- Case Number: a20120121.1
- Status: execute
- Claimants: Bas vD
- Respondents: CAcert, CAcert Inc president
Initial Case Manager: UlrichSchroeter
Case Manager: BernhardFröhlich
Arbitrator: UlrichSchroeter
- Date of arbitration start: 2012-01-22
- Date of ruling: 2012-05-02
- Case closed: 201Y-MM-DD
Complaint: I. Please remove <domain> from my Organisational Domains
- II. request to CAcert Inc president to take action so this case is solved ASAP
- Relief: I. Org Termination? Removal of Domains from Org-Admin account, last Org-Admin in Org
- II. ?
Before: Arbitrator UlrichSchroeter (A), Respondent: CAcert (R1) CAcert Inc president (R2), Claimant: Bas vD (C), Case: a20120121.1
History Log
2012-01-21 (issue.c.o) case s20120121.55
- 2012-01-21 (iCM): added to wiki, redefine of dispute and relief, request for CM / A
- 2012-01-21 (A): I'll take care about this case as (A) if no one objects
- 2012-01-22 (A): sent initmailing to (C), (R2) with request of CCA/DRP acceptance under this arbitration
- 2012-01-22 (C): accepts CCA/DRP
- 2012-01-22 (C): outlines his viewpoint
- 2012-01-24 (CM): I'll take care about this case as (CM)
- 2012-01-25 (R2): accepts CCA/DRP under this arbitration
2012-01-25 (A): intermediate ruling #1, sent to (C), (R2), (CM)
- 2012-01-25 (A): request to (Support), ticket documentation 2011-09-13 14:14, certs overview from account (C) (Question 1.a)
- 2012-01-25 (A): 4 questions + statement request to (OAO), 4 questions + statement request to (Support t/l), (Question 1.b)
2012-01-25 (A): OAP findings regarding "current" revision, confirmation request to (OAO) and Ian G
2012-01-25 (A): request to (OAO) for detail infos about an Org related to this dispute
- 2012-01-25 (A): request of Org infos from (C), other Orgs linked?, counts of Org client certs, counts of Org server certs (active, expired, revoked) for Org in question {g}
- 2012-01-25 (A): hijacking an Org account, revoke Org client and server certs questions to (OAO) {0}
- 2012-01-25 (Support t/l): answering the 4 questions + gives a statement (in reply to Questions 1.b)
2012-01-25 (C): asks for action to do, 20 Org client certs revoked - latest expire date: 2010-09-05, 43 Org server certs - revoked - latest expire date: 2011-12-12 (in reply to )
- 2012-01-25 (C): 2nd part of answer (in reply to: {g} )
2012-01-25 (Iang): confirms that OAP in SVN is the "current" DRAFT document (in reply to )
- 2012-01-25 (A): question for clarification to 1.a answer by (C) (in reply to {g} )
- 2012-01-25 (C): answer to clarification question, only Org-Admin to Org in question (in reply to {g} )
- 2012-01-25 (A): requesting further contact infos regarding org from (C) {b}
- 2012-01-25 (C): response to contact info request (in reply to {b} )
- 2012-01-25 (A): requesting infos about Org Assurance process back in around 2006 to (C) {b}
- 2012-01-25 (C): Org Assurance info sent to an Australian fax number {b}
- 2012-01-25 (A): who requested the COAP infos or who instructed to do so? request to (C) {b}
- 2012-01-25 (C): reply to previous question {b}
- 2012-01-25 (A): clarification regarding requestor of COAP process to (C) {b}
- 2012-01-25 (C): no further infos available {b}
- 2012-01-25 (A): request of COAP form scan from Public Officer of 2006 sent to (DG) {w}
2012-01-25 (A): requesting COAP form info from (SE) or (OA) received around 2006-04-11 by (GR)
2012-01-25 (OAO): response in reply to
- 2012-01-25 (DG): response to request in reply to {w} , no fax, no scan
2012-01-26 (GR): response to request in reply to , info probably in support inbox of 2006
2012-01-29 (A): intermediate ruling #2, sent to (C), (R2), (OAO), (CM)
- 2012-01-29 (A): request to ex support crew to recover an email from support inbox Apr 2006 {r}
- 2012-01-29 (SE): response to recover email request: inbox goes back only to 2009, some other go back to 2008 or 2007. But there is no mail available from 2006 or earlier {r}
- 2012-01-29 (Prev. SE t/l): response to recover email request: recoverable emails 2007-2009, some more infos about early OA processes {r}
2012-04-12 (C): reminder: The org acount is still not removed
2012-04-18 (A): intermediate ruling #3, sent to (C), (R2), (OAO), (Org-Assurers), (CM)
