way or the other -- is what we want.

OK – and that’s why I threw the issue open – it’s too important to get “wrong” – in either direction. My final decision on this matter will probably not please everybody whichever way I go

>	I appreciate that implementing changes to "controlled documents" may be
>	difficult , but this arbitrator (to quote IanG) "shrugs :) and says "Your
>	problem, guys"!" 

>	Right, so the call is made.  Policy group should finish the job.  OK.

Neither a call nor a ruling (yet!) but may become one in due course either here or as a result of the dispute I’ve raised separately about the issue. Perhaps “advice” is the best description at the moment.

>	(Note that I'm not looking at the merits of the decision, but at the meta-process.)

Understood.

>	The Board specifically for this appeal directed its powers under DRP3.4 to
>	"the arbitrator re-opening the case".

>	Hmmm... did it?  How can it do that?  The board can't or shouldn't go against policy (famous exceptions aside).  The board is just a party to the
>	dispute, it can't rewrite policy.  Or, if it can, then anyone can :)

The board has not rewritten policy as I see it – it has effectively appointed a sub-committee (“the arbitrator re-opening the case”) to act on its behalf in this case because of the conflict of interest here. The “old” DRP says that “the Board hears the case and delivers a final and binding ruling” but does not define how this should be done, so, as I see it, the Board may take any approach that it sees fit.

>	The other possibility is to talk directly to policy group.  That is - send an email to policy group outlining the issues, and ask for comment and/or
>	action?

>	(We can't do that.  Reason being that it is not kosher to interfere with the process of the Arbitration.)

Actually, Policy Group could raise an objection here – I used the words “any objections by any party” quite deliberately! 

Equally I could approach them if I believed they had anything material to offer, or if I wanted their advice or opinion as part of the process of Arbitration. However there is no issue that Policy Group agreed the change or that it has not been implemented in the relevant primary document. Why this has happened (or should that be “not happened”!) is not really relevant to this arbitration – merely the fact that it has happened. It needs addressing – but that’s probably for a matter for another arbitration.

>	I reserve making a final decision on this matter until 15th November to
>	allow other objections to be considered.

And continue to do so….

Alex Robertson 
CACert Arbitrator
}}}
 . (A) 2012-11-06 Email from (R)
 {{{
Dear Alex,

Some historical facts on meta policy work in the past and today:

The main policies have been written in Ian's Vienna time period
back around 2007 (probably starting 2005?!?), 2008
At Top Pirmasens around 2007-09-19
the basis of rule sets have been voted in (at ths time no policy group was
working)
Only a small group of policy writers, probably Ian and Philipp as the main
authors
prepared those.
Top Pirmasens can be seen as the Policy install party, where all the main
policies
have been voted in by CAcert Inc board, later this year confirmed at
CAcert Inc AGM

The basis has forseen some update procedures for policies, but this all
was written
at the green table. Same examples have been played around at Pirmasens
Top,
so Assurances following Assurance Policy have been introduced. The first
two disputes
have been filed and ruled to see that DRP is working in general
https://wiki.cacert.org/Arbitrations/a20070921.1
https://wiki.cacert.org/Arbitrations/a20070921.2

Then, about 1 1/2 year all these policies were in place not much did
happen
in the Community to move forward with the Audit (Audit - especialy DRP
required the policies to be installed), so an auditor can check something
what was written, and what has been followed or not.

By end of 2008 - the New Roots ceremony has been passed following SP.
with one followup dispute:
https://wiki.cacert.org/Arbitrations/a20090301.1
  "CAcert disk destruction procedure has changed compared to the CAcert
Board decision"
  (this is one of the essential samples in an ABC interview, to signal to
the new
   candidate, that he can break policy rules under special conditions)

Despite the fact it was tried to roll out the Assurance Policy
it has not been followed in full. The sea-shift in this area
did happen with a couple of arbitration cases
https://wiki.cacert.org/Arbitrations/a20090303.1
  "Assurance made on an unproper form"
https://wiki.cacert.org/Arbitrations/a20090306.1
  "CAP form on the official website doesn't conform the Assurance Policy"
So this was also the time, the AP has been pushed to the Community
by the ATE series and also by arbitrations and board motions
(the result can be also seen in the count of arbitration cases
 4 in 2007, 4 in 2008 and the explosion in 2009 with 108 (!!)
read arbitration stats:
https://wiki.cacert.org/OverviewProjectsBoard/Arbitration
so in Q2/2009 (April-June) we've received the overall peak of 38 cases

Despite the fact, the Policies have been in effect since around 2007,
practicle work started in 2009. This was also the time Audit stopped (June
2009)
https://blog.cacert.org/2009/06/393.html
One topic here was: Community wasn't ready by this time

"Ian’s work was a primary element in the audit project, which started in
the beginning of 2008. The one and a half years project is almost at the
point of the second of the three mile stones. Because of the long time it
takes for getting policies accepted in the far-flung CAcert Community and
CAcert Board, a board run in the spare time of its members, the end date
of the project has shifted greatly. The true amount of work was
underestimated."

So in 2009 deployment of Policies into practice has started.
Eg with the backlog of arbitration cases that received Arbitration
the handling of cases following DRP by using Support-Engineers as CM and
selecting an arbitrator didn't realy worked as defined under DRP.
CM's no longer available, disputes not transfered, and so on.

So we discovered an Arbitration crisis, that also related to a Support
crisis.
By end of 2009, Ian stepped in as temporary Support t/l and with me as
liason
from Arbitration (as nobody other did)
Ian re-deployed a running Support team and I did the same with Arbitration
(as results, the Support training pages and the Arbitration training pages
have been deployed)

Back in Dec 2009, I've invited Assurance team and Ian as the master of
policies
to an Assurance top in Hamburg. Here we've prepared the continous work
of policy work in Assurance area -> PoJAM and TTP-assisted-assurance.
https://blog.cacert.org/2010/01/454.html

At the same time, I ruled on one case, that I've splitted into 3 cases:
https://wiki.cacert.org/Arbitrations/a20091118.1
   "Assurances while TTP program frozen"
https://wiki.cacert.org/Arbitrations/a20091118.4
   "Arbitrator slow"
https://wiki.cacert.org/Arbitrations/a20091118.5
   "Code changes regarding TTP program"
The interesting one is the .1 that states, that the push of
policies did not realy happen before around mid of 2009 (!)
So one of the intermediate rulings was the order to critical
team to add a "Warning: TTP frozen" warning onto all pages
under the critical system

So this supported Boards motion(s)
https://community.cacert.org/board/motions.php?motion=m20090912.1
https://blog.cacert.org/2009/12/448.html (related article in the blog)

Announcement to the community, did not realy happen before
so this also was a starter of the
monthly wiki community updates
https://wiki.cacert.org/Community/Update

To push out the AP subpolicies, I saw no other way, to post
it everywhere where its become practicle. This was the Blog and therefor
the
main CAcert website. Ian as the de-facto Policy officer by
this time with access to the svn policy directory
did updates on policies that did reside under the SVN directory
but couldn't make changes to the policy directory under
the critical system.

