= Arbitration / Training =
The Training Course for Case Managers and Arbitrators

[[Arbitrations/Training|Training Home]] / [[Arbitrations/Training/Lesson25|back]]

== Lesson 30 - Name Changes and the CPS ==
''' WIP '''

 * The [[http://www.cacert.org/policy/CertificationPracticeStatement.php|CPS]] comes to draft at Status: DRAFT p20091108
  * Certs created before 2009-11-08 are not affected by this investigation
  * Certs created after 2009-11-08 need further investigation
 * The certs problem
  * If the user has created client certificates while the account still held the not yet corrected name, the certs were built with the wrong given name from the account.
  * [[http://www.cacert.org/policy/CertificationPracticeStatement.php|CPS]] 3.1.1. Types of names - Client Certificates. The Subscriber Naming consists of:
   * CN= The common name takes its value from one of:
    * For individual Members, a Name of the Subscriber, as Assured under AP.
  * The name in question probably does not conform to AP after the name change
  * When creating Client Certificates, users have the option to select between several variations
   * from the source code: /pages/account/3.php line 64-68 (create client cert)
    * No Name in the Cert (named: WoT user)
    * Givenname + Lastname
    * Givenname + Middlename + Lastname
    * Givenname + Lastname + Suffix
    * Givenname + Middlename + Lastname + Suffix
  * Which certs have been created by the user?
   * if removal of a middle name is requested and the user has created a client cert with Givenname + Lastname, this cert does not need to be revoked because it does not include the middle name
   * on a suffix removal request, a cert that does not include the suffix does not need to be revoked
  * AP allows accounts with several name variations (i.e. different name variations in different accounts) (all have seen the CAP forms with the possible 3 rows for names from the end of 2008, starting 2009 development ? named capnew.php). Those CAP forms (and the multiple lines of names proposed for a system change) allow multiple name variations to be added to the CAP form and also to the system
   * The Problem: this isn't yet implemented in the running system ( !LibreSsl )
    * A patch is under development or finished, but currently not set active in the production environment
   * But this question may influence the revocation of certs: certs do not need to be revoked if the Arbitrator checks for this possible variation
    * e.g. the user's name is: Renate Bärbel Beckett
     * the user has a middle name with an Umlaut: Bärbel
     * the user created a client cert: Renate Beckett
     * the name change from Renate Bärbel Beckett to Renate Baerbel Beckett does not affect the client cert
    * e.g. the user's name is: Renate Bärbel Beckett
     * the user has a middle name with an Umlaut: Bärbel
     * the user created a client cert: Renate Bärbel Beckett
     * the user wants to add Renate Baerbel Beckett to the account
     * so this change request does not affect the client cert because the old name is still valid in the account
     * the problem: adding an additional name variation is possible under AP but impossible in the system
     * So this problem conflicts with the allowed name variation: the user is allowed by AP to add a second name variation caused by transliteration
   * Assuming that the system could allow a 2nd name variation, the cert with the Umlaut is still valid after the additional name with transliteration is added to the system, because the ID doc states a name with an Umlaut.
   * Now the question is: why should the cert be revoked when, as per AP, the name variation is allowed, but the system cannot handle the 2nd name?
   * As with other naming issues, the system has only one line for one name. The unwritten rule says: we have to deal with this limitation, so this also limits the advanced AP view. Only an Arbitrator can overrule this rule.
   * I can remember that somewhere in the translingo system I have seen help descriptions of how to write name variations into a name field; it looked like: Renate B{ae|ä}rbel Beckett. Where do these definitions come from? The current website doesn't include such help pages ...
 * See also the ruling in Arbitration case [[Arbitrations/a20100208.1|a20100208.1]] ([[Arbitrations/a20100208.1|Minor name change]])

==== Questions ====
 * Assume the user's name is ''Bernd Fröhlich''. The user created the user account ''Bernd Fröhlich BF'' and created the client cert ''Bernd Fröhlich BF''. After a name change request: does the cert need to be revoked?

[[Arbitrations/Training/Lesson31|next]]

----
 . CategoryArbitration
 . CategoryArbitrationsTraining