- Case Number: a20110407.1
- Status: running
- Claimants: Richard T
- Respondents: CAcert
Case Manager: BernhardFröhlich
Arbitrator: UlrichSchroeter
- Date of arbitration start: 2011-04-13
- Date of ruling: 201Y-MM-DD
- Case closed: 201Y-MM-DD
Complaint: Please remove <domain> from my Organisational Domains
- Relief: TBD
Before: Arbitrator UlrichSchroeter (A), Respondent: CAcert (R), Claimant: Richard T (C), Case: a20110407.1
History Log
- 2011-04-07 (issue.c.o) case [s20110407.11]
- 2011-04-13 (A): added to wiki, request for CM / A
- 2011-04-13 (A): I'll take care about this case as (A)
2011-04-13 (A): I appoint the (CM) as per Arbitration Team meeting 2011-04-05 decision
- 2011-04-13 (A): sending initmailing with CCA/DRP acceptance request to (C)
- 2011-04-13 (C): accepts CCA/DRP under this arbitration, sending addtl. infos
- 2011-04-30 (A): proposal for next steps to handle this case to (OA)
- 2011-05-01 (OA): response to proposal to (CM), (A), (OAO)
2012-01-22 (A): discovery and assumptions, investigations and interpretations, deliberations and conclusions to (OA)'s proposal dated 2011-05-01 to (OA), (OAO) (also applies to a20120121.1)
- 2012-05-02 (A): requesting Org certs status on (C)'s users account
- 2012-05-02 (A): request to (OA) for Org-contact of Organisation in question
- 2012-05-03 (OA): [s20120502.114] sends email address of Org-contact
- 2012-05-03 (Support): [s20120502.113] no information available.
- 2012-05-03 (OAO): called (A) by phone with informations regarding this case
- 2012-05-03 (A): request to (OAO) to explain the received results (as done by phone)
Original Dispute, Discovery (Private Part)
Link to Arbitration case a20110407.1 (Private Part)
EOT Private Part
Discovery
- What is the correct current OAP?
by default it should be: http://www.cacert.org/policy/OrganisationAssurancePolicy.php
OAP Jens POLICY m20070918.x $Date: 2008-01-18 22:56:31 $ COD11
Another revision is located in the SVN OAP in SVN
CAcert Draft Document: OAP COD11 Author: Jens Paul Creation date: 2007-09-18 Status: POLICY/DRAFT 2007-09-18 m20070918.x Changed: 2008-04-01 Teus Hagen policy list vote; add advisors and board Next status: POLICY 2008
- Board decisions 2008 - 2009 regarding OA area
Decisions from Nov 2008 to July 2009 summarizes all decisions voted upon by the board by email from the AGM in 2008 until the SGM in July 2009.
Decisions 2008 summarizes all decisions voted upon by the board in 2008.
p20090218.1 Add Danish SVR trade office registrar to the OA sub-policy Europe table of accepted trade office registrars - Carried
p20090210.1 Add Belgian KBO trade office registrar to the OA sub-policy Europe table of accepted trade office registrars - Carried
p20080920 Organisation Assurance sub-policy for Europe voted to DRAFT - Carried
p20080429.1 Organisation Assurance Sub-Policy for Ireland - Carried
p20080402.1 Organisation Assurance Sub-Policy for Australia - Carried
p20080401.1 Policy on Organisation Assurance - Carried
p20080308.1 Organisation Assurance sub-policy for Austria - Carried
p20080128.1 Assurers are individuals not organisations - Carried
for clarification: 1. Assurers are individuals, not organisations. 2. Organisation Assurers are individuals, too. 3. Organisation Assurance does not rely on web-of-trust, but instead relies on quality processes. In the above, _individuals_ is synonymous with _natural persons_ and _organisations_ is synonymous with _legal persons_ being organisations that are legally separated from people
p20080109.1 CCA to POLICY status - Carried
- p20071207.1 Organisation Assurance sub-policy for the Netherlands - called. Decided on policy email list by consensus, no votes seen.
p20071022 Organisation Assurance sub-policy for Germany - Carried
- policy decision taken by other means
p20070918.1 Policy on Organisation Assurance - TOP Pirmasens: m20070918.x
- Despite the fact OAP in SVN has a header note
WARNING: The proper policy document is located on the CAcert website . This document is a working draft to include future revisions only, and is currently only relevant for the [policy] group.