Until mid of June 2010 a couple of various policy decisions
(resolved, unresolved) passed the policy group, so probably
around or before June 2010
Ian started the policydecision wiki page
https://wiki.cacert.org/PolicyDecisions
to keep track of all
the smaller and bigger policy decisions that did happen around
this time (and there was a lot)
https://wiki.cacert.org/PolicyDecisions?action=info
(starts with revision # 170, dated 27.06.2010)
by following the arbitration numbering schema and tracking under
first under https://wiki.cacert.org/Arbitrations, then
splitted into https://wiki.cacert.org/Arbitrations (open/running cases)
and https://wiki.cacert.org/Arbitrations/ArbitrationsClosed ->
https://wiki.cacert.org/Arbitrations/ArbitrationsClosed?action=info )
(probably did happen in 2009 by the mass of new running cases, and
more and more completed cases)
wiki info starts at revision 205 / 1000-something. So the exact
date I cannot discover.
(sidenote Arbitration cases often Support tickets under OTRS ->
issue.cacert.org)

So this numbering schema follows board motions tracking
https://wiki.cacert.org/Brain/CAcertInc/Committee
section Historical Record
that moved to https://community.cacert.org/board/motions.php?motion=
database, started by Board 2009 1st half
and first Board motion
https://community.cacert.org/board/motions.php?motion=m20090609.1

Also motions from previous boards are listed under
https://svn.cacert.org/CAcert/CAcert_Inc/Board/board_review_actions_200408
20_20070525.html

To get an overview of the several numbering schemas, have a look under
https://wiki.cacert.org/DecisionNumbers
this table lists the different decision tables by many (if not all) of
the CAcert teams and groups

So also decisions by the widely unknown "Management SubCommittee"
that worked back around 2007 had their own decision tables
https://wiki.cacert.org/ManagementSubCommitteeDecisions
This is of special interest, 'cause this group prepared the Audit
framework
eg.
msc20080117.1
msc20080117.1 MoU on Funding for audit (signed final document) now on svn,
remove the older HTML discussion document because it is completely
replaced by the PDF. 


So, Decisions tracking has a long tradition within CAcert's work by the
several teams.
Some are unknown, some are better known - all to keep track on the
decisions
that have passed and to get not lost by missing implementation rules (eg
for Policy group decisions)

Despite the fact, PoP doesn't references directly to the 
https://wiki.cacert.org/PolicyDecisions
document, one has to read policy mailing list about resolved decisions,
the wiki page https://wiki.cacert.org/PolicyDecisions assists members
to get an overview what has happened with a proposed policy change
and if it is in effect.
As said, policy and practice may differ, especialy if policies
are still under development (eg CCA is such one that is under development
to implement the changes passed by other policies (eg RDL) and to reflect
current
practice Termination 3.3, exact contract partner naming: CAcert Inc vs.
CAcert Community)
This work has started back in 2010 but didn't get finished
(why did Auditor resign ?-) -> one of the causes: slow working policy
group )

One more topic comes to my mind:
as written above, communication was and is in a mess ...
one only reads mailing lists, another only reads blog posts, the next one
receives wiki update notes by using the .* schema, and the 4th uses
rss feeds

This problem is not new, we've faced in pushing the ATE series out
to the community, so I've by the time, in role of Events officer
filed a dispute to get the scripted mailing process installed
into the strictly secured critical system
http://wiki.cacert.org/Arbitrations/a20090525.1
"Event officer request recurrent notification to assurers near the
 location of the following ATEs - Precedent Case"

this script derived from the scripted mailing source
also to use for the scripted rollout of CCA (see below)
first tested by end of last year mailing to _all_ members
with the Tverify points to expire
https://blog.cacert.org/2011/11/536.html
A quarterly newsletter mailing has been discussed within
the Software-Assessment project team
https://wiki.cacert.org/Software/Assessment around and before
Nov 2011, but hadn't picked up by the PR team yet :-P

One Audit requirement is to push the CCA acceptance out to the Community
http://wiki.cacert.org/AuditToDo - Outstanding Tasks - Notifications
  outstanding since  20070830  (!)
  notify all Members of CCA. See RolloutCommunityAgreement
  http://wiki.cacert.org/RolloutCommunityAgreement
and
http://wiki.cacert.org/AuditToDo - Outstanding Tasks - Software Changes to
Website
  outstanding since  200806xx  (!)
  b. add checkboxes "I agree to CCA." to cert creation;
  c. drop wrong/out-of-date contract text; See  RolloutCommunityAgreement

So all we can assume is, that member who have been assured after February
2009
have agreed to the CCA. All members who issue certificates or have created
their
account after around April 2009, have agreed to the CCA.
We currently have probably around 10.000 active members, so the CCA
agreement
covers about 5% of all potential members base (database has about 200.000
accounts)

One topic that I've discussed with Ian outside this arbitration case some
months ago
was about the CCA rollout and the requirement about.

What do we want to achive ? That if something becomes active and interacts
with our system either way, he has to be bound to arbitration.
So, as long the member accepted arbitration, CAcert is on the save side
As inactive members probably doesn't relate to any disputes, the
requirement
to bind them to Arbitration cannot be totaly ignored (at least by the time
of termination this comes back to topic), but has not that high priority
as long the active and working community has agreed to the CCA.
So here there are 3 essential topics (by Audit requirement), so the
Assurers
in assurance have to disclose to new members - this is the R/L/O topic.
Once an old member tries to create a new certificate, has has to accept
CCA
by clicking the checkbox. Accepting CCA in the assurance process is a bit
tricky.
By default Events officer was requested to have a CCA printout at hand at
every
event. But consider assurance practice: only one time we had one guy
sitting
down at Cebit 2009, reading the full 4 pages of the CCA before accepting
it.
This is very unusual in practice, as the guy reads it 45 min's ... and
most
assurees do not have that much time, to get an assurance at a big event
or assurance party. So here comes the Assurers duty, to disclose (at
least)
the 3 essential topics -> R/L/O beside of all the rest that is written
in the CCA

