- Case Number: a20120305.1
- Status: closed
- Claimants: Роман Г
- Respondents: CAcert, Alexandr R, Werner D (SE)
- Case Manager: MartinGummi
- Arbitrator: UlrichSchroeter
- Date of arbitration start: 2012-03-07
- Date of ruling: 2013-03-16
- Case closed: 2013-03-17
- Complaint: Password Reset, Domain Dispute, Paypal Dispute
- Relief: TBD
Before: Arbitrator UlrichSchroeter (A), Respondent: CAcert (R1) Alexandr R (R2) Werner D (R3), Claimant: Роман Г (C), Case: a20120305.1
History Log
2012-03-05 (issue.c.o) case s20120305.12
- 2012-03-07 (CM): added to wiki
- 2012-03-07 (A): I'll take care about this case as (A)
- 2012-03-07 (CM): I'll take care about this case as (CM)
- 2012-03-07 (A): Request to Support about tld and account match (primary email of account in question), requesting party is not the account owner, or owner who initially created the account
- 2012-03-07 (Support): response with infos about affected member account with members name and primary email [s20120307.3]
- 2012-03-07 (A): sending initial mail to (C) + (R2), request to respond with deadline set to 2012-03-13
- 2012-03-07 (C): accepts CCA/DRP under this arbitration and sends his PoV
- 2012-03-07 (Support): is wondering why ticket is moved to Arbitration. Info request
- 2012-03-07 (A): response to (SE)
- 2012-03-07 (A): DRP 2.2 joining of addtl. parties: initial mail to (R3)
- 2012-03-07 (A): request to (Support): regarding secondary email addresses on (R2)'s account
- 2012-03-07 (R3): accepts CCA/DRP and outlines his viewpoint
- 2012-03-08 (Support): response regarding secondary email address of (R2)'s account [s20120307.643]
- 2012-03-08 (A): longer response, clarification and 3 questions to (C)
- 2012-03-08 (A): request to (Support), (Board) about procedural concept of paypal dispute handling and backtransfer of money paid
- 2012-03-08 (A): request to (Support), if an account exist with email address of (C)?
- 2012-03-08 (A): response from (Board) regarding about procedural concept of paypal dispute handling and backtransfer of money paid
- 2012-03-08 (A): response from (Support) regarding about procedural concept of paypal dispute handling and backtransfer of money paid
- 2012-03-08 (A): intermediate ruling and exec request to (Treasurer), sent to (C), (Treasurer), (R2), (R3), (CM)
- 2012-03-08 (Support): response to request to (Support), if an account exist with email address of (C)? yes, but account is not named as (C)
- 2012-03-08 (A): sending initmailing to (R2)'s 2nd account primary email address with request for CCA/DRP acceptance
- 2012-03-08 (A): research about (C)'s location that was given in the Paypal dispute as shipping address, to invite (C) to an assurance
- 2012-03-15 (A): sending reminder for exec request with request of exec report to (Treasurer)
- 2012-03-15 (A): sending reminder regarding: 2012-03-08 (A): longer response, clarification and 3 questions to (C) with deadline set to 2012-03-21
- 2012-03-15 (C): sent response to reminder with answers and more clarifications. (C) has recovered access to (R2) mailbox and (R2) account
- 2012-03-15 (A): intermediate ruling #2, sent to (C), (Treasurer), (Board)
- 2012-03-15 (A): Exec request following intermediate ruling #2 to (C)
- 2012-03-15 (C): first response following exec request (intermediate ruling #2)
- 2012-03-15 (A): sending some more details regarding exec request (intermediate ruling #2) to (C)
- 2012-03-15 (A): sending exec request to (Support) with step 1 (account lock), step 2 (administrative delete account after 2012-04-14) over (R2)'s 2nd account
- 2012-03-15 (A): sending exec request to: a) (Treasurer) to process the Paypal dispute to transfer back to (C)'s paypal account, b) (Board) escalation of this running Paypal dispute handling to add to the agenda of upcoming Board meeting
- 2012-03-15 (A): escalation to (Board), added to agenda of upcoming Board meeting 2012-03-18
- 2012-03-15 (Support): [s20120315.7] exec report step 1, 2nd account of (R2) locked, step 2: set reminder to 2012-04-14
- 2012-03-15 (Support): [s20120315.59] (Paypal) Dispute Closed: Case no. PP-...
- 2012-03-15 (Treasurer): response to exec request intermediate ruling #1 and #2, case handled last night
- 2012-03-16 (A): question to (Treasurer) team, if dispute closed notification means, that the money has been refunded or does it mean, that are addtl. actions needed?