- This revision is more appropiate regarding the date state in the header then the one listed under www.cacert.org/policy
- OAP in SVN revisions
- 566 first revision in SVN
- 567 2008-01-28 - moving these all into Policies so that they can be managed from one central place
- 582 2008-02-19 - modified: future change, proper name for CCA is CAcert Community Agreement
- 731 2008-04-01 - Trees are now one version. Join of the document version tree.
- 733 2008-04-02 - Chaged info on status to POLICY/DRAFT due to unclearness in decision. So it is DRAFT now.
- 735 2008-04-02 - Some minor changes for layout, spelling and definitions.
- so "p20080401.1 Policy on Organisation Assurance" matches SVN revision #735
- this revision is the "official" current revision, that was voted last in Policy Group
- clarification regarding "current" revision from Policy Group mailing list
- Proposed Delete Org Account procedure by an OA dated 2011-05-01
Deleting an account: * SE highjacks organisation account by adding himself as admin. * Notes lates expiration date of certificates. * Revokes all certificates * Deletes the organisation (anonymisation for organisations not necessary imho), leaves a-number in comment field before. * Reports latest expiration date and deletion to Arbitrator. * Arbitrator sets CCA termination date to the date reported by SE. Case closed.
Problem 1: SE with admin flag set only, has no access to Org area to remove Org-Admin from an organisation and/or delete an organisation
Problem 2: SE with admin flag set only, has no access to Org certs area to revoke Org certs
with bug #794 patch, an overview is possible to an individual members account, if there is an org cert related to an individual member account and their last expire dates
- Problem 3: also a Support-Engineer who is also OA cannot access the list of Org client certs and Org server certs, so these certs cannot be revoked. The only delete Certs routine that is implemented in the system is, to delete an users account asssociated with such an org or to remove an Org by an OA or to remove a domain associated with an Organisation by an OA
Deliberations
2012-01-22 (A): discovery and assumptions, investigations and interpretations, deliberations and conclusions to (OA)'s proposal dated 2011-05-01 to (OA), (OAO) (also applies to a20120121.1)
fact 1: ok, fist question, I've discovered under a20110407.1 is which policy is current? I've stumbled over several revisions and started investigations. The result is listed under https://wiki.cacert.org/Arbitrations/a20110407.1 I came to the conclusion after checking the PolicyDecisions page, checking the Policy Mailing list archives that current OAP is https://svn.cacert.org/CAcert/Policies/OrganisationAssurancePolicy/Organis ationAssurancePolicy.html fact 2: is there any definition how to handle O-Admin resigns? in OAP or in a handbook? is there any definition how to handle Org terminations? The latter is linked by: OAP 4.1 d the organisation has agreed to the terms of the CAcert Community Agreement , and is therefore subject to Arbitration. CCA 3.3 Termination You may terminate this agreement by resigning from CAcert. You may do this at any time by writing to CAcert's online support forum and filing dispute to resign. the first is still in question. Its not handled by OAP. It may be handled under a handbook, but none that I'm aware off. fact 3: Role of O-Admin and the requirement for an Organisation to have one appointed is defined under: OAP 2.4 Organisation Administrator b. Organisation is required to appoint O-Admin, and appoint ones as required. So here I now start with interpretations, based on the discussion with Mario back in May 2011 (see below attachment): Once the last O-Admin gets removed from the list of O-Admins for an Organisation, the Organisations state becomes orphaned as the Organisation no longer fulfills the OAP 2.4 b requirement. Let me turn around this question: What do you do in a new OA request, if an organisation has no O-Admin listed on the COAP form? (this question goes to the OrgAssurers in the CC party) ? Rejecting the OA request? returning the COAP form? until one O-Admin is found? Ok, assuming, your answer goes this direction, the outcome is clear: An Org has to have at least one O-Admin, otherwise an Org can no longer run under CAcert's OA program before the O-Admin requirement is fulfilled again. The next question, that araises out of this intermediate result is: Is it allowed for an Organisation to enter the "orphaned" state and stay for a while ? To be able to answer this question, its required to get some more ideas about the impact an orphaned state has for an organisation. This is mainly based on issueing certificates. The 2 critical topics in the Assurance area are: a) active certificates b) doing assurances In the OA area, b) doesn't apply, so there is only a) left we have to discover: An O-Admin creates certificates on behalf for the whole organisation. He handles the list of active certificates, to revoke certificates, to issue new ones. The question that araises out of here is: Is someone other able to handle the certificates, that the old, resigned O-admin has been issued? Ok, last night I've started some software testing under cacert1.it-sls.de and played around with O-admin's, OA's and Support-Engineers and OA's + SE's accounts based on the proposed ................................................................ Deleting an account: * SE highjacks organisation account by adding himself as admin. * Notes lates expiration date of certificates. * Revokes all certificates * Deletes the organisation (anonymisation for organisations not necessary imho), leaves a-number in comment field before. * Reports latest expiration date and deletion to Arbitrator. * Arbitrator sets CCA termination date to the date reported by SE. Case closed. ................................................................ procedure, proposed by Mario back in May 2011 The question that I've started was, can an SE handle OA accounts? With the tests made, I come to the following conclusion: * Problem 1: SE with admin flag set only, has no access to Org area (!) to remove Org-Admin from an organisation and/or delete an organisation * Problem 2: SE with admin flag set only, has no access to Org certs area (!) to revoke Org certs * with bug #794 patch, an overview is possible to an individual members account, if there is an org cert related to an individual member account and their last expire dates, but SE cannot act anything. * Problem 3: also a Support-Engineer who is also OA cannot access the list of Org client certs and Org server certs, so these certs cannot be revoked. The only delete Certs routine that is implemented in the system is, a. to delete an users account asssociated with such an org -or- b. to remove an Org by an OA -or- c. to remove a domain associated with an Organisation by an OA So any request regarding OA tasks needs to be transfered to the OA area. But also this is limited (eg actions regarding certs). Ok, back to my original question: "Is someone other able to handle the certificates, that the old, resigned O-admin has been issued?" The answer is => NO !!! Ok, thinking off an certs issue. Someone files an dispute and a certificate needs to be revoked. Who can revoke the cert of an Organisation account, where an O-Admin is no longer available? No one ! The only workaround is by an OA, to remove the domain from the Org's domains list or to remove the Org entirely. The latter goes the CCA termination direction. One more thought is about, an Org with no remaining certs. Then the risk for CAcert is minimized, nearly zero, because the "critical" topic is the "active" certs issue. With no remaining "active" certs, the risk is minimized and can be probably ignored. Under this, and only this exception, an Org can stay "orphaned" for a while. Ok, what does this mean for the remove last O-Admin from an Org account task? An OA has to check, that there is no remaining "active" cert issued under an Org account. If there are remaining certs, the removal request cannot be processed. Here, an OA has to interact with an SE, who can view if there are Org certs active/expired under an O-Admins account. If the count is > 0 the result needs to be communicated to the OA, who requests the revocation of all org certs from the last O-Admin (verification request to SE). There might be one problem here, if an O-Admin has more then one Organisation under his member account linked. So one Organisation's certs to revoke still leaves the other Organisations unhandled. The SE admin console view lists _all_ certs of _all_ Organisations. So there is no one who can confirm, that the O-Admin revoked all certs of a specified Organisation. If there are active certs revoked in this process, the 3 months "hold" rule we've added for common delete my account procedures, probably applies here also. Before an O-Admin can be removed from the O-Admin list of an Org, the 3 months hold delay has to pass. Assuming, that an orphaned Org will become active again in a year or two by adding a new O-Admin, the Org account can be kept open under above exceptions given. As there are many interactions, in handling such a case, one needs to pickup the task to take control over the overall process. So also, the company contact should be informed by an OA, that the company is running in a potential "orphaned" state, and the company is required to appoint a new O-Admin. if the company will continue staying as a CAcert member. Otherwise a dispute filing has to be initiated, that the company no longer wants to stay under the CAcerts OA program (-> CCA termination). This all needs to be controled and directed by an OA. So the OA can be seen as a mentor in this process. An O-Admin doesn't has the knowledge about all the facts and requirements behind the scene.
- one topic not covered realy: removal of one domain by OA to revoke certs (authorisation? modification of the Orgs account data)
Ruling
Execution
Similiar Cases
and please add one of the following Topics, delete the rest