PoJAM and TTP-assisted-assurance are probably the first practice droven
subpolicies, as they've first checked against practice in WIP state
(PoJAM)
or for TTP we had the old TTP assurance process, but that missed a policy
so was frozen back in 2009 ... here we collected the long time
experience into the policy 

With PoP we hadn't such experience, as those documents was written
from scatch. This you can see also in the principles as referenced
by CCA -> http://svn.cacert.org/CAcert/principles.html, also
Privacy Policy -> http://www.cacert.org/policy/PrivacyPolicy.html
these documents were written before all other documents, so therefor
may lack some details check

For active policy group work, one has to push actively into the
policy group, that changes gets prepared and later on
voting takes place. So for PoP no one noticed, that some practicle
work didn't work in full as first written back around 2007, 2008
as changes didn't made it into policies in an appropiate time period
into the documents, so a workaround has been installed back in 2010
but didn't pushed it into policies (remember: the strict audit work
has been stopped back in mid 2009 - since then, also Policies are
still under development and review ... but all this still works
very slow ....). So before next audit starts, all Policy documents
requires to get in sync with the policy decisions made


Ok, one more topic ...
as shown ... communication is in a mess, so back in 2010
we've introduced the Community/Updates, but the last written ones
are back in Oct 2010  :-P
other publication takes place, often (but not in every case)
in the blog, in the wiki, by scripted mailing, in the wiki
or elsewhere ...

ok, take the Policy decisions as under
https://wiki.cacert.org/PolicyDecisions

starting early 2010

p20100113 Stop issuing class3 certificates   - Not carried, NO consensus.
 ->  no blog post

p20100119 PoJAM to DRAFT                     - decision is carried
 ->  blog post: https://blog.cacert.org/2010/02/457.html
 =>  includes link to policydecision page
 
https://wiki.cacert.org/PolicyDecisions#p20100119_PoJAM_to_DRAFT

p20100120 Assurance Policy: require government ID  - Not carried
 ->  no blog post

p20100306 Policy Officer makes minor adjustments - Option 3 is carried 
 -> blog post: within community update
               https://blog.cacert.org/2010/03/471.html
 => includes link to policydecision page
                http://wiki.cacert.org/PolicyDecisions#p20100306

p20100326 Security Policy to remain in DRAFT -  Carried
  -> no blog post


once a blog post has been published about any policy decision,
also the link to the policydecision page is included to reference
the decision. Minor changes or not carried decisions tends to be
not published, where assurance area related decisions have been
published in full (this also relates to arbitration rulings
especialy cases with precedent - eg read hyphen's to handle optional
ruling)

Why had DRP 3.4 change not been published - well, by the time
the DRP change have been pushed to the policy group, all active people
in the mailing list also voted about this policy change proposal.
DRP 3.4 change has not that much influence in the assurance or work
under SP, so therefor was a beside change that other documents undergo too
until all policy documents have been brought in sync with current practice
and work

was it 2010 ?!?  where I've asked in policy group to pickup the topic
that CM wasn't any longer from the Support team, but from the
Arbitration team, but nobody responded or nobody did take care about
so still open issue ... 

Regarding CCA ... I've started several runs on details changes of new
CCA revision, made some pre-voting for or against a change, so to
go through the full document, section by section, to present the
changes in full to the policy group ... so that was the cause
why the RDL to change in CCA vote didn't passed by the time the
voting has been brought to agenda, as we've in policy group expected
a finishing within a time period of 1-2 months, so the RDL change
would probably pass 1 or 2 months later, together with the big change


One interesting topic I've found while researching above stories
around policies in practice, I've stumbled over:
https://www.cacert.org/policy/CertificationPracticeStatement.php#p8.5
but this isn't the only point that opens up potential exceptions
to the standards defined by the policies itself 

regarding the policydecisions page, probably Ian started this page
(as he did take care about policy changes and to keep track of them
in a de-facto Policy officers role, but not accepted by board
of 2009 2nd half (was there a motion about?!?)
As the motions database isn't the easily searchable, its difficult
to find any reference about this topic

For OAP I had a similar problems under
http://wiki.cacert.org/Arbitrations/a20120121.1
that I've questioned and answered by doing a deep
research where I've also inspected SVN revision numbers
and dates to get this question answered
I encourage you, the arbitrator in current case to
read the research path of named case "to find the answer to the
question which OAP revision is CURRENT (either DRAFT or POLICY)
and therefor in effect".
DRP 4.4 Revisions of DRAFTs must be treated as decisions on the policy
group. 
so this apply to http://wiki.cacert.org/PolicyDecisions#p20110108
Compiling the full document
"5.3 Policy group may propose changes to a POLICY document in order to
update it. When changes move to DRAFT status, they may be included in the
POLICY document, but must be clearly indicated within as DRAFT not POLICY.
"
applies, but current version had not been compiled (caused by missing
Policy Officer?),
so have to be done by the policy reader as p20110108 is the 
    2.3 Decisions are taken by "Rough Consensus." A vote may be called to
clarify. 
In consequence of
  "1.4 The Policy Officer manages all policies and the policy group."
and PO is currently vacant and referenced to Board as the fallback, 
I have first to ask, that Board in their duty in role as PO first have
to bring the policy documents in a good working order
as PoP 1.4 states: The Policy Officer manages all policies and the policy
group.
once they want the appeal process picked up
As there is no explicite definition when policies comes into effect once
voted
the only definition in this direction is given under
"PoP 2.3 Decisions are taken by "Rough Consensus." A vote may be called to
clarify. "
so takes in effect once the decision has been carried.
One may read
"PoP 3.1 An Editor is identified. This person is responsible for drafting
the document, following the consensus of the policy group. "
as the guy whos duty is to implement the changes into the document.
Is there any procedure defined, how I, as editor can achive this?
a) How to update a document if the main document resides under
www.cacert.org/policies ?
b) How to update a document if the main document resides under
svn.cacert.org/CAcert/policies ?

probably:
a) 1. download the source package from the main cacert website under About
CAcert
   2. edit the php or html document
   3. file a bug, attach the update to the bug filed
   4. notify software-assessment team, to review, test and transfer the
patch to critical team
b) 1. request a SVN account, ask for write permissions into the policies
directory
   2. download a SVN client
   3. download the main document source
   4. implement the changes
   5. commit the changes into the svn directory
Shall either procedure a) or b) apply to all editors ?!? or only to the PO
?