2012-04-18 (A): Exec request following intermediate ruling #3 to (OAO), (Org-Assurers) with exec report request
- 2012-04-18 (A): sending information to (Organisation contact) that Org now enters "orphaned" state with request to keep the Org account open or start the delete Org account procedure with deadline set to 2012-05-02 {0}
2012-04-18 (OA): [s20120418.194] exec report, (C) removed as Org-Admin from domain in question
- 2012-04-19 (A): reminder to (OAO), (Ian), (Board) (in role as Policy Officer), with question, what prevents update of OAP in www.cacert.org/Policy directory with the current revision?
2012-04-30 (Ian): started some rework on OAP in policy group
- 2012-05-02 (Org-Contact): reply to mail from 2012-04-18, with request: add a new Org-Admin {0}
- 2012-05-02 (A): forward of Org change request by (Org-Contact) to (Organisation-Assurance), sent to (Support), (OAO)
Original Dispute, Discovery (Private Part)
Link to Arbitration case a20120121.1 (Private Part)
EOT Private Part
Discovery
Link to named respondent 2 (R2): CAcert Inc - Committee current
Preliminaries
- The Arbitrator reviews the available documentation (DRP 2.2.1)
- This case relates to the OA area
- related policies that may apply
- Organisation Assurance Manual:
- based on OAP: undefined
Further OA references in the wiki: Organisation Assurance section in the wiki
- Organisation Assurance Manual:
based on Organisation Assurance section in the wiki: OrganisationAssurance/Manual
- Addtl. Organisation Assurance Procedures: undefined
- What is the correct current OAP?
- by reviewing the headers of the OAP listed under www.cacert.org, I'm in doubt this is the correct revision:
by default it should be: http://www.cacert.org/policy/OrganisationAssurancePolicy.php
OAP Jens POLICY m20070918.x $Date: 2008-01-18 22:56:31 $ COD11
Another revision is located in the SVN OAP in SVN
CAcert Draft Document: OAP COD11 Author: Jens Paul Creation date: 2007-09-18 Status: POLICY/DRAFT 2007-09-18 m20070918.x Changed: 2008-04-01 Teus Hagen policy list vote; add advisors and board Next status: POLICY 2008
- Board decisions 2008 - 2009 regarding OA area
Decisions from Nov 2008 to July 2009 summarizes all decisions voted upon by the board by email from the AGM in 2008 until the SGM in July 2009.
Decisions 2008 summarizes all decisions voted upon by the board in 2008.
p20090218.1 Add Danish SVR trade office registrar to the OA sub-policy Europe table of accepted trade office registrars - Carried
p20090210.1 Add Belgian KBO trade office registrar to the OA sub-policy Europe table of accepted trade office registrars - Carried
p20080920 Organisation Assurance sub-policy for Europe voted to DRAFT - Carried
p20080429.1 Organisation Assurance Sub-Policy for Ireland - Carried
p20080402.1 Organisation Assurance Sub-Policy for Australia - Carried
p20080401.1 Policy on Organisation Assurance - Carried
p20080308.1 Organisation Assurance sub-policy for Austria - Carried
p20080128.1 Assurers are individuals not organisations - Carried
for clarification: 1. Assurers are individuals, not organisations. 2. Organisation Assurers are individuals, too. 3. Organisation Assurance does not rely on web-of-trust, but instead relies on quality processes. In the above, _individuals_ is synonymous with _natural persons_ and _organisations_ is synonymous with _legal persons_ being organisations that are legally separated from people
p20080109.1 CCA to POLICY status - Carried
- p20071207.1 Organisation Assurance sub-policy for the Netherlands - called. Decided on policy email list by consensus, no votes seen.
p20071022 Organisation Assurance sub-policy for Germany - Carried
- policy decision taken by other means
p20070918.1 Policy on Organisation Assurance - TOP Pirmasens: m20070918.x
- Despite the fact OAP in SVN has a header note
WARNING: The proper policy document is located on the CAcert website . This document is a working draft to include future revisions only, and is currently only relevant for the [policy] group.
- This revision is more appropriate regarding the date stated in the header than the one listed under www.cacert.org/policy
- OAP in SVN revisions
- 566 first revision in SVN
- 567 2008-01-28 - moving these all into Policies so that they can be managed from one central place
