• Arbitrations
• Training
• Lesson20

Arbitration / Training

The Training Course for Case Managers and Arbitrators

Training Home / back

Lesson 20 - Arbitration Case - Delete Account Request

Checklist for Arbitrators

On Delete my Account request, Arbitrators have to check several conditions and have to rule on each topic:

• Topic	Ruling Action	Checked ?
  Account created, no points, no certs	delete account
  Issued Certificates? - Client Certs - Server Certs - Codesigning Certs - GPG/PGP keys	Revoke Certificates - revoke Client Certs - revoke Server certs - revoke Codesigning Certs - revoke GPG/PGP keys
  Received Assurances	you don't need to take care about
  Is Assurer, 0 Assurances given	you don't need to take care about
  Is Assurer, >0 Assurances given	transfer collected CAP forms to CAcert
  Open/running disputes?	Hold termination process until other cases are closed
  Is Organisation Admin?	check Organisation entry? other Admins available?
  Is Organisation Assurer?	transfer COAP forms to CAcert
  Is TTP Assurer?	transfer TTP paperwork to CAcert
  Infrastructure Admin?	revoke access permissions, change admin passwords
  CCA Termination When?	Define CCA termination date

In Detail

If user made assurances or created certs, the case needs to be handled different so we have at least 4 options with different solutions

• table 1

case 1

... with no assurances made and no cert has been created, support can remove the account as long as there are no special conditions met that require an arbitration anyway. In this case support acts similar to an arbitrator.

For details see: Arbitration precedent case a20111128.3, Delete Account: no assurances made, no certs created. Arbitrator: UlrichSchroeter

case 2

• needs to be handled for the assurances made. CAP forms needs to be sent over to the arbitrator

• For details see: a20090328.1, Assurer wants his account deleted, Arbitrator: Philipp Dunkel

• See also case a20090618.3 for modified ruling about how to handle the Email address x1)

case 3

• certs needs to be handled

• For details see: a20090328.1, Assurer wants his account deleted, Arbitrator: Philipp Dunkel

• See also case a20090618.3 for modified ruling about how to handle the Email address x1)

case 4

• needs to be handled for the assurances made. CAP forms needs to be sent over to the arbitrator
• certs needs to be handled

• For details see: a20090328.1, Assurer wants his account deleted, Arbitrator: Philipp Dunkel

• See also case a20090618.3 for modified ruling about how to handle the Email address x1)

x1) 2009-12-10 Email address is modified to: a20YYMMDD.x.y@c.o (regexp: /^a[0-9]{8}\.[0-9]\.[0-9]*$/) where a20YYMMDD.x is the arbitration number and y a running number for the deleted account inside the arbitration.

Policies

CPS

• Certification Practice Statement

  • section 4.
    • 4.4. Certificate acceptance
    • 4.4.1. Conduct constituting certificate acceptance
    • 4.5. Key pair and certificate usage (references CCA)
    • 4.5.2. Relying Party Usage and Responsibilities
      • Certificates are issued to Members only.
      • in the case a member leaves CAcert, all certs (even expired) have to be revoked
    • 4.7. Certificate re-key
      • potential attack scenario if member leaves CAcert and expired certs are left open
    • 4.9. Certificate revocation and suspension (covers delete account procedure)
      • 4.9.1. Circumstances for revocation
      • Certificates may be revoked under the following circumstances:
        1. As initiated by the Subscriber through her online account.
        2. As initiated in an emergency action by a support team member. Such action will immediately be referred to dispute resolution for ratification.
        3. Under direction from the Arbitrator in a duly ordered ruling from a filed dispute.
      • These are the only three circumstances under which a revocation occurs.
    • 4.9.6. Revocation checking requirement for relying parties

• CCA

  • 3.3 Termination
    • You may terminate this agreement by resigning from CAcert. You may do this at any time by writing to CAcert's online support forum and filing dispute to resign. All services will be terminated, and your certificates will be revoked. However, some information will continue to be held for certificate processing purposes.

Other Sources

• https://wiki.cacert.org/FAQ/HowToTerminate (reference from new CCA)

  • description for members how termination affects WoT

Notes

a20090618.3 uses this case as a precedent and gives some clarifications about data retention.

Hijacking Accounts

Hijacking accounts is a workaround to get informations in special cases. It indeed is a dirty workaround, so the support engineer needs explicit authorisation to do so by an Arbitrator, and an Arbitrator should only give this authorisation if the account is due to deletion or deactivation anyway.

See https://wiki.cacert.org/Support/SE/Manual#About_Deleting_and_Deactivating_Accounts on how to hijack an account.

Actions for a Support Engineer (for the ruling)

If an account is to be killed ...

• Arbitrations/Training/Lesson20/DeleteAccountProcSEv3

Previous working versions (depreciated)

• Arbitrations/Training/Lesson20/DeleteAccountProcSEv1 (depreciated)

• Arbitrations/Training/Lesson20/DeleteAccountProcSEv2a (depreciated)

• Arbitrations/Training/Lesson20/DeleteAccountProcSEv2 (depreciated)

Account handling with patch #794 installed

If no assurances made by the account owner and no certs are created (case 1), the account can be deleted after one precedent ruling is made by an arbitrator. All subsequent cases can be handled by this new case#

Proposal Procedure for Arbitrators (WIP)

1. Send notification to (C) (Arbitration starts)

   • Dear <claimant>,
     
     We've received your "Delete my Account" request dated ####-##-##.
     If this is in error, please respond to this notification within 14 days
     (deadline set to: ####-##-##)
     or please confirm your "Delete my Account" request. Otherwise this
     case will continue automaticly.
     
