The Training Course for Case Managers and Arbitrators
Appendix 02: What Support can do
When making a ruling it helps to know what Support is able to do using the Support console.
For one thing, you can try the console yourself on the test system at https://cacert1.it-sls.de/, but of course an experienced Support Engineer can do more than a lowly Arbitrator who is just playing around a bit.
So this page should give you an idea of what is possible. Of course you may still ask Support for advice if you don't know whether some action is possible or not.
Finding an Account
To find an account, Support has to know an email address, or at least a large enough part of it.
When searching for a mail address, the Support Console searches all mail addresses known to the system, including secondary and deleted mail addresses.
In the search mask, SQL wildcard characters can be used, so "%cacert%" will find all addresses containing the string "cacert" somewhere. The search only shows the "first" 100 results, so a broad search such as "%cacert%" will probably not show every matching address.
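The following is an added example (not code from the CAcert Support Console) that models the search described above: every address ever attached to an account, primary, secondary or deleted, lives in one table, the pattern is passed straight to SQL LIKE so that % and _ work as wildcards, and the result is capped at 100 rows. It goes one step beyond the page by fetching one row more than the cap, so the caller can tell when the cap has cut off hits. The table layout, column names and sample addresses are constructed for the example.

```python
import sqlite3
from dataclasses import dataclass

# Result cap taken from the page: the console shows only the "first" 100 hits.
MAX_RESULTS = 100

# Constructed sample data (not real CAcert accounts). One row per address, so
# secondary and deleted addresses are searched exactly like primary ones.
SAMPLE_ADDRESSES = [
    # (account_id, email, is_primary, deleted)
    (1, "alice@example.org", 1, 0),
    (1, "alice.old@cacert-test.invalid", 0, 1),   # secondary, already deleted
    (2, "bob@cacert-test.invalid", 1, 0),
    (3, "carol@example.net", 1, 0),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory table holding every address ever attached to an account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE emails (account_id INTEGER, email TEXT, "
        "is_primary INTEGER, deleted INTEGER)"
    )
    conn.executemany("INSERT INTO emails VALUES (?, ?, ?, ?)", SAMPLE_ADDRESSES)
    conn.commit()
    return conn


@dataclass
class SearchResult:
    rows: list        # (account_id, email, is_primary, deleted) tuples, at most `limit`
    truncated: bool   # True when more matches exist than were returned


def find_accounts(conn: sqlite3.Connection, pattern: str,
                  limit: int = MAX_RESULTS) -> SearchResult:
    """Search all addresses (primary, secondary, deleted) with an SQL LIKE pattern.

    The pattern is bound as a parameter, so only the LIKE wildcards % and _ are
    interpreted; quotes or other SQL in the input cannot alter the statement.
    Asking for limit + 1 rows lets the caller learn whether the cap cut off hits.
    """
    cur = conn.execute(
        "SELECT account_id, email, is_primary, deleted FROM emails "
        "WHERE email LIKE ? ORDER BY account_id, is_primary DESC LIMIT ?",
        (pattern, limit + 1),
    )
    rows = cur.fetchall()
    return SearchResult(rows=rows[:limit], truncated=len(rows) > limit)


def matching_account_ids(result: SearchResult) -> list:
    """Distinct account ids behind the returned addresses, in ascending order."""
    return sorted({row[0] for row in result.rows})


if __name__ == "__main__":
    db = build_db()
    hits = find_accounts(db, "%cacert%")
    for account_id, email, is_primary, deleted in hits.rows:
        kind = "primary" if is_primary else "secondary"
        print(f"account {account_id}: {email} ({kind}{', deleted' if deleted else ''})")
    if hits.truncated:
        print("more matches exist; narrow the pattern")
```

When `truncated` is set, the right move is to narrow the pattern (a longer fragment of the address) rather than to assume the list is complete; the ordering of hits in the real console may differ from the `ORDER BY` used here.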
Examining an Account
Using the Support Console a Support Engineer can see almost everything that's connected to an account.
This includes (but is not limited to):
- Mail addresses and domains associated with the account
- Assurances given and received (some info is only available in the account history, see below)
- Successfully completed trainings (CATS test et al.)
- The number of certificates in different states (detailed listing is available in account history)
- View the "Lost Password Details". If this feature is used the account owner is notified of the fact.
- Association to Organisation Accounts
Account History (available as soon as bug 1138 is put onto the production server)
Viewing the account history provides more data but is logged and shown to the user. This is only allowed when requested by an Arbitrator (at least that's my guess).
Additional information provided:
- Detailed list of associated mail addresses and domains, including deleted ones, with date of creation (and deletion where applicable)
- Dates when the CCA was agreed actively (by clicking a checkbox before some account activities) or passively (when an Assurer clicked the checkbox that the account owner did agree during an Assurance)
- Detailed list of Client and Server Certificates, including individual expiry and revocation dates
- Assurances given and received, including revoked ones. This list also includes the automatically generated timestamp when the Assurance was entered into the system (as opposed to the manually entered date on which the personal meeting took place)
- The "Admin Log" about special administrative actions made using the Support Console
Modifying an Account
If ordered by Arbitration, an SE can "hijack" a user account, that is, s/he may set a new password and use this password to log in to the account. S/he can then do everything the account owner could do. Obviously the original account owner will lose access to his account if this procedure is used, since the original password cannot be recovered.
The following actions are possible using the Support Console without hijacking an account:
- Modify Name fields and DoB
- Set or remove the "Assurer" flag. If the flag is set the account owner may enter Assurances into the system, regardless of his/her own Assurance Points. If the Assurer flag is removed by Support the account owner just has to pass one more CATS test (if Assurance Points are still 100 or more), so this is a mild sanction available to Arbitration.
- Set or remove the "Blocked Assurer" flag. If this flag is set, the account owner may not enter Assurances into the system, even if s/he has all other prerequisites. Setting this flag (temporarily or permanently) is a more severe sanction available to Arbitration, if someone is considered unfit to be an Assurer but is still allowed to stay a member of CAcert.
- Set or remove the "Account Locking" flag. If this flag is set the user may not log in to his/her account. This is also a severe sanction, since the user can no longer create new certificates. Setting this flag permanently is probably the same as expelling the user from the CAcert community.
- Set or delete several other flags which control some extra features like code signing certs, access to the Support Console and some similar things.
- "Delete" an account. AFAIK this is not used anymore, see Lesson 20
- Revoke all certificates of the account, but it's not possible to revoke a specific one without hijacking the account. All personal certificates are revoked (client and server); Org certificates managed by the user are not affected.
- Revoke Assurances the user got or gave. If given Assurances are revoked the user may assure the Assuree once again. ToDo: What are the side effects? How are Experience Points affected?
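As an added example (not the Support Console's own code), the model below captures the three sanction-relevant flags described above together with the logging point from the account-history section: the "Blocked Assurer" flag overrides everything, the "Account Locking" flag prevents login, removing the "Assurer" flag is undone by passing CATS again with 100 or more Assurance Points, and every privileged action is written to an admin log. Two details are this example's own assumptions: that no flag change is accepted without a reference to the Arbitration case that ordered it, and that a CATS pass re-grants the Assurer flag automatically unless the account is blocked. Class and attribute names are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List

# Flags named on the page; the attribute names are this example's own choice.
SUPPORT_FLAGS = ("assurer", "blocked_assurer", "locked")


@dataclass
class Account:
    email: str
    assurance_points: int = 0
    assurer: bool = False          # "Assurer" flag: may enter Assurances
    blocked_assurer: bool = False  # "Blocked Assurer" flag: may never enter Assurances
    locked: bool = False           # "Account Locking" flag: may not log in


@dataclass
class AdminLogEntry:
    when: str
    support_engineer: str
    target: str
    action: str
    arbitration_case: str          # reference to the ruling that ordered the action


@dataclass
class SupportConsole:
    admin_log: List[AdminLogEntry] = field(default_factory=list)
    owner_notifications: List[str] = field(default_factory=list)

    def _log(self, se: str, account: Account, action: str, case: str) -> None:
        # Assumption of this example: no privileged action without a case reference.
        if not case:
            raise ValueError("arbitration case reference required")
        self.admin_log.append(AdminLogEntry(
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            support_engineer=se, target=account.email, action=action,
            arbitration_case=case))

    def set_flag(self, se: str, account: Account, flag: str, value: bool,
                 case: str) -> None:
        """Set or clear one of the three sanction-relevant flags and record it."""
        if flag not in SUPPORT_FLAGS:
            raise ValueError(f"unknown flag {flag!r}")
        self._log(se, account, f"{'set' if value else 'cleared'} {flag}", case)
        setattr(account, flag, value)   # only reached once the action is logged

    def view_account_history(self, se: str, account: Account, case: str) -> None:
        """Viewing the history is logged and, as the page says, shown to the user."""
        self._log(se, account, "viewed account history", case)
        self.owner_notifications.append(
            f"{account.email}: account history viewed by Support ({case})")


def can_log_in(account: Account) -> bool:
    return not account.locked


def may_enter_assurances(account: Account) -> bool:
    """Blocked Assurer overrides everything; otherwise the Assurer flag decides."""
    if not can_log_in(account) or account.blocked_assurer:
        return False
    return account.assurer


def record_cats_pass(account: Account) -> None:
    """Model of the 'mild sanction': passing CATS again with 100+ points restores
    the Assurer flag. Assumption of this example: the flag is re-granted on a CATS
    pass automatically unless the account is blocked."""
    if account.assurance_points >= 100 and not account.blocked_assurer:
        account.assurer = True


if __name__ == "__main__":
    console = SupportConsole()
    acct = Account(email="alice@example.org", assurance_points=120, assurer=True)
    console.set_flag("se-1", acct, "blocked_assurer", True, case="CASE-PLACEHOLDER")
    print("may assure:", may_enter_assurances(acct))
    for entry in console.admin_log:
        print(entry)
```

Reading the admin log and the owner notifications side by side is the useful check for an Arbitrator: every flag change should trace back to a case reference, and a history view should have produced a notification to the account owner.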
Support has no access to Organisation Accounts. The only thing possible by using the Support Console is to find out whether a specific domain is linked to a personal account or an Org Account, and whether a specific user is Administrator for one or more Org Accounts.
So every order to modify Org Accounts must be addressed to an Org Assurer.
An Org Assurer may
- Edit an Organisation's account (Name, Contact Mail, Town, State, Country, Comment)
- List, add, remove and rename domains associated with an Organisation's Account. Removing or renaming a domain automatically revokes all Org certificates issued for it.
- List, add and remove Administrators to an Organisation's account. Only existing personal accounts which are Assurers can be added as Org Admins.
Note that an Org Assurer as such cannot revoke specific Org certificates. However, she may add herself as Org Admin to an Org Account, revoke one or more certificates and remove herself again. (N.B.: I hope such actions are logged for auditing...)