- 582 2008-02-19 - modified: future change, proper name for CCA is CAcert Community Agreement
- 731 2008-04-01 - Trees are now one version. Join of the document version tree.
- 733 2008-04-02 - Changed info on status to POLICY/DRAFT due to unclearness in decision. So it is DRAFT now.
- 735 2008-04-02 - Some minor changes for layout, spelling and definitions.
- so "p20080401.1 Policy on Organisation Assurance" matches SVN revision #735
- this revision is the "official" current revision, that was voted last in Policy Group
- clarification regarding "current" revision from Policy Group mailing list
- The Arbitrator reviews the Respondents and Claimants with a view to dismissal or joining of additional parties. (DRP 2.2.3)
- (C), (R1) is NOD
- named (R2) is on discussion:
- is (R2) named correctly and is a party in this dispute filing?
The OA is appointed by the Board. Where the OA is failing the Board decides.
- so this is subject to interpretation, based on the history given under the dispute filing and given by (C)'s viewpoint outlined
Question 1: Is (R2) the correct named respondent for this case?
- Facts given:
Policy: OAP (current, in SVN) 2.1
- Board outsources tasks since at least 2009 back to the community as much as possible. The management of teams is referenced to teams and their respective teamleaders
- teamleader for the OA area is Marcus Maengel since May 2011
Marcus Mängel for OAO That the board accept Marcus as OAO
- The dispute story started: 13 september 2011
- The question that arises while reading the dispute filing:
- has the OAO been contacted regarding this case or brought to notice to the OAO?
- The original ticket was received by Support. Why was this ticket not moved into the OA queue, and why does it still sit in the Support queue?
There are many email recipients on the communications list, but none of them has to do with the OA area
Question 1.a:
- To Support:
- full ticket documentation regarding this case
Question 1.b:
- To OAO:
- Was OAO contacted regarding this case?
Question 2: Is there a procedure defined, that gives instructions how to handle O-Admin resigns from an Org Account? or How to terminate an Org account?
Proposed Delete Org Account procedure by an OA dated 2011-05-01 under similar case a20110407.1
Deleting an account:
- SE hijacks organisation account by adding himself as admin.
- Notes latest expiration date of certificates.
- Revokes all certificates
- Deletes the organisation (anonymisation for organisations not necessary imho), leaves a-number in comment field before.
- Reports latest expiration date and deletion to Arbitrator.
- Arbitrator sets CCA termination date to the date reported by SE. Case closed.
Problem 1: SE with admin flag set only, has no access to Org area to remove Org-Admin from an organisation and/or delete an organisation
Problem 2: SE with admin flag set only, has no access to Org certs area to revoke Org certs
with bug #794 patch, an overview is possible to an individual members account, if there is an org cert related to an individual member account and their last expire dates
- Problem 3: also a Support-Engineer who is also OA cannot access the list of Org client certs and Org server certs, so these certs cannot be revoked. The only delete Certs routine that is implemented in the system is to delete a user's account associated with such an org, or to remove an Org by an OA, or to remove a domain associated with an Organisation by an OA
Deliberations
2012-01-22 (A): discovery and assumptions, investigations and interpretations, deliberations and conclusions to (OA)'s proposal dated 2011-05-01 to (OA), (OAO) (also applies to a20120121.1)
fact 1: ok, first question, I've discovered under a20110407.1, that also applies to a20120121.1, is: which policy is current? I've stumbled over several revisions and started investigations. The result is listed under https://wiki.cacert.org/Arbitrations/a20110407.1 and under Preliminaries 1.2 above. I came to the conclusion after checking the PolicyDecisions page, checking the Policy Mailing list archives that current OAP is https://svn.cacert.org/CAcert/Policies/OrganisationAssurancePolicy/OrganisationAssurancePolicy.html

