Arbitration / Training
The Training Course for Case Managers and Arbitrators
Actions for a Support Engineer (for the ruling) Version 3
If an account is to be killed ...
walk through bottom-up
- Handle server certificates before domains (server certificates relate to domains, so deleting the domains makes existing server certificates invisible; whether they are then deleted is unclear)
- Replace the email address with the extended arbitration case number before opening the Questions-and-Answers page, so that the user does not receive an annoying "Your secrets page has been visited, this is a potential attack ..." message (or whatever)
Detailed Checklist
In SE console mode
- set a new password (and forget it later)
- (optional) Take a snapshot of the account information and print it to PDF
  - include all account information, certificate information and so on, and send it to the arbitrator (if requested by an arbitrator)
In User mode
- log in to the account to hijack
- If the user's language is one you cannot read, do this as the first step:
  - My Details - Default Language
    - set to English and delete all Additional Language Preferences
- revoke all certificates
  - Server Certificates - View
    - select "View all certificates"
    - revoke Server certificates, even expired
  - Domains - View
    - Delete Domains
  - GPG PGP Keys - View
    - revoke certificates
  - Client Certificates - View
    - select "View all certificates"
    - revoke Client certificates, even expired
- Email Accounts - Add
  - add email address cYYYYMMDD.x.y@cacert.org (mind the correct spelling of the mail address)
    - where c = one char - default: a - can be another char ruled by arbitrator
    - YYYYMMDD is the arbitration case date and x the running number of the arbitration of that date
    - y is a unique increasing number starting at 1
      - if multiple email addresses shall be deleted in one arbitration case, the first account to delete becomes 1, the 2nd -> 2, the 3rd -> 3 and so on
  - verify new email address sent by email to support inbox (the verification mail should be placed automatically in the Delete Account bucket)
- relogin into user account (with old email address)
  - switch primary email address to cYYYYMMDD.x.y@cacert.org
  - select cYYYYMMDD.x.y@cacert.org and make default
- delete all email addresses (except the primary email address)
  - Email - View
    - remove email address(es) (except new primary)
      - Select "delete checkbox" on (old) users email address, hit 'delete'
- Walk through My Details and its submenus
  - My Alert Settings
    - deselect all checkboxes
  - My Details - Location
    - set to: Denistone East, New South Wales, Australia (2256755)
  - My Details - My Listing
    - set to: I don't want to be listed
    - clear the text field if filled
  - My Details - Default Language
    - set to English and delete all Additional Language Preferences
  - My Details - Edit
    - fill the secret questions and answers with junk
- Logout
In SE console mode
- System admin - Find user
  - search for cYYYYMMDD.x.y@cacert.org
  - fill Givenname, Middlename, Lastname and Suffix with the extended arbitration number cYYYYMMDD.x.y
  - set DoB to 1900-01-01
  - reset all flags to '0', most important are those which assign special privileges like:
    - TTP Admin
    - Location Admin
    - Admin
    - Ad Admin
  - all assurances received / given are left untouched if any
- As the last action lock the account
  - set 'Account Locking:' to 1
In OTRS
- report the youngest date of the revoked certificates
- (optional) attach the PDF files if requested by the arbitrator
Notes and Comments
Procedure was applied to a20100531.1 and worked for the most part. According to support the verification mail was not placed in the Delete Account bucket but in the Triage queue. IMHO this should be fixed but does not block usage of the procedure. BernhardFröhlich