- Case Number: a20090510.3
- Status: Execution
- Claimants: Guillaume Romagny (C)
- Respondents: Francois Sauterey (R)
- Case Manager: UlrichSchroeter (at Exec steps)
- former Case Manager: Alejandro Mery
- Arbitrator: Lambert Hofstra (A)
- Date of arbitration start: 2009-05-11
- Date of ruling: 2009-09-06
- Case closed: 2011-##-##
- Complaint: Assurer with alter-egos even assured himself more than once
Francois Sauterey is assurer (at least) twice and he has (at least) one other account with points, and he has assured his alter-egos.
- Relief:
- Date of arbitration:
Log:
- A 20090511 : A sent email to involved parties (C, R, CM), with request to confirm email address, and to confirm parties accept the arbitration. A CC: has been sent to the email addresses that are claimed to be alter egos of R
- A 20090514 : no response to the email received
One of the principles of the CAcert assurance is the fact that new members will need to be assured by multiple assurers: no single individual should be able to give more than 35 points. Since C claims that R has three accounts, with two of them having assurer status, it could create a situation where one individual can give more than 35 points to a member. There has been no response from any of the three email addresses so far claiming that these addresses are linked to different persons. I therefore have to respond to the original claim.
Intermediate Ruling
I therefore rule that until the final ruling:
- The first account shall remain fully functional
- The second and third account must be frozen:
- No assurances are allowed involving the second and third account.
- No new certificates may be issued for second and third account.
- Existing certificates for second and third account can still be used and do not have to be revoked
Log:
- A 20090518 : Response from R: He accepts arbitration. Provides more info, R admits he has 4 accounts, and is currently trying to roll them all back into one
- A 20090518 : Requested overview of assurances with accounts of R: other accounts have received points from two accounts of R: this is in conflict with the current policy where a single person can issue a maximum of 35 points. 36 of these assurances were done on 20090514
Second intermediate Ruling
I therefore rule that until the final ruling:
- CAcert support will check which of the members assured by R is an assurer and report back to A
- CAcert support will freeze the accounts that were assured on 20090514
- No assurances are allowed by these accounts.
- No new certificates may be issued by these accounts.
- Existing certificates of these accounts can still be used and do not have to be revoked
Log:
- A 20090521 : CM has cross-checked all members that were assured twice by R: only one has >100 points. Also: most of the remaining members have only received points from R, not from anyone else
- A 20090525 : received email from R in response to email sent with questions regarding this case: R has been away, but will respond within a few days with more info
- A 20090601 : Received first real feedback on June 1st. Asked another question, regarding an organisation that appears to be assured.
- A 20090601 : Sent a summary email with the 6 discovered issues to R, including the feedback I received from R on these issues. I asked if my summary was correct, and asked R to provide feedback
- A 20090602 : Email from R: answering takes time because all correspondence in English, and that language is difficult for R.
- A 20090602 : discussed the language issue with CM. Asked if CM could help in finding someone who can help R by translating between English and French: this can help ensure R fully understands the questions, and can respond with enough details.
- A 20090605 : Found a translator: fully assured CAcert member (150 points), agrees to accept the CCA, agrees to only share info with A and R, and signed the email with CAcert cert.
- A 20090605 : asked R if I can bring a translator to the case, to help in the language problem
- A 20090611 : R agrees. Last email with list of issues is translated in French, and sent to R for further feedback
- A 20090622 : No life sign from R. Asked translator to translate email from A to R, asking for quick response. When R cannot provide more detail the ruling cannot include his side of the story
- A 20090624 : Translator on holiday, waiting for translation.
- A 20090826 : Further discussions with R
- A 20090906 : Created ruling:
- 2010-02-24 (UlrichSchroeter): request for progress report
- 2010-09-08 (UlrichSchroeter): request for progress report from (A)
Ruling
The original dispute has led to further investigations. The case now includes the following issues:
1. Respondent has multiple accounts
2. 2 of Respondent's accounts have assurer status
3. Respondent assured 2 of his other accounts, giving in total more than 50 points to these accounts
4. Respondent has assured accounts of other persons with both of his accounts, most of these were done after Respondent met Claimant (about 55 persons, one of them now has 100 points)
5. Respondent assured with his first assurer account his second account, resulting in that account reaching 100 points, and becoming an assurer account.
6. Respondent assured an organisation, Centre Ressource Réseau Associatif et Syndical

Respondent's feedback so far is:

1. yes, I have them, but I was trying to get it back into one, my first account was not a personal email address but a group email address (Respondent has provided a link to the CAcert support list to show a question)
2. yes, but see 4)
3. Yes, but as training for a real assurance
4. yes, but this was as part of a training at the university where I work, where I assured my students both as an introduction to CAcert, and to provide them with named certs
5. yes, but I was just trying to move the points to the new account
6. yes, but I was looking for a way to have more persons control the account
So basically Respondent confirms the issues. One issue here was that Respondent does not speak English very well.
To limit the impact I had two intermediate rulings:
- Freeze all accounts of Respondent, except for the original
- Find all persons that were assured twice or more by Respondent and freeze those accounts
The ruling is per issue, summarized below
Ruling on multiple accounts
Respondent has multiple accounts.
A CAcert community member has a CAcert login account (see the assurance policy: http://www.cacert.org/policy/AssurancePolicy.php )
Such an account is the link between the Member (person) and the CAcert system, and information regarding the member (like name, DoB, assurance status) is linked to that account. Although there is no rule that forbids having two or more accounts, it is not recommended, since it can cause problems.
Ruling: It is not forbidden to have multiple accounts
Ruling on multiple accounts with assurer status
2 of Respondent's accounts have assurer status
There is no rule that forbids a CAcert Member to have two accounts with assurer status. However, a Member with assurer status assures, and uses a CAcert account to register the assurance. Since an Assurer can assure another member (a person) only once, it is forbidden for an assurer to assure a single person and register that assurance with more than one account. An assurer can only give the number of points linked to the account that is used to assure someone. Therefore, since having multiple assurer accounts is not required, it is strongly advised not to allow them.
Ruling: It is not forbidden to have multiple assurer accounts
Ruling: To avoid issues like this one, CAcert shall review if having multiple assurer accounts is acceptable
Ruling on assuring your own accounts
Respondent assured 2 of his other accounts, giving in total more than 50 points to these accounts
Ruling: An assurer cannot meet himself/herself. Therefore all assurances by Respondent of accounts of the Respondent are invalid and must be revoked
Ruling on assuring other accounts twice
Respondent has assured accounts of other persons with both of his accounts, most of these were done after Respondent met Claimant (about 55 persons, one of them now has 100 points)
Ruling: An assurer can only assure a CAcert member once, with a single account, not with multiple accounts. Assurances of a member by using a second, third, or even more accounts are invalid and corresponding assurance points must be revoked.
Therefore, in all cases where Respondent used more than one account to assure another CAcert member, the second (and further) assurances of a single member must be revoked.
Ruling: All CAcert members that were assured more than once by Respondent must be informed that the illegal assurances and corresponding points will be revoked.
Ruling: In case these revocations will result in having less than 50 points (can request named certificates) the CAcert member will have a grace period of two months to get assured by others before actually losing these named certificates. If after the period of two months the member does not have at least 50 points his/her named certificates will be revoked.
Ruling: In case a CAcert member had 100 assurance points and is assurer, and assurance points will be revoked because he/she was assured twice by Respondent, he/she will have a grace period of two months before actually losing assurance status. During these two months the member is not allowed to make further assurances until he/she acquired enough assurance points to reach the 100 point level.
Ruling on assuring your own account
Respondent assured with his first assurer account his second account, resulting in that account reaching 100 points, and becoming an assurer account.
Ruling: It is impossible to meet yourself face-to-face, therefore the assurance of the second assurer account of Respondent is illegal. As a result the corresponding assurance points will be revoked and the second account will lose assurance status. Respondent will receive a grace period of two months to get his second account assured up to a point where he has 100 assurance points.
Ruling: If after the grace period of two months Respondent has not acquired 100 assurance points for his second assurer account, the second account will permanently lose assurer status, and all users assured with this second assurer account will lose the issued points with a grace period of two months.
Ruling: There will be no further revocation beyond that point (second degree and beyond, meaning persons assured by an assurer assured by Respondent's second account) to stop the ripple turning into a tsunami.
Ruling on assuring an organisation as if it was a person
Respondent assured an organisation, as if it was a person
Ruling: Respondent cannot meet an organisation in person or check IDs of an organisation. Therefore the assurance is illegal, and must be revoked, all issued certificates must be revoked, and the account must be deleted.
Generic Rulings
Ruling: The use of two or more accounts of the assurer to assure a single person is a clear violation of the rules. Respondent will lose assurer status on all accounts if this happens again in the future.
Ruling: All "frozen" accounts can be "unfrozen" after the required revocations are performed
Background
Underlying issue: when a CAcert member has multiple assurer accounts, he/she can bypass the controls that limit the maximum number of points that a normal assurer can give to 35. This control is in place to make sure
- two (2) separate assurers have met and assured a person before he/she can create named certificates, and,
- three (3!) separate assurers have met and assured a person, before he/she can become assurer.
Relevant text in the Assurance Policy:
- The purpose of Assurance is to add confidence in the Assurance Statement made by the CAcert Community of a Member.(Assurance Policy, chapter 1)
- The maximum number of Assurance Points that may be awarded by an Assurer is determined by the Experience Points of the Assurer. (Assurance Policy, 4.4. Experience points)
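
The 35-point control described in this Background section, together with the revocation and grace-period rules from the rulings above, can be expressed as a check over assurance records. This is an added illustration, not CAcert software and not part of the arbitration record; the record layout, the account names and the account-to-person mapping are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

MAX_POINTS_PER_ASSURER = 35   # cap stated in the Background section
NAMED_CERT_THRESHOLD = 50     # points needed for named certificates
ASSURER_THRESHOLD = 100       # points needed for assurer status

# Constructed sample data. OWNER maps account -> person (hypothetical mapping
# established by an investigation); records are (assurer, assuree, points).
OWNER = {"r1": "R", "r2": "R", "x": "X", "y": "Y", "s1": "S1", "s2": "S2"}
ASSURANCES = [
    ("r1", "r2", 35),                      # R assures his own second account
    ("x", "r2", 35), ("y", "r2", 30),
    ("r1", "s1", 35), ("r2", "s1", 35),    # same person, two accounts
    ("r1", "s2", 35), ("r2", "s2", 35), ("x", "s2", 35),
]

def totals(assurances):
    """Sum points per assuree account, capping each assurance at 35."""
    result = defaultdict(int)
    for _, assuree, points in assurances:
        result[assuree] += min(points, MAX_POINTS_PER_ASSURER)
    return dict(result)

def split_assurances(assurances, owner):
    """Keep the first assurance per (assurer person, assuree account);
    revoke self-assurances and repeats made through another account."""
    kept, revoked, seen = [], [], set()
    for record in assurances:
        assurer_acct, assuree_acct, _ = record
        pair = (owner[assurer_acct], assuree_acct)
        if owner[assurer_acct] == owner[assuree_acct]:
            revoked.append((record, "self-assurance"))
        elif pair in seen:
            revoked.append((record, "repeat assurance by same person"))
        else:
            seen.add(pair)
            kept.append(record)
    return kept, revoked

def grace_period_notices(assurances, kept):
    """Accounts that drop below a threshold once revocations are applied."""
    before, after = totals(assurances), totals(kept)
    notices = {}
    for account, old in before.items():
        new = after.get(account, 0)
        lost = []
        if old >= ASSURER_THRESHOLD > new:
            lost.append("assurer status")
        if old >= NAMED_CERT_THRESHOLD > new:
            lost.append("named certificates")
        if lost:
            notices[account] = (new, lost)
    return notices
```

In the constructed data, each account that crosses a threshold downward is one that would receive the two-month grace period under the rulings.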
Execution
- 2011-03-09 (CM): UlrichSchroeter, I'll take care as replacement of former (CM)
- 2011-03-09 (A): request to (Support): current state of 6 accounts
- 2011-03-10 (Support): [s20110309.70] sends (A) requested infos
- 2011-03-23 (A): exec req #1 to (Support)
- 2011-03-24 (Support): [s20110323.242] Unfortunately we are not able to handle S/MIME encrypted mail yet in OTRS, so please send it either not encrypted to support or encrypted to my private address
- 2011-03-24 (A): resends exec req #1 to (Support) unencrypted
- 2011-03-25 (Support): [s20110324.123] exec report for req #1, problems with Delete Account procedure with email address mask on 2nd account
- 2011-03-25 (CM): info to (A), to contact (SA) (dirk), proposal using email address mask: arbitration_aYEARMMDD.#.#@c.o
- 2011-04-20 (A): question to (SA): Can we add a sequence number ? eg arbitration_aYEARMMDD.#.#@c.o ?
- 2011-04-21 (SA): in patch the mask x11111111.111 defines a string with 11 to 13 characters, but can be extended, proposal to add to the upcoming Software-Assessment project meeting
- 2011-04-27 (A): re-request for info about the X11111111.111.111 proposal to (SA)
- 2011-05-04 (SA): minutes from Software-Assessment Project Team meeting 2011-05-04, Ok
- 2011-05-06 (CM): new Delete Account for SE's Procedure v3 ruled under a20110502.1
- 2013-04-30 (CM): bug #893 checks for regexp `/^[a-z]\d{8}\.\d+\.\d+$/i`
- 2013-07-24 (CM): reminder to (A) to continue with an order to (Support)