fact 2: is there any definition how to handle O-Admin resigns? in OAP or in a handbook? is there any definition how to handle Org terminations? The latter is linked by:
- OAP 4.1 d: the organisation has agreed to the terms of the CAcert Community Agreement, and is therefore subject to Arbitration.
- CCA 3.3 Termination: You may terminate this agreement by resigning from CAcert. You may do this at any time by writing to CAcert's online support forum and filing dispute to resign.

the first is still in question. It's not handled by OAP. It may be handled under a handbook, but none that I'm aware of. There still exists an Organisation Assurance Manual that has no link from OAP (neither the one under www.cacert.org/policy, nor the one in the svn).

OrganisationAssurance/Manual (https://wiki.cacert.org/Brain/EducationTraining/OrganisationAssurance/Manual#Introduction:_Why_Assure_Organisations), What happens if the administrator leaves?
- When an administrator leaves the certificates he has created remain valid. Usually the problem is noticed when the certificates expires, which may happen up to two year later, when the ex-administrator is well out of reach for the company.
- Since the admin has added the company domain to his personal account, the domain has to be disputed if the old administrator is not reachable or not willing to surrender it voluntarily.
- So the new administrator has to take on the tedious process of issuing new certificates, using his personal account once again.

This gives no answer to our question. The section assumes another Org-Admin is available. Our case has to handle the situation when the last Org-Admin leaves the company.

fact 3: Role of O-Admin and the requirement for an Organisation to have one appointed is defined under: OAP 2.4 Organisation Administrator b. Organisation is required to appoint O-Admin, and appoint ones as required.

So here I now start with interpretations, based on the discussion with Mario back in May 2011: Once the last O-Admin gets removed from the list of O-Admins for an Organisation, the Organisation's state becomes orphaned as the Organisation no longer fulfills the OAP 2.4 b requirement.

Let me turn around this question: What do you do in a new OA request, if an organisation has no O-Admin listed on the COAP form? (this question goes to the OrgAssurers in the CC party) Rejecting the OA request? Returning the COAP form until one O-Admin is found? Ok, assuming your answer goes this direction, the outcome is clear: An Org has to have at least one O-Admin, otherwise an Org can no longer run under CAcert's OA program before the O-Admin requirement is fulfilled again.

The next question that arises out of this intermediate result is: Is it allowed for an Organisation to enter the "orphaned" state and stay for a while? To be able to answer this question, it's required to get some more ideas about the impact an orphaned state has for an organisation. This is mainly based on issuing certificates. The 2 critical topics in the Assurance area are:
- a) active certificates
- b) doing assurances

In the OA area, b) doesn't apply, so there is only a) left we have to discover: An O-Admin creates certificates on behalf of the whole organisation. He handles the list of active certificates, to revoke certificates, to issue new ones.

The question that arises out of here is: Is someone other able to handle the certificates, that the old, resigned O-admin has been issued? Ok, last night I've started some software testing under cacert1.it-sls.de and played around with O-admin's, OA's and Support-Engineers and OA's + SE's accounts based on the proposed

Deleting an account:
- SE hijacks organisation account by adding himself as admin.
- Notes latest expiration date of certificates.
- Revokes all certificates
- Deletes the organisation (anonymisation for organisations not necessary imho), leaves a-number in comment field before.
- Reports latest expiration date and deletion to Arbitrator.
- Arbitrator sets CCA termination date to the date reported by SE. Case closed.

procedure, proposed by Mario back in May 2011.

The question that I've started was, can an SE handle OA accounts? With the tests made, I come to the following conclusion:
- Problem 1: SE with admin flag set only, has no access to Org area (!) to remove Org-Admin from an organisation and/or delete an organisation
- Problem 2: SE with admin flag set only, has no access to Org certs area (!) to revoke Org certs
- with bug #794 patch, an overview is possible to an individual members account, if there is an org cert related to an individual member account and their last expire dates, but SE cannot act anything.
- Problem 3: also a Support-Engineer who is also OA cannot access the list of Org client certs and Org server certs, so these certs cannot be revoked. The only delete Certs routine that is implemented in the system is, a. to delete a user's account associated with such an org -or- b. to remove an Org by an OA -or- c. to remove a domain associated with an Organisation by an OA

So any request regarding OA tasks needs to be transferred to the OA area. But also this is limited (eg actions regarding certs).