- 2012-03-16 (A): asking (C) for a confirmation, that the refund received (C)'s paypal account
- 2012-03-16 (Treasurer): response to (A)'s question: The full payment was refunded. That automatically involves the dispute with Paypal to be closed
- 2012-03-20 (A): reminder to (C): confirmation request refund received
- 2012-03-20 (A): reminder to (C): exec request to update account data
- 2012-04-14 (Support): reminder about Administrative Account Delete of account #2 of (R2)
- 2012-04-15 (A): review of the case revealed a discrepancy in used email addresses to contact (C) and (R2). Info sent to (Support)
- 2012-04-15 (A): reminder: sending initmailing to (R2)'s 2nd account primary email address with request for CCA/DRP acceptance with deadline set to 2012-04-29
- 2012-04-15 (A): reminder: intermediate ruling #2 orders to (C)'s a) primary email address of account #1, b) primary email of (C) used in this arbitration communications with deadline set to 2012-04-29 with warning about administrative account delete while breaching CCA clauses
- 2012-06-30 (Support): [s20120315.7] asking for next action step (includes step 1 + step 2 actions to take of intermediate ruling #2, report that step 1 has been executed, and a reminder set to 2012-04-14)
- 2012-10-16 (Support): [s20120315.7] - (same as 2012-06-30), Shall I close the account according to Delete Account Routine v3?
- 2012-10-21 (A): delayed until I get some spare time, to get again an overview of current state of this case to (Support)
- 2013-01-18 (Support): [s20120315.7] reminder again (same as 2012-06-30)
- 2013-01-18 (A): Exec request step 2 following: Intermediate ruling #2 - Arbitration case a20120305.1 - Notification of Paym... to (Support)
- 2013-02-11 (Support): [s20130118.18] exec report intermediate ruling #2 - step 2, account#2 of (C) closed, server cert cannot be revoked (domain no longer exist in this account)
- 2013-02-11 (A): request to Software-Assessment project team regarding potential bug (server cert cannot be revoked caused by missing domain)
- 2013-02-12 (A): intermediate ruling #3, sent to (C), (R2), (R3), (Support), exec requests follows in separate emails
- 2013-02-12 (A): exec request to (C) following intermediate ruling #3, to send full name, DoB to (A)
- 2013-02-12 (A): exec request to (Support) following intermediate ruling #3, to lock members account #1
- 2013-02-12 (Support): exec report to intermediate ruling #3: account is locked now, there are no assurances given or received, certs are expired
- 2013-03-16 (Support), (A): quick update current state via phone, no response received by either (Support) or (A)
Original Dispute, Discovery (Private Part) (optional)
Link to Arbitration case a20120305.1 (Private Part)
EOT Private Part
Discovery
Paypal dispute - Deadline set: 26 Mar 2012
- Case was initialized as "external" Paypal dispute with potential CCA violation
- Case started as "external" dispute, (C) accepts CCA/DRP on request, so therefore is "within" CAcert
- disputed domain and disputed account primary email mismatches the requestors email
- the member who owns the "individuals" account in question left the company
- potential administrative delete account, depends on a successful try to contact the member in question
probably: freeing domain, so that requestor can recover the domain in question (-> domain dispute)
- (C) wrote a dispute against (R3) in his viewpoint
- CAcert's Paypal account access is under the Treasurer's control
- 4 potential solutions, to handle (C)'s request
- to get access to a CAcert account, that is not the account in question
- to get access to the domain in question
Solution 1:
---------------
Requirement: access to the mailbox: <old email address>
Procedural steps (all to do by (C))
1. create a new individual account with your name, your email address, your DoB
2. login to your new CAcert account
3. start a domain dispute for domain <disputed domain> under the main CAcert website
4. connect to the mailbox: <old email address>
5. confirm the domain dispute request (click the link) (Now the domain is freed from the origin account.)