     I'll take this case as Case Manager <name casemanager> (<email casemanager>).
     The Arbitrator is <name arbitrator> (<email arbitrator>), the case number is <a case number>. 
     
     The status of the case is recorded at [1]. If you notice any missing or wrong information there feel free to provide us your point of view on it.
     
     Like every case this also is opened by some formalities:
     
       1. Please reply to this email and confirm that you accept the
          Arbitration under the CAcert Community Agreement [2] and the
          Dispute Resolution Policy [3].
       2. The governing law will be that of NSW, Australia. It is possible
          to request a change of law, but it is unlikely to be helpful in
          this case.
       3. You each need to notify me if you are seeking legal counsel (a
          lawyer). This is not recommended. Rather, if you feel the need for
          help, I can ask an experienced Assurer to assist you.
     
     Finally, please remember: this forum is about sorting out our common 
     difficulties and improving our ability to secure ourselves. Unlike other 
     forums, I ask you to maintain a positive and helpful spirit at all times!
     
     The proceedings of the Arbitration have to be in English. If you have troubles 
     expressing yourself in English we can try to find a translator for you.
     
     
     --
     CM's or A's  signature
     
     
     [1] http://wiki.cacert.org/Arbitrations/<case number>
     [2] http://www.cacert.org/policy/CAcertCommunityAgreement.php  CAcert Community Agreement
     [3] http://www.cacert.org/policy/DisputeResolutionPolicy.php   Dispute Resolution Policy

2. Response to initmail ?

   • No: CCA/DRP acceptance doesn't exist -> continue step 3

   • Yes:

     • User refuses the request -> dismiss -> stop.

     • Did user accepts CCA / DRP ?

       • No: CCA/DRP acceptance doesn't exist -> continue step 3

       • Yes: CCA/DRP acceptance exist -> continue step 3

3. Addtl. check of CCA acceptance state through informations from account and/or informations about account

   • Request to (Support)
     Infos from Account needed Hijacking request (probably intermediate ruling)
     
     Infos for Support
      * Name
      * Primary Email
     
     Requesting infos from Support
      * Additional Email addresses? Yes/No
      * Assurances Received?  List of Assurances incl. assurance date
      * Assurances Given?     List of Assurances incl. assurance date
      * !IsAssurer? Trainings > 0? Yes/No
      * Client Certs exists? Yes/No
       * on Yes: list of issue/expire date(s)
      * Server Certs exists? Yes/No
       * on Yes: list of issue/expire date(s)
      * Domain on Domain list?  Yes/No
      * GPG keys exists? Yes/No

4. Does CCA/DRP acceptance exist ?
   1. through email response
   2. through account informations

      1. assurances received/given > February 2009 (AP rollout) -> yes, otherwise no

      2. Client certs, Server certs issued after mid 2009 (CCA checkbox within system added) -> yes, otherwise no

   3. No: handle at SE level
      • State in ruling, that there exists no CCA acceptance, order Support account deletion by manual arbitration_a#### procedure

   4. Yes: handle under Arbitration level -> continue step 5

5. Selection
   • Assurances Given ?

     • No -> case type #1 or #3 (see table 1 on top)

       • continue quick termination step 6

     • Yes -> case type #2 or #4 (see table 1 on top)

       • you are in need to request CAP forms from (C)
       • continue step 7
6. Quick termination, fast ruling
   • research: open arbitrations or involved in other arbitrations ? (except termination request)

   • Does Client Certs, Domain Certs and Domains exists on account ? -> Certs revocation request

   • Ruling incl. calculated CCA termination date
   • Finished
7. Account w/ Assurances given
   • is the user currently bound to CCA?
     • Assurances received / given after (mid 2008), 02/2009? (answer from req #1 to Support)
       • No: check if certs created after mid 2009, continue 5.1
       • Yes: bound to CCA fact established
   • req #2 to Support
     • Intermediate Ruling to Support (req #2): hijack account for Certs info
   • Certs created after mid 2009 ?
     • No: bound to CCA fact not established
       • request CCA agreement (hard way) ???
     • Yes: bound to CCA fact established
   • request CAP forms from (C)
     • sealing
   • Other researches and tasks
     • research: open arbitrations or involved in other arbitrations ? (except termination request)
     • Does Client Certs, Domain Certs and Domains exists on account ?
     • Ruling incl. calculated CCA termination date
     • Finished

• Calculate CCA termination date (referenced to Arbitration team meeting 2010-01-04 22:09:05)

  • practical view: on account close request, SE walks through the list of Certs, searches the Cert with the longest expiry time, returns this info to arbitrator, arbitrator notice this, SE revokes certs, CCA ends after the date + 3 month Arbitrator noticed
    • .... (or ruling if this is later)
  • Sample: today = 2010-10-21 is the date the last cert expires

    • day: 21 - 1 = 20 => calculated CCA termination day: 20

    • month: 10 + 3 => calculated CCA termination month: January

    • calculated CCA termination date: 2011-01-20

  • A if calculated date is before ruling date, termination date is ruling date, otherwise calculated ruling date

  • B also: IsAssurer - last Assurance date + 7 years

  • A > B then A

  • A < B then B

Procedure graph

DRAFT v1 !!!

DRAFT v2 !!!

Why Revocation of Assurance Points is no option ?

• Arbitrations/Training/Lesson20/PointsRevocation

next

• CategoryArbitration

• CategoryArbitrationsTraining