Ok, back to my original question: "Is someone other able to handle the certificates, that the old, resigned O-admin has been issued?" The answer is => NO !!!

Ok, thinking of a certs issue. Someone files a dispute and a certificate needs to be revoked. Who can revoke the cert of an Organisation account, where an O-Admin is no longer available? No one is able to do so! The only workaround is by an OA, to remove the domain from the Org's domains list -or- to remove the Org entirely. The latter goes the CCA termination direction.

One more thought is about an Org with no remaining certs. Then the risk for CAcert is minimized, nearly zero, because the "critical" topic is the "active" certs issue. With no remaining "active" certs, the risk is minimized and can be probably ignored. Under this, and only this exception, an Org can stay "orphaned" for a while.

Ok, what does this mean for the remove last O-Admin from an Org account task? An OA has to check that there is no remaining "active" cert issued under an Org account. If there are remaining certs, the removal request cannot be processed. Here, an OA has to interact with an SE, who can view if there are Org certs active/expired under an O-Admin's account. If the count is > 0 the result needs to be communicated to the OA, who requests the revocation of all org certs from the last O-Admin (verification request to SE).

There might be one problem here, if an O-Admin has more than one Organisation linked under his member account. So one Organisation's certs to revoke still leaves the other Organisations unhandled. The SE admin console view lists _all_ certs of _all_ Organisations. So there is no one who can confirm that the O-Admin revoked all certs of a specified Organisation.

If there are active certs revoked in this process, the 3 months "hold" rule we've added for common delete my account procedures probably applies here also. Before an O-Admin can be removed from the O-Admin list of an Org, the 3 months hold delay has to pass.

Assuming that an orphaned Org will become active again in a year or two by adding a new O-Admin, the Org account can be kept open under above exceptions given.