The missing part either way is, that there are no
clearly defined publishing channels outside
policy group. But policy group (that is the full
mailing list archive) is defined. So any passed vote
on policy group (mailing list) is the minimum requirement
that a policy change has been carried.
Your problem as arbitrator: you have to reread all
the mails in policy group if not using a simplier
practicle solution - that is the policydecisions wiki page.

For PoJAM we have the paperwork workaround to apply the
carried draft subpolicy into practice - checkbox PoJAM happened
isn't yet implemented into the online system - but this doesn't
blocks the policy to become in effect, nor is there any definition
that this policy only comes into effect once put in the
critical system. 

The principle is, that a policy vote, once started and carried
changes a policy state (except a special vote .. policy remains draft)
and therefor also applies to the content.

The review process of policies as expected under PoP didn't get that
active
support in Policy group that Policy documents in Draft gets passed to
Policy
so therefor half of the policies still are marked with state DRAFT
one idea was, to move Policies once sitting 1 year at DRAFT passes
automaticly to POLICY (don't know if there was a voting about this
topic or just discussed)


About topic "pass appeal authority over to one arbitrator" isn't probably
that was expected by the policy writers ...
First in writing DRP, the topic appeal comes in place
there was not that much time, to have a wider discussion about this
topic, so therefor, to allow appeals in general, a quick'n dirty solution
has been written under 3.4, in short: to be handled by board - a group of
people,
familiar with the policies, rules where decisions didn't pass to only one
person.
As board of CAcert has by default 7 seats, so 7 members have to decide
over
an appeal (old version).
This has been adjusted by Policy Group by their decision p20110108
in a similar way, a group of arbitrators have to decide once accepted as
appeal
so as this motion has been carried:
      http://wiki.cacert.org/PolicyDecisions#p20110108
      Motion is CARRIED. Voting closed 20110126
the new 3.4 did overwrite the "authority transfer" clause, as Board in
role as (C)
had a CoI by the time the board motion has been accepted:
https://community.cacert.org/board/motions.php?motion=m20101212.2
(this was before 2011-01-08)
but that leads to the appeal arbitration case a20110310.1
(that comes later)
The conflict, that exist by the time of board motion solved by policy
group
decision, later passed under Arbitration a20110310.1
By default, the dispute filing a20110310.1 has to be rejected
as the 

Board motion text:
"CAcert Inc. appeals on the ruling of a20100212.2 as it is convinced that
taking over risks, liabilities and obligations of a deceased member is
incorrect because Cacert is not a party in disputes between the deceased
member and other community members."  (there is no authority transfer
clause here)

Dispute filing:
above board motion text
and
"As the appeal will have to be handled by the board this introduces a
 COI. To maintain the spirit of independence and transparancy of CAcerts
 arbitration system, CAcert Inc. directs its powers resulting from § 3.4
 DRP for case a20100212.2 to the arbitrator re-opening the case [3]."

as board isn't in the role under DRP 3.4 current version since
   Motion is CARRIED. Voting closed 20110126
to transfer any authority over to a single arbitrator. 

So this passus of dispute filing is incorrect.
However DRP 1.4 Contents  allows
  "If the filing is inadequate for lack of information or for format, the
Case Manager
   may refile with the additional information, attaching the original
messages."
the original dispute to be modified to become a valid dispute filing
so the part
"As the appeal will have to be handled by the board this introduces a
 COI. To maintain the spirit of independence and transparancy of CAcerts
 arbitration system, CAcert Inc. directs its powers resulting from § 3.4
 DRP for case a20100212.2 to the arbitrator re-opening the case [3]."
to be removed
}}}
 . (A) 2012-11-06 Response from (A)
 {{{
It all comes back to the question "Which version of DRP is in force?" and I
think it is important to separate intent from result.

I agree that the intent of Board and Policy Group is to change it - I even
agree with the change....

However I still disagree with your premise that the publishing of the Policy
Group decision somewhere in the wiki is sufficient in and of itself to bring
the change into effect and "deep research" isn't necessary 

CCA 0.1.14 defines "CACert Official Documents" and makes clear that "changes
are managed and controlled" - this includes DRP.
CCA 4.2 specifies that "This agreement and controlled documents above are
primary, and may not be replaced or waived except by formal policy channels
and by Arbitration." - at this point the changes to the "primary documents"
have been approved by formal policy channels but the current CAcert official
document has NOT been replaced for whatever reason. 

I also note the example at the end of CCA 4.3 on the Assurer Handbook "The
Handbook is not however an agreement, and is overruled by this agreement and
others listed above." which clearly separates the primary documents from
other material.

Since the published and controlled versions of the CCA and the documents
listed at CCA 4.2 represent the contract between members and the community
at large and the primary basis for arbitration, I see them as the "binding
documents" - it is the responsibility of the Policy Officer, Policy Group
and the Board to ensure that this happens and to keep raising the issue if
it does not. 

I also see great danger to the community in allowing change and variation to
creep in from other sources however official they might seem to be - the
whole point of using a controlled document for this is to stop (for example)
someone inserting an apparent motion in the wiki stating that "All parties
to the CAcert Community Agreement agree to immediately  pay 250 Euros to
Ulrich" and then claiming it is binding because it is now part of the CCA

I also believe that the ordinary member has a right to know what they have
agreed to, and what the current state is - and they shouldn't be expected to
have to search all around the main wiki and other areas such as SVN to find
all the little changes that may or may not be in force. (I go back to my
Credit Card analogy - The banks wouldn't pay all the money they do to notify
their customers of changes if they didn't believe it was necessary to their
contract? I don't know how we can move changes to a "push" publish but
that's for another day.

As to the Board's waiver, the Board is entitled to handle its business in
any way it sees fit to - this could be by delegation, subcommittee,
individual responsibilities - as long as the whole Board approve it.
}}}
 . (A) 2012-11-07 From Ian Griggs (CAcert Board Member)
 {{{
On 7/11/12 04:26 AM, Alex Robertson wrote:
> It all comes back to the question "Which version of DRP is in force?" and I
> think it is important to separate intent from result.

No only important, essential.  The Arbitrator decides, full stop.

> I agree that the intent of Board and Policy Group is to change it - I even
> agree with the change....
>
> However I still disagree with your premise that the publishing of the Policy
> Group decision somewhere in the wiki is sufficient in and of itself to bring
> the change into effect and "deep research" isn't necessary 

It isn't, and it isn't even relevant, as you state below.

