= Arbitration / Training =
The Training Course for Case Managers and Arbitrators


== Lesson 30 - Name Changes and the CPS ==

 ''' WIP '''

 * The [[http://www.cacert.org/policy/CertificationPracticeStatement.php|CPS]] went to DRAFT with Status: DRAFT p20091108
  * Certs created before 2009-11-08 are not affected by this investigation
  * Certs created after 2009-11-08 need further investigation


 * The certs problem
  * If the user created client certificates while the account still held the not yet corrected name, the certs were built with the wrong given name from the account.
  * [[http://www.cacert.org/policy/CertificationPracticeStatement.php|CPS]] 3.1.1. Types of names - Client Certificates. The Subscriber Naming consists of:
   * CN= The common name takes its value from one of:
    * For individual Members, a Name of the Subscriber, as Assured under AP.
  * After the name change, the name in question probably no longer conforms to AP

 * When creating client certificates, users can select between several variations
   * from the source code: /pages/account/3.php lines 64-68 (create client cert)
   * No Name in the Cert  (named: WoT user)
   * Givenname + Lastname
   * Givenname + Middlename + Lastname
   * Givenname + Lastname + Suffix
   * Givenname + Middlename + Lastname + Suffix
  * Which certs have been created by the user?
   * if removal of a middle name is requested and the user has created a client cert with Givenname + Lastname, this cert doesn't need to be revoked because it doesn't include the middle name
   * on a suffix removal request, a cert that doesn't include the suffix does not need to be revoked

 * AP allows accounts with several name variations (i.e. different name variations in different accounts). Everyone has seen the CAP forms with the possible 3 rows for names (from the end of 2008 / start of 2009 development?, named capnew.php). Those CAP forms (and the multiple lines of names proposed for a system change) allow multiple name variations to be added to the CAP form and also to the system
  * The Problem: this isn't yet implemented in the running system ( !LibreSsl )
   * A patch is under development or finished, but is currently not active in the production environment
  * But this question may influence the revocation of certs: certs may not need to be revoked if the Arbitrator checks this possible variation
  * e.g. the user's name is: Renate Bärbel Beckett
   * user has a middle name with Umlaut: Bärbel
   * user created client cert: Renate Beckett
   * the name change from Renate Bärbel Beckett to Renate Baerbel Beckett doesn't affect the client cert
  * e.g. the user's name is: Renate Bärbel Beckett
   * user has a middle name with Umlaut: Bärbel
   * user created client cert: Renate Bärbel Beckett
   * the user wants to add Renate Baerbel Beckett to the account
   * so this change request doesn't affect the client cert because the old name is still valid in the account
   * the problem: adding an additional name variation is possible under AP but impossible in the system
   * So this problem conflicts with the allowed name variation: under AP the user is allowed to add a second name variation caused by transliteration
   * Assuming that the system could allow a 2nd name variation, the cert with the Umlaut is still valid after the additional name with transliteration is added to the system, because the ID doc states a name with Umlaut.
   * Now the question is: why should the cert be revoked when, as per AP, the name variation is allowed but the system cannot handle the 2nd name?
   * As with other naming issues, the system has only one line for one name. The unwritten rule says: we have to deal with this limitation, so this also limits the advanced AP view. Only an Arbitrator can overrule this rule.
   * I can remember that somewhere in the translingo system I have seen help descriptions of how to write name variations into a name field; it looked like: Renate B{ae|ä}rbel Beckett. Where do these definitions come from? The current website doesn't include such help pages ...

 * See also ruling Arbitration case [[Arbitrations/a20100208.1|a20100208.1]] ([[Arbitrations/a20100208.1|Minor name change]])
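
The two checks walked through above (which name variation a cert carries, and which names remain valid on the account after the change) can be run over a list of issued certs. This is an added example, not CAcert code; it assumes name parts are joined with single spaces, takes the `WoT user` label from this lesson, treats certs created on 2009-11-08 as in scope, and uses constructed sample certs. Passing two names models the additional name variation that AP allows but the running system does not yet support.

```python
from datetime import date

CPS_DRAFT_DATE = date(2009, 11, 8)   # CPS Status: DRAFT p20091108 (from this lesson)
NO_NAME_CN = "WoT user"              # label this lesson gives the no-name option

def cn_variations(given, middle, last, suffix):
    """CNs the five listed options can produce for one account name.
    Joining the parts with single spaces is an assumption of this example."""
    cns = {NO_NAME_CN}
    for parts in ((given, last), (given, middle, last),
                  (given, last, suffix), (given, middle, last, suffix)):
        if all(parts):               # skip options that need an empty field
            cns.add(" ".join(parts))
    return cns

def classify_certs(certs, names_after_change):
    """Sort (cn, created) pairs into 'out_of_scope', 'unaffected', 'review'.

    names_after_change: every (given, middle, last, suffix) tuple valid for
    the account after the change; one tuple on the current system, two if
    an additional name variation is accepted (hypothetical)."""
    valid = set()
    for name in names_after_change:
        valid |= cn_variations(*name)
    result = {"out_of_scope": [], "unaffected": [], "review": []}
    for cn, created in certs:
        if created < CPS_DRAFT_DATE:
            result["out_of_scope"].append(cn)  # created before the CPS draft date
        elif cn in valid:
            result["unaffected"].append(cn)    # CN matches a name still on the account
        else:
            result["review"].append(cn)        # CN matches no remaining name: Arbitrator decides
    return result

# Constructed sample data based on the lesson's Renate Bärbel Beckett case.
OLD = ("Renate", "Bärbel", "Beckett", "")
NEW = ("Renate", "Baerbel", "Beckett", "")
CERTS = [("Renate Beckett", date(2010, 1, 5)),
         ("Renate Bärbel Beckett", date(2010, 1, 6)),
         ("Renate Bärbel Beckett", date(2009, 3, 1))]

if __name__ == "__main__":
    print("name replaced:  ", classify_certs(CERTS, [NEW]))
    print("variation added:", classify_certs(CERTS, [OLD, NEW]))
```

The `review` list only flags certs for the Arbitrator; it does not decide revocation.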

==== Questions ====
 * Assume the user's name is ''Bernd Fröhlich''. The user created the user account ''Bernd Fröhlich BF'' and created the client cert ''Bernd Fröhlich BF''. After the name change request: does the cert need to be revoked?



----
 . CategoryArbitration
 . CategoryArbitrationsTraining