As there are many interactions in handling such a case, one needs to pick up the task to take control over the overall process. So also, the company contact should be informed by an OA that the company is running in a potential "orphaned" state, and the company is required to appoint a new O-Admin if the company will continue staying as a CAcert member. Otherwise a dispute filing has to be initiated, that the company no longer wants to stay under CAcert's OA program (-> CCA termination). This all needs to be controlled and directed by an OA. So the OA can be seen as a mentor in this process. An O-Admin doesn't have the knowledge about all the facts and requirements behind the scene.
- one topic not covered currently: removal of one domain by OA to revoke certs (authorisation given? by whom? modification of the Orgs account data that requires later re-add of the domain to the org account if the org continues to be a member)
Intermediate Ruling #1
From the investigations made, also under the similar case a20110407.1 and the presented reliefs, I hereby come to the following intermediate ruling:
relief 1. All certificates are to be revoked from the org account.
From the facts given, that no one other than the Org-Admin himself can revoke certificates under an Organisation, this task has to be delayed until all the facts are discovered and presented to this case and a final execution order can be given.
relief 2. Org account must be removed from my account ASAP
The discovery process disclosed a wider impact, that nobody had foreseen yet, in removing the last Org-Admin from an Org account. The Org-Admin is the only person who can execute the steps that are required under an Org termination process (!). If not all the facts and actions are taken, I cannot give an order to remove the last Org-Admin from an organisation.
There still exists no procedure to terminate an Organisation's account nor to remove the last Org-Admin from an Organisation account. The only reference is given by CCA that termination of membership has to be filed as dispute.
relief 3. Support gets informed that they were neglecting their duty in this case, for letting it lay down for more than 5 months.
Support is the wrong area to handle Org-Admin removals. The only task that Triage members have is to move Organisation Assurance related tickets into the OA queue. From the conversations given in the dispute filing and in the addtl. PoV statement, all or most participants could not handle this case because no procedure was available for the given request.
I cannot give a quick ruling before I have discovered all facts that relate to the organisation and the appropriate recipients.
Your removal request is identified. A related potential termination request for the organisation started. The potential acting parties are identified.
- revocation of certificates by the last Org-Admin if Org still wants to continue as a member
- initial start sequence takes about 2 weeks
the removal process for an Org-Admin is 3 months in duration if certs are still active
- removal of Org-Admin is to handle by an Org-Assurer
- termination of an Org to be ruled by an Arbitrator
- removal of Org is to handle by an Org-Assurer
Arbitration is the fallback option if procedures or policies leave an undefined state for an issue. Your Org-Admin removal request is such a case. So I must also request your patience until all the preliminary steps have been passed, which allows me to start with execution orders in this case.
Frankfurt/Main, 2012-01-25
Discovery II
- 20 Org client certs
- state: all revoked
- oldest expire date: 2007-04-12
- latest expire date: 2010-09-05
- 43 Org server certs
- state: all revoked
- oldest expire date: 2008-06-18
- latest expire date: 2011-12-12
- Org creation date (calculated based on certs expire dates)
- oldest certs expire date: 2007-04-12
- calculated org creation date: before 2006-04-13
Org Assurers Netherlands (from Organisation Assurers List)
Netherlands
Nederland: <theus AT SPAMFREEFOREVER theunis DOT org>, <maurice AT SPAMFREEFOREVER cacert DOT org>
CCA History aka Registered User Agreement (RUA)
p20080109.1 CCA to POLICY status
DRAFT: m20070918.4 at "Top" meeting 2007 September 17-21 - Day 2 - Policies
- Calculated from the cert tables infos, the Org account was created around or before 2006-04-13. Looking for Organisation Assurers for the Netherlands from before 2007, I stumble over the OA listing, that references Teus and Maurice, to be nominated as OA at m20071218.3 and m20081027.1
At the time the Org Assurance was made, probably OAP and CCA were in state WIP. While issuing certs after mid of 2009, you have had to agree to the CAcert Community Agreement. So at least by the last expire date of a cert -> that is 2011-12-12 minus 1 year -> this is 2010-12-13, the acceptance of the CCA is fulfilled regarding this Organisation account. So CCA applies to this case including all procedures that apply in a termination process.
- I note, that probably the Org Assurance was made in the bootstrapping period of OA where Teus and Guillaume (maybe in role as SE by the time) and probably others worked on this project.
- Probably: Org Assurance process back in April 2006
- download of pre? COAP form
- sent to fax number given (Australian fax number), probably the Public Officer by the time?
- a fax number was not in service by (DG), was it (RC)?
- forwarded to Support (probably)
- request should have been received around 2006-04-11, is there an archive of support inbox avail?
- added by golf_romero 2006-04-11 into the system
- Public Officer for around Apr 2006
from the historical records: Committee from AGM 2005-07-03 to SGM 2007-05-25
President and Public-Officer
Duane Groth
AU
Resignation 2007-03-26
Intermediate Ruling #2
The Delete my Account Arbitration cases procedures, that Arbitration has deployed over the last 2 years, list 2 topics as critical:
- a. Assurances given
- b. Certificates issued
In an OA case, assurances given isn't handled like in the individual assurance process, so there are no CAP forms to recover. So only b. applies to this case.