> CCA 0.1.14 defines "CACert Official Documents" and makes clear that "changes
> are managed and controlled" - this includes DRP.
> CCA 4.2 specifies that "This agreement and controlled documents above are
> primary, and may not be replaced or waived except by formal policy channels
> and by Arbitration." - at this point the changes to the "primary documents"
> have been approved by formal policy channels

That's it.  They have to be done by formal policy channels.  Which is defined by PoP.

> but the current CAcert official
> document has NOT been replaced for whatever reason. 

Right -- because the formal policy channels being PoP do not include publication.

It is an open question that policy group should possibly look at - is there any implication that publication is a part of the formal policy change process?  Should there be?  We note that e.g. credit card contracts would change by mail, is this appropriate?  Or?

> I also note the example at the end of CCA 4.3 on the Assurer Handbook "The
> Handbook is not however an agreement, and is overruled by this agreement and
> others listed above." which clearly separates the primary documents from
> other material.

> Since the published and controlled versions of the CCA and the documents
> listed at CCA 4.2 represent the contract between members and the community
> at large and the primary basis for arbitration, I see them as the "binding
> documents" - it is the responsibility of the Policy Officer, Policy Group
> and the Board to ensure that this happens and to keep raising the issue if
> it does not. 

What is "this" in the above?

It seems that this amounts to a challenge to the words:

"This agreement and controlled documents above are primary, and may not be replaced or waived except by formal policy channels and by Arbitration."

Especially the notion of formal policy channels.

> I also see great danger to the community in allowing change and variation to
> creep in from other sources however official they might seem to be - the
> whole point of using a controlled document for this is to stop (for example)
> someone inserting an apparent motion in the wiki stating that "All parties
> to the CAcert Community Agreement agree to immediately  pay 250 Euros to
> Ulrich" and then claiming it is binding because it is now part of the CCA

That's why we have the policy decisions wiki page.  It is strongly scrutinised by all on the policy group.  Indeed, there has been one attempt to steamroller a change, and it failed.  There has also been an exciting attempt at a board veto - and it succeeded, thus slowing us down by a month or two.  We have our process and we've followed it.

> I also believe that the ordinary member has a right to know what they have
> agreed to, and what the current state is - and they shouldn't be expected to
> have to search all around the main wiki and other areas such as SVN to find
> all the little changes that may or may not be in force. (I go back to my
> Credit Card analogy - The banks wouldn't pay all the money they do to notify
> their customers of changes if they didn't believe it was necessary to their
> contract? I don't know how we can move changes to a "push" publish but
> that's for another day.

OK, so let's distance ourselves from the banks.  When Banks change contracts they are doing it for their benefit - the banks.  They are intending to take more money from customers.

When we change contracts, we are doing it for the benefit of our community.  Check the record - every change we have made has not resulted in fees going up :)

Of course banks have to then publish their contracts - because courts won't back them raping their customers if they don't give their customers at least a publication.  We aren't in that business.  We are not going to a court and asking them to force a fee increase over the customer.

The notion that we would try and force an unpopular change over our customers -- our community -- by just a publication ... is really not germane.  We took a different path.  Publication isn't the issue, our "formal policy channel" is.

> As to the Board's waiver, the Board is entitled to handle its business in
> any way it sees fit to - this could be by delegation, subcommittee,
> individual responsibilities - as long as the whole Board approve it.

OK, delegation works.  As long as the Arbitrator accepts it.  Not sure about that, complicated question, but nicely not a question I have to answer :)
}}}
 . (A) 2012-11-07 Response from (A)
 {{{
Hi Ian

>> but the current CAcert official
>> document has NOT been replaced for whatever reason. 

> Right -- because the formal policy channels being PoP do not include publication.

PoP 5.3 "Policy group may propose changes to a POLICY document in order to update it. When changes move to DRAFT status, they may be included in the POLICY document, but must be clearly indicated within as DRAFT not POLICY."

So what should have happened is that there should have been that DRP 3.4 should have had the new text inserted and that section flagged as "DRAFT".
Nothing has been included in the "POLICY document"  to date 22 months after the Policy Group voted that change in.


>> and the Board to ensure that this happens and to keep raising the 
>> issue if it does not. 

> What is "this" in the above?

I'd edited a chunk and then got distracted and failed to complete the update (sounds familiar :) )

Should have read " it is the responsibility of the Policy Officer to organise updating the relevant documents and Policy Group and the Board to ensure that this happens and to keep raising the issue if it does not.

> It seems that this amounts to a challenge to the words:
> "This agreement and controlled documents above are primary, and may 
> not be replaced or waived except by formal policy channels and by Arbitration."

> Especially the notion of formal policy channels.

Not intended as such - the challenge is that the formal policy channels have not been followed through properly to completion


> That's why we have the policy decisions wiki page. It is strongly 
> scrutinised by all on the policy group.

Excellent - this is necessary

> We have our process and we've followed it.

I assume you mean the "Board Veto" example for this and that "our" means "Policy Group's" - so..

Where is "our process" fully documented - and I mean the actual process itself - and how can you demonstrate that you've followed it in any given scenario?? Think in terms of ISO9001! Think about the issues raised by this case!

> OK, so let's distance ourselves from the banks. When Banks change 
> contracts they are doing it for their benefit - the banks.
>  They are intending to take more money from customers.
>
> When we change contracts, we are doing it for the benefit of our community.
>  Check the record - every change we have made has not resulted in fees going up :)

I'm not sure that the reason for a contractual change matters - you are forcing an unilateral change to many existing contracts AND you are not making it easy for an uninformed member to understand or find out what the current status of that contract actually is. I just typed "DRP" into the Wiki search - on titles nothing was returned and on a full text search more that 10 pages of references were returned.
 
> Of course banks have to then publish their contracts - because courts 
> won't back them raping their customers if they don't give their 
> customers at least a publication.
> We aren't in that business.  We are not going to a court and asking 
> them to force a fee increase over the customer.

Again, it doesn't really matter - what is important is the principal that contracts cannot and should not be changed without at least the knowledge of all parties involved. Publication of change is part of satisfying that process - Banks use a push process (mailing to the last known address
usually) for precisely the reason you state - there may be more flexibility in how we choose to approach the concept - but I am of the opinion that this falls outside the remit or immediate needs of this case and thus should fall back to Policy Group to consider at their convenience.
}}}
 . (A) 2012-11-10 Email from Werner Dworak (CACert Board Committee member)
 {{{
Hello Alex,

> PoP 5.3 "Policy group may propose changes to a POLICY document in 
> order to update it. When changes move to DRAFT status, they may be 
> included in the POLICY document, but must be clearly indicated within
> as DRAFT not POLICY."

