## page was renamed from Arbitrations/Training/Lesson10
## page was renamed from Arbitrations/Training/Lession10
= Arbitration / Training =
The Training Course for Case Managers and Arbitrators

{{{#!wiki caution
'''WARNING''' obsolete, needs work
}}}

[[Arbitrations/Training|Training Home]] / [[Arbitrations/Training/Lesson19|back]]

== Lesson 20 - Arbitration Case - Delete Account Request ==

== Checklist for Arbitrators ==
On a "Delete my Account" request, Arbitrators have to check several conditions and rule on each topic:

|| '''Topic''' || '''Ruling Action''' || '''Checked ?''' ||
|| Account created, no points, no certs || delete account || ||
|| Issued Certificates? <<BR>>- Client Certs<<BR>>- Server Certs<<BR>>- Codesigning Certs<<BR>>- GPG/PGP keys || Revoke Certificates<<BR>>- revoke Client Certs<<BR>>- revoke Server certs<<BR>>- revoke Codesigning Certs<<BR>>- revoke GPG/PGP keys || ||
|| Received Assurances || you don't need to take care of this || ||
|| Is Assurer, 0 Assurances given || you don't need to take care of this || ||
|| Is Assurer, >0 Assurances given || transfer collected CAP forms to CAcert || ||
|| Open/running disputes? || Hold termination process until other cases are closed || ||
|| Is Organisation Admin? || check Organisation entry? other Admins available? || ||
|| Is Organisation Assurer? || transfer COAP forms to CAcert || ||
|| Is TTP Assurer? || transfer TTP paperwork to CAcert || ||
|| Infrastructure Admin? || revoke access permissions, change admin passwords || ||
|| CCA Termination When? || Define CCA termination date || ||

== In Detail ==
If the user made assurances or created certs, the case needs to be handled differently, so there are at least 4 options with different solutions:

|| case # || Assurances received Yes/No || Assurances done Yes/No || Certs created Yes/No ||
|| 1 || {{attachment:choice-yes.gif}} or {{attachment:choice-cancel.gif}} || {{attachment:choice-cancel.gif}} || {{attachment:choice-cancel.gif}} ||
|| 2 || {{attachment:choice-yes.gif}} or {{attachment:choice-cancel.gif}} || {{attachment:choice-yes.gif}} || {{attachment:choice-cancel.gif}} ||
|| 3 || {{attachment:choice-yes.gif}} or {{attachment:choice-cancel.gif}} || {{attachment:choice-cancel.gif}} || {{attachment:choice-yes.gif}} ||
|| 4 || {{attachment:choice-yes.gif}} or {{attachment:choice-cancel.gif}} || {{attachment:choice-yes.gif}} || {{attachment:choice-yes.gif}} ||
 . ''table 1''

==== case 1 ====
... with no assurances made and no cert created, support can remove the account as long as no special conditions are met that require an arbitration anyway. In this case support acts similarly to an arbitrator.
For details see: Arbitration precedent case [[Arbitrations/a20111128.3|a20111128.3]], Delete Account: no assurances made, no certs created.
Arbitrator: UlrichSchroeter

==== case 2 ====
 * the assurances made need to be handled. CAP forms need to be sent over to the arbitrator
 * For details see: [[Arbitrations/a20090328.1#Ruling|a20090328.1]], [[Arbitrations/a20090328.1#Ruling|Assurer wants his account deleted]], Arbitrator: Philipp Dunkel
 * See also case [[Arbitrations/a20090618.3#Ruling|a20090618.3]] for modified ruling about how to handle the Email address x1)

==== case 3 ====
 * certs need to be handled
 * For details see: [[Arbitrations/a20090328.1#Ruling|a20090328.1]], [[Arbitrations/a20090328.1#Ruling|Assurer wants his account deleted]], Arbitrator: Philipp Dunkel
 * See also case [[Arbitrations/a20090618.3#Ruling|a20090618.3]] for modified ruling about how to handle the Email address x1)

==== case 4 ====
 * the assurances made need to be handled. CAP forms need to be sent over to the arbitrator
 * certs need to be handled
 * For details see: [[Arbitrations/a20090328.1#Ruling|a20090328.1]], [[Arbitrations/a20090328.1#Ruling|Assurer wants his account deleted]], Arbitrator: Philipp Dunkel
 * See also case [[Arbitrations/a20090618.3#Ruling|a20090618.3]] for modified ruling about how to handle the Email address x1)

x1) 2009-12-10 Email address is modified to: ''a20YYMMDD.x.y@c.o'' (regexp: ''/^a[0-9]{8}\.[0-9]\.[0-9]*$/'') where ''a20YYMMDD.x'' is the arbitration number and y a running number for the deleted account inside the arbitration.

== Policies ==
=== CPS ===
 * [[https://www.cacert.org/policy/CertificationPracticeStatement.php|Certification Practice Statement]]
  * section 4.
   * 4.4. Certificate acceptance
    * 4.4.1. Conduct constituting certificate acceptance
   * 4.5. Key pair and certificate usage (references CCA)
    * 4.5.2. Relying Party Usage and Responsibilities
     . Certificates are issued to Members only.
     . in the case a member leaves CAcert, all certs (even expired) have to be revoked
   * 4.7. Certificate re-key
    . potential attack scenario if member leaves CAcert and expired certs are left open
   * 4.9. Certificate revocation and suspension (covers delete account procedure)
    * 4.9.1. Circumstances for revocation
     * Certificates may be revoked under the following circumstances:
      1. As initiated by the Subscriber through her online account.
      1. As initiated in an emergency action by a support team member. Such action will immediately be referred to dispute resolution for ratification.
      1. Under direction from the Arbitrator in a duly ordered ruling from a filed dispute.
     * These are the only three circumstances under which a revocation occurs.
    * 4.9.6. Revocation checking requirement for relying parties
 * [[https://www.cacert.org/policy/CAcertCommunityAgreement.php|CCA]]
  * 3.3 Termination
   . You may terminate this agreement by resigning from CAcert. You may do this at any time by writing to CAcert's online support forum and filing dispute to resign. All services will be terminated, and your certificates will be revoked. However, some information will continue to be held for certificate processing purposes.

=== Other Sources ===
 * [[https://wiki.cacert.org/FAQ/HowToTerminate]] (reference from new CCA)
  . description for members how termination affects WoT

== Notes ==
[[Arbitrations/a20090618.3|a20090618.3]] uses this case as a precedent and gives some clarifications about data retention.

=== Hijacking Accounts ===
Hijacking accounts is a workaround to get information in special cases. It is indeed a dirty workaround, so the support engineer needs explicit authorisation from an Arbitrator to do so, and an Arbitrator should only give this authorisation if the account is due for deletion or deactivation anyway.

See https://wiki.cacert.org/Support/SE/Manual#About_Deleting_and_Deactivating_Accounts on how to hijack an account.

=== Actions for a Support Engineer (for the ruling) ===
If an account is to be killed ...

[[Arbitrations/Training/Lesson20/DeleteAccountProcSEv3]]

Previous working versions ('''deprecated''')
 * [[Arbitrations/Training/Lesson20/DeleteAccountProcSEv1]] (deprecated)
 * [[Arbitrations/Training/Lesson20/DeleteAccountProcSEv2a]] (deprecated)
 * [[Arbitrations/Training/Lesson20/DeleteAccountProcSEv2]] (deprecated)

== Account handling with patch #794 installed ==
If no assurances were made by the account owner and no certs were created (case 1), the account can be deleted after one precedent ruling is made by an arbitrator. All subsequent cases can be handled by this new case#

== Proposal Procedure for Arbitrators (WIP) ==
 1. Send notification to (C) (Arbitration starts)
 {{{
Dear ,

We've received your "Delete my Account" request dated ####-##-##.
If this is in error, please respond to this notification within
14 days (deadline set to: ####-##-##) or please confirm your
"Delete my Account" request.
Otherwise this case will continue automatically.

I'll take this case as Case Manager ().
The Arbitrator is (), the case number is .

The status of the case is recorded at [1]. If you notice any missing
or wrong information there feel free to provide us your point of view on it.

Like every case this also is opened by some formalities:

1. Please reply to this email and confirm that you accept the
   Arbitration under the CAcert Community Agreement [2] and the
   Dispute Resolution Policy [3].
2. The governing law will be that of NSW, Australia. It is possible
   to request a change of law, but it is unlikely to be helpful in
   this case.
3. You each need to notify me if you are seeking legal counsel
   (a lawyer). This is not recommended. Rather, if you feel the need
   for help, I can ask an experienced Assurer to assist you.

Finally, please remember: this forum is about sorting out our common
difficulties and improving our ability to secure ourselves. Unlike
other forums, I ask you to maintain a positive and helpful spirit at
all times!

The proceedings of the Arbitration have to be in English. If you have
trouble expressing yourself in English we can try to find a
translator for you.

--
CM's or A's signature

[1] http://wiki.cacert.org/Arbitrations/
[2] http://www.cacert.org/policy/CAcertCommunityAgreement.php CAcert Community Agreement
[3] http://www.cacert.org/policy/DisputeResolutionPolicy.php Dispute Resolution Policy
 }}}
 2. Response to initmail ?
  * No: CCA/DRP acceptance doesn't exist -> continue step 3
  * Yes:
   * User refuses the request -> dismiss -> stop.
   * Did user accept CCA / DRP ?
    * No: CCA/DRP acceptance doesn't exist -> continue step 3
    * Yes: CCA/DRP acceptance exists -> continue step 3
 3. Additional check of CCA acceptance state through information from account and/or information about account
 {{{
Request to (Support)
Infos from Account needed
Hijacking request (probably intermediate ruling)

Infos for Support
 * Name
 * Primary Email

Requesting infos from Support
 * Additional Email addresses? Yes/No
 * Assurances Received? List of Assurances incl. assurance date
 * Assurances Given? List of Assurances incl. assurance date
 * !IsAssurer? Trainings > 0? Yes/No
 * Client Certs exists? Yes/No
   * on Yes: list of issue/expire date(s)
 * Server Certs exists? Yes/No
   * on Yes: list of issue/expire date(s)
 * Domain on Domain list? Yes/No
 * GPG keys exists? Yes/No
 }}}
 4. Does CCA/DRP acceptance exist ?
  1. through email response
  2. through account information
   1. assurances received/given > February 2009 (AP rollout) -> yes, otherwise no
   2. Client certs, Server certs issued after mid 2009 (CCA checkbox within system added) -> yes, otherwise no
  * No: handle at SE level
   * State in the ruling that no CCA acceptance exists, order Support account deletion by manual arbitration_a#### procedure
  * Yes: handle under Arbitration level -> continue step 5
 5. Selection
  * Assurances Given ?
   * No -> case type #1 or #3 (see table 1 on top)
    * continue quick termination step 6
   * Yes -> case type #2 or #4 (see table 1 on top)
    * you need to request CAP forms from (C)
    * continue step 7
 6. Quick termination, fast ruling
  * research: open arbitrations or involved in other arbitrations ? (except termination request)
  * Do Client Certs, Domain Certs and Domains exist on account ? -> Certs revocation request
  * Ruling incl. calculated CCA termination date
  * Finished
 7. Account w/ Assurances given
  * is the user currently bound to CCA?
   * Assurances received / given after (mid 2008), 02/2009? (answer from req #1 to Support)
    * No: check if certs created after mid 2009, continue 5.1
    * Yes: bound to CCA fact established
  1. req #2 to Support
   * Intermediate Ruling to Support (req #2): hijack account for Certs info
  2. Certs created after mid 2009 ?
   * No: bound to CCA fact not established
    * request CCA agreement (hard way) ???
   * Yes: bound to CCA fact established
  3. request CAP forms from (C)
   * sealing
  4. Other researches and tasks
   * research: open arbitrations or involved in other arbitrations ? (except termination request)
   * Do Client Certs, Domain Certs and Domains exist on account ?
   * Ruling incl. calculated CCA termination date
   * Finished

 * Calculate CCA termination date (referenced to [[https://wiki.cacert.org/Arbitrations/Meetings/Transcripts/transcript-meeting-100104|Arbitration team meeting 2010-01-04]] 22:09:05)
  * practical view: on account close request, SE walks through the list of Certs, searches for the Cert with the longest expiry time, returns this info to the arbitrator, arbitrator notes this, SE revokes certs, CCA ends after the date + 3 months the Arbitrator noted
  * .... (or ruling if this is later)
  * Sample: today = 2010-10-21 is the date the last cert expires
   * day: 21 - 1 = 20 => calculated CCA termination day: 20
   * month: 10 + 3 => calculated CCA termination month: January
   * calculated CCA termination date: 2011-01-20
  * '''A''' if calculated date is before ruling date, termination date is ruling date, otherwise calculated ruling date
  * '''B''' also: !IsAssurer - last Assurance date + 7 years
  * '''A''' > '''B''' then '''A'''
  * '''A''' < '''B''' then '''B'''

=== Procedure graph ===
'''DRAFT v1 !!!'''

{{attachment:CAcert delete account.png}}

----
'''DRAFT v2 !!!'''

{{attachment:CAcert delete account-v2.png}}

----
== Why Revocation of Assurance Points is no option ? ==
[[Arbitrations/Training/Lesson20/PointsRevocation]]

----
[[Arbitrations/Training/Lesson21|next]]

----
 . CategoryArbitration
 . CategoryArbitrationsTraining
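
The "Calculate CCA termination date" step of the procedure above, worked through as an added Python example (not part of the original page and not CAcert code). The function and parameter names are hypothetical, and three behaviours are assumptions the page does not settle: clamping to the month end when the target month is shorter, falling back to the ruling date when the account has no certs, and reading "last Assurance date" as the most recent assurance on the account.

```python
import calendar
from datetime import date, timedelta
from typing import Optional


def add_months(d: date, months: int) -> date:
    """Shift d by whole months, clamping the day to the target month's length.

    Assumption: the page's sample (21 Oct -> January) never hits a short
    month, so clamping 30 Nov + 3 months to 28/29 Feb is this example's choice.
    """
    year, month0 = divmod(d.year * 12 + (d.month - 1) + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


def cca_termination_date(ruling_date: date,
                         last_cert_expiry: Optional[date] = None,
                         last_assurance: Optional[date] = None) -> date:
    """Return the CCA termination date for a delete-account ruling.

    last_cert_expiry: expiry of the cert with the longest lifetime, as
                      reported by the Support Engineer (None: no certs).
    last_assurance:   date of the last assurance if the member is an
                      Assurer (None: rule B does not apply).
    """
    # Rule A: expiry + 3 months, day - 1, but never before the ruling date.
    # With no certs there is nothing to calculate; using the ruling date
    # alone in that case is an assumption of this example.
    a = ruling_date
    if last_cert_expiry is not None:
        calculated = add_months(last_cert_expiry, 3) - timedelta(days=1)
        a = max(calculated, ruling_date)

    # Rule B: last assurance date + 7 years; the later of A and B wins.
    if last_assurance is None:
        return a
    b = add_months(last_assurance, 7 * 12)
    return max(a, b)


if __name__ == "__main__":
    # The page's sample: last cert expires 2010-10-21 -> 2011-01-20.
    print(cca_termination_date(date(2010, 10, 25), date(2010, 10, 21)))
```
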