Issued certificates risk is, that something may go wrong with one issued certificate. With the unique serial number of a cert, the link to an account is given. Once the party agreed to Arbitration, arbitration is our weapon to catch such an issue. Arbitration takes this topic seriously and defines a 3 months hold time if the last certificate expires or had been revoked. This delay is a saving time, to await if a late dispute will be filed regarding one certificate that is subject to the delete my account case.
In Discovery II, there are Org client certs and Org server certs identified to be either active, expired or revoked. The latest expire date counts for the CCA termination date not to be before the calculated date. See also CCA termination date calculation
- Org client certs
- latest expire date: 2010-09-05
- Org server certs
- latest expire date: 2011-12-12
- highest expire date: 2011-12-12
- CCA termination not before highest expire date 2011-12-12 + 3 months, that is: 2012-03-11
A CCA termination date for a Org-Admin removal and also for a Organisation removal relates to the same date in this case as certificates were involved and arbitration has to take into account this issue with the hold delay time of 3 months after the last certificate expired.
The question that is still open is whether the Organisation still keeps the member account and only the last Org-Admin link gets removed, or whether it is also an Organisation account removal request. One sidenote was given by (Lambert) in one of the pre-arbitration case email communications "It also includes removing the org as a member since there is no one available". The original request "I no longer work at (org) can you remove the org account of (org) from my account. (org) has no assuers that can take over." doesn't imply an Organisation account removal. CAcert membership can be seen as a lifetime membership. This doesn't directly relate to or mean that every service needs to be used all the time by the members. So there might be breaks possible where an account enters a hold state to become reactivated one or two years later, if the services need to be used again. So this might also relate to the running case. Because (C) requests the Org-Admin removal from his account, this doesn't disqualify the Organisation from continuing their membership, and until a new Org-Admin is found the Organisation account enters the "orphaned" state and cannot use any Organisation account related services. But this doesn't mean someone cannot be a member.
The question that needs to be answered in the next discovery step is, if the Organisation wants to continue their membership or if the Organisation wants their account deleted. Here I will follow the Delete my Account Arbitration cases procedures to continue with this case. An Organisation contact is listed in the Organisation account who needs to be contacted in this issue.
The Org-Admin removal request cannot be fulfilled before the CCA termination date calculated, that is: 2012-03-11, because the Org-Admin removal process probably also removes all links of the old certs to the Organisation account. As long as there is no documentation over Organisation accounts, certs issued, their related Org-Admin links and what happens if the last Org-Admin gets removed, and as long as there is no procedural documentation regarding Org-Admin removal requests, the safe processing with a hold delay time is the only process path we may rely on, so that no links become broken to the Organisation account before the hold delay time expires.
Org-Admin removals can only be processed by Org-Assurers. Processing of Org-Admins from Organisation accounts is prevented by system restrictions. So therefore Org-Admin removal requests have to be processed by Organisation Assurers.
A CCA termination and removal of the Organisation account needs to be confirmed first by further discovery and investigations.
An Org-Assurer should remove the Org-Admin link of (C) after 2012-03-11, but not before this date.
One more question I've tried to discover is/was the Organisation's account state: as the Org account was created before around 2008, when the OAP comes into effect, the question arises if the handling of this organisation is out of the range of the OAP scope. But, as there were also Org certs issued after February 2009, where CCA comes into effect, the boundary of CCA and OAP also affects the active old organisations. Using services w/o CAcert Community Agreement is impossible at least since mid of 2009, so therefore the Organisation entered the CCA agreed state at least by the latest issued certs and the full Delete my Account Arbitration cases procedures apply to this case.
In the "current" OAP question I've received a confirmation by Ian who monitors the Policy repository and keeps track on the old and WIP policies. The found discrepancy between the OAP revisions in the policy repository and in the SVN shall be solved. The SVN OAP html revision shall be updated with an uptodate header and shall replace the OAP (php) revision on policy repository on main website to be processed by the critical team or the Software-Assessors sending an update to the critical team. All links and references to http://www.cacert.org/policy/OrganisationAssurancePolicy.php shall be updated with the replaced revision link: http://www.cacert.org/policy/OrganisationAssurancePolicy.html. Current policy listing script can handle both extensions. OAO shall correct the wiki documentations regarding "current OAP" and OAP links in OAP subpolicies in the SVN.
Frankfurt/Main, 2012-01-29
Discovery III
- 2012-04-18 (A): no verification chain path is available about the original Org Assurance except the record in the database. All questions fizzled out by some uncertain responses or no infos available or inconsistent responses.
Intermediate Ruling #3
- By following intermediate ruling #2 dated 2012-01-29, the set deadline passed, that defined Org-Admin can be removed from the Organisation account in question.
- As found in the discovery process, only an OrgAssurer can handle the exec defined under intermediate ruling #2 (removal of Org-Admin). I hereby order the Org-Assurance team that the Org-Admin of (C) on the Org account in question shall be removed and responded with an exec report.