6. login to your newly created account
7. add domain <disputed domain> under your account
* sidenote: the old account needs to be closed (administrative delete account) or primary email address corrected by the "old" member

Solution 2:
--------------
Requirement: contact the old user via another email address
Procedural steps
(following steps to do by the Arbitrator)
1. contact the user with an alternate address
2. instruct the user, to replace his current primary email address with a new working email address
3. instruct the user, to remove the domain in question
(following steps to do by (C))
4. create a new individual account with your name, your email address, your DoB
5. login to your new CAcert account
6. add domain <disputed domain> under your account

Solution 3:
-----------
Requirement: "old" member doesn't respond anymore and isn't contactable
Procedural steps:
(following steps to do by the Arbitrator)
1. contact the user with his primary email with the formal administrative delete account ruling
2. waiting up to 14 days for response from the user
3. process the delete account procedure (this includes removal of the primary email and domain record in the users account)
(following steps to do by (C))
4. create a new individual account with your name, your email address, your DoB
5. login to your new CAcert account
6. add domain <disputed domain> under your account

Solution 4:
-----------
Requirement: Organisational Assurance of your company, Org-Admin at hand
Procedural steps:
1. administrative shutdown of the account in question -or- contact the "old" user, to free up the domain and replace the primary email address
(following steps to do by (C))
2. create a new individual account with your name, your email address, your DoB
3. add domain <disputed domain> under your user account (optional, as the OA process will take a while)
4. initiate an Organisation Assurance over your company
5. name the Org-Admin
(steps to be done by an Org-Assurer)
6. add domain <disputed domain> under your Org account
Intermediate Ruling
This intermediate ruling covers the question, that
- the Paypal dispute is justified (in contrast to CCA 2.3.3 violation)
- the Paypal disputed amount has to be paid back to the user
Rationale
- In the DRP 2.2 Preliminaries process, it has been identified, that (C) falls under the status: Non-Related Person (NRP) while opening this arbitration case.
- Acceptance to CCA/DRP has been requested to (C) that he accepted. So further processing continues under CAcert's internal arbitration.
- Further it has been identified, that (C) who triggered a support ticket to reset the password of an account who has a domain in question linked was not the account owner of the account in question. (C) has no account at CAcert.
- The support ticket has been started as a Password Reset request. It has turned out that the standard procedures for Password Reset requests don't apply to this case. In the meanwhile (C) started a Paypal Dispute, that triggered this arbitration case.
- In the potential workable solutions 1 to 4 to handle (C)'s request (see Discovery above), no one of the procedures allows a password reset over the existing "old" member account. This account has been identified as a different user, this situation has been also explained by (C) to (Support) in the support ticket communications.
Answers, Intermediate Ruling
Answer to question a)
- At the time, the Paypal dispute has been started by (C), (C) wasn't a CAcert member and didn't fall under the CAcert rules, so this cannot be ruled as a CCA 2.3.3 violation (to submit all your disputes to (CAcert internal) Arbitration (DRP)). So from the viewpoint of (C), a NRP under CAcert's view, the Paypal dispute was (C)'s correct action (outside CAcert's policy framework by the time the Paypal dispute was started)
Answer to question b)
The Paypal payment that was made by (C) to CAcert's Paypal account has the subject: "Description:CAcert Password Reset Service"
- The request (through a Paypal dispute) to transfer back the money, that was sent by (C) to CAcert's Paypal account is a valid request, as no Password Reset has been done and cannot be made under this arbitration.
- In the discovery process I've received the info, that Treasurer is the CAcert's Paypal account holder who can trigger the money transfer back, or who can respond to the running Paypal dispute. So therefore I hereby order Treasurer, to transfer back the money as disputed through the Paypal dispute to (C)'s Paypal account.
Frankfurt/Main, 2012-03-08
Discovery II
- A 2nd account of (R2) exists that includes the primary email of (C) and a 3rd primary email address that uses also the email domain of the domain in question
- Both accounts of (R2) are 0 assurance points accounts
- 2012-03-08 (A): sending initmailing to (R2)'s 2nd account primary email address with request for CCA/DRP acceptance
sending initmailing to (R2)'s 2nd account with primary email address: <anonymized>
This account has (C)'s email address <anonymized> included
- This reads that (C) has accepted CCA/DRP, but the 2nd accounts name is also the name of (R2) that doesn't match (C)'s name either
- Under the assumption, that (C) is not (R2) (2 identities, this is unconfirmed = two 0 assurance points accounts), (C) never accepted CCA/DRP before the initmailing of this running dispute
- (C)'s statements that (R2) left the company I have to read unconfirmed, but there is no indication, that (C) doesn't tell the truth
- The last request to (Support) shows up, that (C) is not able to create a new account, as his email address is used in (R2)'s 2nd account as a secondary email
- Assuming that no CAcert assurer is nearby (C)'s location, the only chance to receive an identity check is through the proposed TTP-assisted-assurance Subpolicy process.