> So what should have happened is that there should have been that DRP
>  3.4 should have had the new text inserted and that section flagged 
> as "DRAFT". Nothing has been included in the "POLICY document"  to 
> date 22 months after the Policy Group voted that change in.

This I regard as unacceptable. But I assume it is due to the missing
Policy Officer. And now you run into problems which version of the DRP
you can regard as valid.

> Should have read " it is the responsibility of the Policy Officer to 
> organise updating the relevant documents and Policy Group and the 
> Board to ensure that this happens and to keep raising the issue if it
> does not.

Indeed. But seemingly no one did anything. I start to feel sorry for
Megan about the backlog she has to cope with. But I am confident she can
cope with it.

> Not intended as such - the challenge is that the formal policy 
> channels have not been followed through properly to completion

Seemingly. And I am happy this will come to an end soon.

> I'm not sure that the reason for a contractual change matters

Indeed. That there is a change at all does count.

> you are forcing an unilateral change to many existing contracts AND 
> you are not making it easy for an uninformed member to understand or 
> find out what the current status of that contract actually is.

That is the point. And that should change.

> I just typed "DRP" into the Wiki search - on titles nothing was 
> returned and on a full text search more that 10 pages of references 
> were returned.

This I call really confusing.

> what is important is the principal that contracts cannot and should
> not be changed without at least the knowledge of all parties
> involved. Publication of change is part of satisfying that process

Indeed. CCA 3.4 clearly states "Changes will be notified to you by email
to your primary address.", but this never happened up to now.

So generally our regulations are right but the practice lacks.

Kind regards, Werner

}}}
 . (A) 2012-11-10 From Ian Grigg (CAcert Board member)
 {{{
I suggest that we separate the tasks here somewhat.  Any changes to the policy and any clarifications should be debated on policy group.

Any comments made concerning the current Arbitration can continue here.  
But I think everything's been said, really :) or at least I don't think we can help by rehashing arguments.

iang
}}}
 . (A) 2012-11-10 Observation from (A) noted here "for the record"
 {{{
This is what has already effectively happened - there have been a load of emails that have not been forwarded to the "offical lists" as copied, only to cacert-policy@c.o which I've not included here. With the exception of the one from Werner above, none have had anything new to offer.
}}}

== Discovery 4a ==

 . (A) 2012-11-12 (A) Mail from IanG (CACert Board Member to cacert-board list
 {{{
In motion https://community.cacert.org/board/motions.php?motion=m20101212.2 CAcert Inc appealed against a ruling that brought it some increased liabilities.

This caused a problem because CAcert Inc (as its board) was then the hearer of any appeals.  It cannot appeal to itself.  So at the time, the Board proposed in motion https://community.cacert.org/board/motions.php?motion=m20101212.1 a novel fix:
Resolved, that the board directs its powers resulting from § 3.4 DRP for
case a20100212.2 to the arbitrator re-opening the case and,

that the policy group amends § 3.4 DRP to specify what are appropriate
solutions when the board is a party.

In my opinion, the first part, that is, directing its powers to another party, is impossible.  It lacks foundation.  It isn't in the powers of an Arbitrator or an Arbitration Panel to simply hand on its powers.  All it can really do is hear the case, or not.

To my mind, this leaves the case in deadlock.  It leaves the board unable to appeal because it is then forced to not hear the case, because of conflict of interest.  Oh well, such is life?

In the alternate, if the Board as Arbitration Panel does this, it also sets a precedent that any Arbitrator can also do it for any other case.  Philipp could direct his powers to the Catholic Church of which he's very fond, Ulrich can direct his powers to the MAD, and I as Arbitrator could direct my powers to my cat.

In the other alternate, in Associations Act 2009 there is a clause that says that any decision exercised by the board is deemed to stand, even if there is defect in the form of it.  That is, even if we make a mistake about minutes or quorums, our decisions stand if not challenged.  This gives us substantial latitude to make things work.  But, I think we also need to be wiser and not make things harder for ourselves.

This above decision makes Arbitration messier and riskier.  As Arbitration is an extremely powerful and important part of our overall governance equation, I think it better for the Board to not interfere and weaken it.

Therefore I propose to repeal the above motion.  Comments?
}}}

== Intermediate Ruling 4 (Reviewed and not confirmed by Supervising Arbitrator) ==
--( . With regard to the email referenced in Discovery 4A )--

--( . Since this appeal is currently underway, this represents an attempt to interfere with the course of a running arbitration, and I therefore rule that this proposal is out of order. )--

 . This ruling were it to stand would be unconscionable. It would prohibit parties to an arbitration to hold their own council and act on their own behalf. The standard to apply to a party to a case interfering needs to be considerably higher. Such a bar in a court of law would be for example "tampering with evidence". Under no circumstance does holding ones own council, discussing a case or coming to a conclusion or decision that affects the case rise to that level.

 . A case could be made that a board decision as proposed does interfere with the case at hand, and an arbitrator could then choose to rule that the decision will only apply to future cases. However ruling that the board does not have the right to make such a decision or take on the discussion that might lead to such a decision would rise to an egregious miscarriage of justice. As such this intermediate ruling does not stand.

== Discovery ==

== Ruling ==

== Discovery ==
 . (A) 2012-11-01 (R) Statement of position.
 {{{
Hi,

> -----Original Message-----
> From: Alex Robertson [mailto:alex-uk@cacert.org] 
> Sent: Monday, October 29, 2012 9:01 AM
> To: ulrich@cacert.org; 'Mario Lipinski'; secretary@cacert.org;
cacert-board-private@lists.cacert.org
> Cc: alex-uk@cacert.org; p.dunkel@cacert.org;
arbitration-archives@cacert.org
> Subject: Arbitration case a20110310.1 init mailing



  5. The next thing I would like both sides to do is to prepare a short
     email that outlines their viewpoint. No longer than a page, please!


By accepting the CAcert Community Agreement, the member accepts a contract
between himself and CAcert Inc, where CAcert Inc is the legal representive
of the CAcert Community.

https://www.cacert.org/policy/CAcertCommunityAgreement.php
 0. Introduction
This agreement is between you, being a registered member ("Member") within
CAcert's community at large ("Community") and CAcert Incorporated
("CAcert"), being an operator of services to the Community. 

so its fact, that CAcert Inc is the contract partner of each individual
CAcert Community Agreement
accepted by a community member.