- The Org Account owner shall be contacted and informed (to be handled by (CM)/(A)) that the Organisation Account enters the "orphaned" state, with the request to give a statement
  - that the Org account should be kept in "orphaned" state until another OrgAdmin has been found and added to the Org account -or-
  - that the Org account should be deleted.
- The request is to set with a deadline of 14 days until 2012-05-02. After this time without a response from the contact email the Org account shall be deleted by a further ruling with further details.
Frankfurt/Main, 2012-04-18
Ruling
- Claimants request to remove him as Org-Admin from the Org-Account in question, despite the fact he was the last Org-Admin under this Organisation, has been passed under Intermediate Ruling #2 with some requirements given.
- Org-Contact requests to keep the Organisation-account open and sends a change request for adding a new Org-Admin. This request to be handled by Organisation-Assurance area.
- I hereby order OAO to document the "Remove last Org-Admin from an Org Account" procedure as outlined under this arbitration with reference to this arbitration case as precedent including the obligation to contact the Org-Contact with the question to keep the Org-Account in the "orphaned" state for later re-use or to "terminate" the Org-Account. The latter to reference to Arbitration. To reactivate an "orphaned" state Org-account, the Org-Contact has to name at least one other Org-Admin to become OAP compliant.
- OA is allowed to request the revocation of all remaining certificates from the last Org-Admin under an Organisation to fulfill the requirements that are needed that a last Org-Admin can leave the Organisation. OA is further allowed to send a request to (Support) asking the current state of Org Client and Org Server certs for the Org-Admin in question to continue with the Org-Admin removal from the Org-Account. OA's obligation is to take care about the 3 months hold time when the last certs revoked and expired before the requesting member can be removed from an Org-account.
- OA's obligation is to start asap a request to the Org-Contact either if the Org-Account should continue in "orphaned" state, or to name a new Org-Admin or if the Org-account shall be terminated. Depending on the Org-Contact's response OA shall proceed with the OA related change requests or shall forward a termination request to Arbitration.
- OAO's obligation is to keep track of further similar cases that require a managed proceeding. OAO is allowed to delegate such tasks to another OA, but his obligation to keep track of the process still remains under OAO role.
- (Support) shall document under their Handbook that all Organisation-Assurance related requests from Organisation Contacts, Organisation-Admins regarding an Organisation shall be moved to the OA queue to be picked up by an OA. If further action is needed by a Support-Engineer, OA has to send the request to (Support). The reason to proceed this way is the limitation of the admin-console that gives only access to Individual member accounts and prevents Support for Organisation related tickets. The only exception is the count of Org related certs issued under a member account that can be read by (Support) under an individual members account.
- The original "last Org-Admin removal from Organisation account" request was sent to (Support). By the time there still exists no procedure how to handle such requests. Not under (Support), nor under the (Organisation-Assurance) area. So this ticket still remains open month by month. The default behavior in all undefined cases is to move it to Arbitration as Arbitration is our weapon within CAcert for all unforeseen cases. Once this case was forwarded to Arbitration it has been picked up and a procedure has been deployed that such a request can be responded. So the only question that still remains is: why this ticket has not been moved to Arbitration earlier? Here the simple answer is, that (SE)s weren't aware that they couldn't handle this case within their (Support) area. Moving the ticket to (OA) area was no option either. And the request to CAcert Inc. president doesn't solve this problem, as the blockage reason was an undefined procedure that cannot be handled by either of the involved parties. The only 2 targeted areas that can handle such a blockage are Policy Group or Arbitration. Policy Group is a long term procedure and the question here is, if Policy Group is the correct intended recipient for such a case. As the original request is a procedural issue, the correct intended recipient is Org-Assurance area to start a deployment of a new procedure to be backed up by Arbitration, or Arbitration.
- All before-Arbitration involved parties aren't the intended recipients of the original request, so who should get liable? The member, who didn't send the request directly as a dispute? Support, who didn't move the ticket to Arbitration? Org-Assurance, who didn't get aware of the open ticket in the (SE) queue? (OAO) who is also (SE) for not-moving the ticket to the (OA) queue? In role as (OAO) this ticket was his intended area related topic, but caused by not yet defined procedures, this ticket could not be handled under (Support) nor by (Org-Assurance) nor by CAcert Inc's president without further support by (Org-Assurance), so this was more a brain blockage, than a procedural blockage. Also Arbitration takes this case so long as this running case did undergo a deployment process.
- I admit a learning curve to all participants in the pre-arbitration process, that no one picked up the case as required for such a case to move the case to arbitration. So therefore I surrender for punishment and order an advice to (Support) and (OA) how to handle such tickets with a similar topic.
- This case shall be set as precedent for similar cases to be handled by (Support): moving similar cases to OA queue, and to be handled by an Org-Assurer.
Frankfurt/Main, 2012-05-02
Execution
- 2012-05-02 (A): sending ruling and exec request to: (C), (Org-Contact), (R2), (Support t/l), (OAO), (CM)
2012-05-04 (OAO): documentation Org-Assurance handbook: Delete Org-Admin, delete Organisation requests started
Similar Cases