But there is some indication through the Paypal dispute notification, that directs to a location with 6x 35pts assurers and a dozen more with lesser points in this area, so there is a potential chance to get (C) into an assurance invited or invite the assurers of the area to a VIP assurance
Current (Treasurer) as listed under CAcert Inc. Committee (Board of Directors) (Current)
- (C) recovered access to account in question
- (R2) has 2 active accounts. Account #1 has the domain in question added. Account #2 holds (C)'s email address as secondary email address. All email addresses of both accounts uses the email domain of the domain in question and disputed by (C).
- Contacting (R2) by other email addresses is impossible, because no other email addresses are known and cannot be discovered.
Intermediate Ruling #2
- Since this arbitration case was started, the init mailing to (R2) was sent with a deadline set to 2012-03-13
- The deadline passed w/o any response from the respondent.
- The original user can no longer be contacted. No workable email address available that the user can send in his PoV
- Further investigations revealed a 2nd account in use by (R2)
- (C) has recovered access to (R2)'s email account.
- This means (C) has overtaken (R2)'s mailbox and therefore current identity (yet unverified) in CAcert's view. CCA acceptance has been established through arbitration preliminary steps
- So at this current stage of the account recovery process, this is a known, controlled hijacking under this arbitration of a former member account.
- I hereby order, that (C) shall modify the account details of the hijacked/recovered 0 assurance points account, so the account reflects (C)'s identity.
- A user can modify the name and DoB in a CAcert account until the account has no assurance points transferred
- I also order (C) to initiate an Email dispute for his primary used email address through the CAcert main website from user account #2
I further rule, that the original members account #2 shall be locked immediately and shall be closed by undergoing an administrative delete account after a hold delay time of 1 month, to give the former member a chance to get access to "his" 2nd account and to continue the CAcert membership, as the former member didn't respond to the init mailing (CCA violation 2.3.3 3.5) and no working email address could be discovered to contact the former member of the 0 assurance points account as all email addresses in question are under (C)'s authority.
- I hereby renew my intermediate ruling #1 (dated 2012-03-08) to (Treasurer) regarding (C)'s refunding of his Password Reset fee paid by either processing the paypal dispute or by responding with a proposal of another step by step procedural instruction to handle the paypal dispute issue to prevent a potential blockage of CAcert's paypal account by Paypal as there was a deadline set by Paypal (until 26 Mar 2012) to handle the paypal dispute (Treasurer didn't respond so far). In parallel to escalate this "Paypal" issue to (Board) before next Board meeting on upcoming weekend.
Frankfurt/Main, 2012-03-15
Discovery III
- 2012-03-15 (C): first response following exec request (intermediate ruling #2)
- no refund received yet
- 2012-03-15 (Support): [s20120315.59] (Paypal) Dispute Closed: Case no. PP-
- Paypal Dispute case # verification
- Original and closed dispute case # are identical
- 2012-04-15 (A): while reviewing the email communications to (C) and (R2), I cannot find any email sent to (R2)'s 2nd account primary email address. This prevents processing of the Administrative Delete Account procedure not before any email has been sent to the user by his used primary email address. Same happens to account #1 regarding intermediate ruling #2 orders given.
- this also isn't completely correct:
- 2012-03-08 (A): sending initmailing to (R2)'s 2nd account primary email address with request for CCA/DRP acceptance
- 2013-02-11 (A): case reviewed after receiving intermediate ruling #2 step 2 exec report
- account #2 of 2 accounts closed.
- account #1 still exist
- account #1 still has the name and probably DoB of (R2) under authority of (C)
- (C) has received initial change request for Name and DoB 2012-03-15 for account #1 (1 response, pwd changed)
- (C) has received 2nd email explanations to change Name and DoB for account #1
- Intermediate ruling #2 exec request to (C) to change Name and DoB on account #1 dated 2012-03-15 to reflect (C)'s name and DoB
(C) closed paypal dispute, info received via PayPal
- reminder to (C) to update Name + DoB of account #1 (2012-03-20)
- reminder to (C) to update Name + DoB of account #1 (2012-04-15), deadline set: 2012-04-29
- (C) did not respond on any reminder sent (2 change requests before intermediate ruling + intermediate ruling #2 change request + 2 reminders with last deadline set to 2012-04-29)
- as of 2013-02-11 the data in account #1 has not been corrected, still has the old members name and probably DoB
Intermediate Ruling #3
- (Claimant) (Roman) did not respond on any reminder sent to change the Name and DoB of the administrative recovered account #1 (Alexandr)
- 2 change requests before intermediate ruling #2
- + intermediate ruling #2 change request
- + 2 reminders with last deadline set to 2012-04-29
- (so in total 5 change requests) has been sent to (Claimant) (Roman)
- as of 2013-02-11 account #1 (Alexandr) still has the old members name and probably DoB, so the change request to (Claimant) (Roman) to change the name and DoB in this account #1 has not been executed by (Claimant) (Roman)
- The deadline set for those requests, that I've set in intermediate ruling #2 for 2012-04-29 did pass w/o actions by (Claimant) (Roman)
- The fact is, that (Claimant) (Roman) still has access over an account #1 (Alexandr) with known wrong name and DoB set.