Current CAcert Community Agreement defines procedures if someone
resigns, but doesn't include any definitions if a member deceases

https://www.cacert.org/policy/CAcertCommunityAgreement.php
3.3 Termination
.........................................................................
 You may terminate this agreement by resigning from CAcert. You may do
this at any time by writing to CAcert's online support forum and filing
dispute to resign. All services will be terminated, and your certificates
will be revoked. However, some information will continue to be held for
certificate processing purposes.

The provisions on Arbitration survive any termination by you by leaving
CAcert. That is, even if you resign from CAcert, you are still bound by
the DRP (COD7), and the Arbitrator may reinstate any provision of this
agreement or bind you to a ruling.

Only the Arbitrator may terminate this agreement with you. 
.........................................................................

The topic "all services will be terminated and your certificates will be
revoked"
is an essential part in termination of the given contract.
This also relates to members who deceased.

The second part of this CCA topic
"The provisions on Arbitration survive any termination by you by leaving
CAcert. That is, even if you resign from CAcert, you are still bound by
the DRP (COD7), and the Arbitrator may reinstate any provision of this
agreement or bind you to a ruling."
makes it complicated, in the case a member deceased.
The member can no longer be bound to CCA/DRP (he is no longer available)
also the arbitrator can no longer reinstate any provision of this
agreement.

This is mostly no problem, if the notification that a member deceased
receives
CAcert and the case is handled in a proper time (eg within 14 days ?!?)

But this didn't happen under referenced case
https://wiki.cacert.org/Arbitrations/a20100212.2

The notification that the member deceased receives CAcert
at 2010-02-12, has been transfered into the disputes queue
at 2010-02-15
but has been picked up first 9 months later
at 2010-11-03

No one from Support, no one from Arbitration team, no one
from CAcert board did takes care about this "special" case
and the problems that may araise, if the account will
be kept open without any interaction (that is: lock the account,
revoke all remaining certificates)

So this "non-action taken" issue leads to the part
in the final ruling, that the passed time w/o any action 
needs a definition how the remaining R/L/O's 
within this time period needs to be defined.

As CCA gives no answer nor any other policies,
I've tried to find an answer by a similiar
real life case:
using a life-insurance contract as a sample,
where the defined parties in the contract
are no longer available and how this case
probably will be handled ...
The contract probably goes back to the
company who is the remaining contract partner.
The contract will be set on hold until a
recipient can be identified and discovered,
at least infinite.

In relation to the CCA contract between a
member and CAcert Inc, this means, the
contract is still held by CAcert Inc
and CAcert Inc is responsible to pass
the remaining steps that are required
to close the issue. This includes the
termination of the account, revoke of
remaining certificates that the R/L/O's
can be closed.

As this didn't happen in a 9 months period,
the potential R/L/O are still open,
so to be kept by the remaining contract
party, that is CAcert Inc.
As the CAcert membership is not transferable
to a relation or another named party
CAcert Inc is the only one to name.

At the time, the a20100212.2 case was
running, we had not realy a defined procedure
how to handle such deceased cases.

Support was in a mess, Arbitration was in a mess
Support just has restarted working and building up
experience. In 2011 Arbitration and Support
deployed a series of precedent cases, where
Support engineers can handle cases appropiate.
At the time a20100212.2 has been filed, no one
of the Support crew had enough experience
to pickup the case at Support level, to lock
the account, to revoke the remaining
certificates. Also from Arbitration team
nobody takes care about this special case
and the potential risk this case did enclose.

Today such a case will be probably handled properly
as Support has built up enough experience to take
care about such "special" cases
so the problems that did appear with
the named case no longer will happen.


From my PoV, most of CAcert community and
also of CAcert Inc wasn't and aren't aware,
that some issues that receives CAcert Inc and
also CAcert Community needs immideate
interactions to prevent any harm from the
CAcert Community and CAcert Inc.
"Member deceased" is such an issue, that needs
intermediate action - lock the account, revoke
remaining certificates, file a dispute
(that is a default SP procedure)

As nothing did happen that way under a20100212.2
this case brought me to the ruling as given.

>> CAcert Inc. is convinved, that taking over all R/L/O of a member is
>> inappropriate as it might e.g. not be involved in contracts between the
>> deceases member and other community members and has no influence on
>> this. Probably most of the R/L/O can be voided.

The board motion
https://community.cacert.org/board/motions.php?motion=m20101212.2
CAcert Inc. appeals on the ruling of a20100212.2 as it is convinced that
taking over risks, liabilities and obligations of a deceased member is
incorrect because Cacert is not a party in disputes between the deceased
member and other community members.

is incorrect as CAcert Inc is the contract partner of the CCA (see above)
between each member as contract partner 1 and CAcert Inc as contract
partner 2
(on behalf of CAcert Community). As such, has CAcert Inc been named in
the ruling.


>> However, CAcert Inc. accepts that this special case might introduce new
>> R/L/O at its disadvantage. This is a risk CAcert Inc. has to carry for
>> operating a CA, but whether this requires it to be help liable for this
>> should be decided on a case by case basis.

The R/L/O that still remains until a notification has been received
by CAcert and the case will be handled gives no option to decide
on a case by case basis. The R/L/O still remains open until
the case will be handled appropiate, that is to lock the account,
to revoke all remaining certs.
As long this did not happen, CAcert Inc becomes liable caused
by the contract and CCA definition itself.


>> A wildcard delegation of R/L/O might introduce R/L/O for CAcert Inc.
>> which are out of its control and so inappropriate.

CAcert and CAcert Inc has its under control, as long procedures
exist or becomes deployed, that "deceased member notifications"
will be handled as "emergency issue" ... to be handled asap.
This brings no extra burden to CAcert Inc and the Community
except to handle such cases immediately


>> Another issue is that CAcert Inc. was not represented in the dispute.

This topic is still an open topic within arbitration, how to name
the "unknown" party in administrative disputes.
eg member as Claimant against whom ?

In delete my account cases by default Respondent is named "CAcert",
this is all times CAcert Inc as a contract partner.
CAcert Inc will be seldom contacted and heard in such a case
as the procedures are delegated to Arbitration (CCA 3.3 termination)

The lack of definition what happens with the R/L/O in a case
a member deceased and the account will not be handled properly
in an appropiate short time after receiving the notification
is a situation that isn't and wasn't yet defined in a policy.
As Arbitration is the fallback for such unforseen issues
it was handled by me under a20100212.2

The option CAcert Inc and the CAcert Community has
in the future is to define procedures for
intermediate actions with a list of issues that
fall under this regime.