- This I can no longer allow.
- I hereby order (Support) to lock (Claimant)'s (Roman's) account #1 immediately
- (Claimant) (Roman) was a Non-Related-Person before, who accepted CCA on 2012-03-07 as part of the current arbitration case preliminaries
- (Claimant) (Roman) then violates CCA 2.3, 3.2, 3.5 by not following Arbitrators ruling exec requests of intermediate ruling #2
- There is still a slight chance, that misunderstandings exist by (Claimant) (Roman) regarding the exec requests to (Claimant). I hereby give (Claimant) (Roman) a last chance with a deadline for 2 weeks by now, set to Monday 2013-02-25 to (Claimant) (Roman) to bring his account #1 in a good shape by send in his full name and his real DoB that also can be found in one of his Id documents to the (Arbitrator), so that (Arbitrator) later is able to order (Support) (in another intermediate ruling) to change the full name and DoB of (Claimant)'s account #1 to the correct data, so that (Claimant) (Roman) later can continue to use his account #1 (otherwise the account #1 has also to undergo an administrative delete account)
Frankfurt/Main, 2013-02-12
Discovery IV
- 2013-03-16 (Support), (A): quick update current state via phone, no response received by either (Support) or (A)
- 2013-02-12 (Support): account in question is locked now
- Account state:
- there are no assurances given or received
- there exist expired certs
- (C) didn't respond to the intermediate ruling #3 dated 2013-02-12, nor did he respond to the exec request to (C) following intermediate ruling #3
Ruling
- The case started with a paypal dispute, that has been solved within this arbitration.
- The final ruling also relates to the topics that followed the solved paypal dispute.
- All attempts to bring the disputed account in a good shape failed by no longer responsive claimant
- The last attempt that was made within the last 4 weeks with a fixed deadline set.
- This deadline passed w/o any response from claimant.
- So therefore I order Support:
- to make a snapshot printout of current state of the remaining account to become part of this arbitration file.
- to start with an administrative delete account following Delete Account procedure #3 over account #1 of (Claimant) including revocation of all remaining certificates, removal of domains and emails referenced with this account (details see Delete Account procedure #3)
- As in the discoveries found, respondent (R2) did hold 2 accounts. One transferred over to (C), the 2nd one remains authoritative by (R2), that did undergo an administrative delete account. Despite the fact, (R2) can no longer be contacted, the final ruling has now to cover the 1st account under authority of (Claimant) and the 2nd, another account, that was under Respondents (R2) authority and had been closed by Intermediate Ruling #2 dated 2012-03-15
- Administrative Delete Account: CCA termination date calculation for Claimant:
- by assurances given: no
- by issued certificates:
- latest certificate expired: 2012-09-02
- 2012-09-02 + 3 months = 2012-12-02
- this is before current date.
- CCA termination date calculated: today
- Administrative Delete Account: CCA termination date calculation for Respondent (R2):
- by assurances given: no
- by issued certificates:
- The last certificate expired in April 2010
- 2010-04-30 + 3 months = 2010-07-30
- this is before current date.
- CCA termination date calculated: today
- As this continued case tweaks in procedure, I hereby rule, that CCA termination hold time requires an extension for addtl. 3 months for both (Claimant) and (Respondent) (R2), in case Respondent (R2) or Claimant (C) will give a response to the current and final ruling and also to span the notification and execution period.
- CCA termination date fixed date set for (Claimant): 2013-06-16
- CCA termination date fixed date set for (Respondent) (R2): 2013-06-16
Frankfurt/Main, 2013-03-16
Execution
- 2013-03-16 (A): ruling notification to (C), (R2), (R3), (Support) sent
- 2013-03-16 (A): exec request delete account following final ruling sent to (Support)
- 2013-03-16 (Support): [s20120315.7] exec report, executed the ruling
- 2013-03-17 (A): final notification to (C), (R2), (R3) sent, case closed
Similar Cases