One other known issue are "external" disputes
that requires intermediate action by Arbitration
within about 14 days, at least with an intermediate ruling.

For Arbitration such a "High Priority Cases"
procedure has been defined under
https://wiki.cacert.org/Arbitrations/Training/Lesson25
Lesson 25 - High Priority Disputes
dated 2012-03-08
that gives some background info, why such cases needs
to be handled asap

So I've picked up all such "High Priority Disputes" within
the last 2 years (no one of the other arbitrators still picked up such
cases)
to bring them at least to an intermediate ruling state.
Probably this needs some education in the Support and Arbitration teams
but this is up to their team leaders

>> As the appeal will have to be handled by the board this introduces a
>> COI. To maintain the spirit of independence and transparancy of CAcerts
>> arbitration system, CAcert Inc. directs its powers resulting from § 3.4
>> DRP for case a20100212.2 to the arbitrator re-opening the case [3].

The appeal procedure has been updated in policy voted by policy group
https://wiki.cacert.org/PolicyDecisions#p20110108
DRP #3.4 Appeal handled by Arbitrators
and is no longer an issue.
So current DRP #3.4 supersedes last directs of power given
in above order in dispute filing of the appeal.



-- 
mit freundlichen Gruessen / best regards
Ulrich Schroeter - CAcert Assurance Team Leader, CAcert Case Manager,
CAcert Arbitrator
 
CAcert.org - Free Certificates
E-Mail: ulrich@cacert.org 
}}}

== Ruling ==

I find no evidence of any of clear injustices, egregious behaviour or unconscionable Rulings in the initial case and therefore rule that this case may not proceed to a full appeal!

Action placed on Policy Group - The CCA and related documents need to be updated to allow for the death of a member of the community - preferably regardless of whether or not CAcert is notified.

The issue of the lack of maintainance of the COD controlled policy master documents needs addressing as a matter of some urgency. I have therefore filed a separate dispute [[https://wiki.cacert.org/Arbitrations/a20121101.1 | a20121101.1]] although Policy Group may wish to pick this up prior to that case being heard.


=== Background. ===

The original case arose because of the notification of the death of a member.

It was not picked up or processed in a timely manner by “the CAcert system”

A decision to transfer the R/L/O to CAcert Inc. was made.

=== Reasoning. ===

In the general case of the death of a member, the original arbitrator has ruled that the Risks, Liabilities and Obligations (R/L/O) fall back on the CACert Inc. as the other party to the CCA contract which seems a reasonable decision. It is also one of the (necessary) corollaries of running a CA - or any other organisation. It should not be an issue if the notification of the death of a member is processed in a sensible timeframe (<14 days!)
 
The transfer of liability to CAcert Inc. in this specific case was primarily because of the failure of “the system” to process the case to close down the member’s account in a timely manner after the notification was received “so this is CAcert’ s administrative fault.” It is also arguable that this may set a precedent for future cases involving deceased members of the community.

There is a potential risk arising from the original ruling that CACert Inc. could be brought into arbitration in the window between receiving notification of a member’s death and the account being closed. The original arbitrator has recognised this and has stated “This said, I strongly propose to take care about future Dispute filings with notification, that a member deceased. To handle these cases immediately, with an intermediate ruling, a quick arbitration process, so the community keeps protected.” 

That said, the risk of such an action is low and arbitrators are (or at least should be!) sensible enough to realise when one of the parties to a case is a dead person represented either directly by his executors or indirectly by some other interested party (such as CAcert Inc. on behalf of the community).

The potential liabilities incurred do not actually change CAcert Inc.’s possible liability - all members (including the legal member CACert Inc.) are limited to a total maximum of 1000 Euros.

In the event of other members dying and CAcert being notified, an arbitration is currently necessary to close the member’s account. It may be necessary for the claimant to be CAcert Inc. as the “other party” in the CAcert Community Agreement since the deceased is not really in a position to request this action. This “close account” arbitration also provides a point at which a further query about actions in that particular case could be raised if the Board (or any other party) has further concerns.

Whilst the Board were very quick to progress a proposal to change the DRP section on appeals to allow for the potential for “conflict of interest”, one wonders why they have not followed the appealed case in a similar manner by proposing (and following through!) changes to the CCA and related documents to Policy Group to allow for the death of a member of the community and therein  to clarify what is to happen when the community is notified that a member has died. This is a direction that is still open to them and something that probably needs to be done - we are all likely to die at some point!

From a more pragmatic viewpoint, there is no clear definition of what happens when we are NOT notified when the death of a community member occurs. I would expect such notification to be unusual - CAcert is unlikely to be high in anyone’s viewpoint in processing the affairs of the dead person if it is considered at all.

Obviously the deceased person is not monitoring their primary email and falls foul of CCA 3.5 - but, since they will not respond, how is the “close account” case to proceed.  A greater concern is where such a person has made assurances in the past seven years since it is very possible that we will lose the “paper trail” that underpins our web of trust - in a normal “close account” case, the paperwork relating to assurances is expected to be returned to an Arbitrator to be held in the event of any query relating to those assurances. If we are not notified, it is very possible that this paperwork will get lost or destroyed in the closing of the decedent’s affairs.

The non-notified death could also be potentially covered if the CCA were updated to clarify what should be done in this case.

Therefore I place an action on Policy Group to update the CCA  and related documents to cater for the death of a community member.

Since this ruling is against the appeal, it transpires that the prior discussions about “which version of the DRP applies” are redundant, although it does leave the issues raised (ie the lack of maintainance of the master policy documents) as a potential problem that needs fairly urgent resolution. To that end, I’ve filed a separate dispute [[https://wiki.cacert.org/Arbitrations/a20121101.1 | a20121101.1]] to get this issue examined and hopefully resolved.

Alex Robertson<<BR>>
CAcert Arbitrator<<BR>>
Crewe, UK<<BR>>
3rd March, 2013<<BR>>


== Execution ==

== Similiar Cases ==

----
 . CategoryArbitration

''' and please add one of the following Topics, delete the rest '''

 . CategoryArbCaseAccountDelAssurer
 . CategoryArbCaseAccountDelNonAssure
 . CategoryArbCaseSystemTasks
 . CategoryArbCaseOthers
 . CategoryArbCaseExternal
 . CategoryArbCaseAppeal