Can Bas act as a non-critical systems engineer, given that Bas is an Oophaga Systems Engineer and acts as Access Engineer for CAcert critical systems?

As an Access Engineer, Bas has access to the cabinet (but has no passwords for the critical systems).

Bas has offered to do some work on non-critical systems (wiki, mailserver). In order to do that, Bas will get root passwords and access to some non-critical servers.

Is this a conflict of interest? If so, Bas will withdraw his offer to act as non-critical systems engineer.

Before: Arbitrator Lambert Hofstra (A). Respondent: CAcert (R). Claimant: Bas van den Dikkenberg (C). Case Manager: Hans Verbeek (M). Case: a20090804.1


Claimant, who is access engineer for the critical systems, is allowed to act as system admin for specific non-critical systems, as long as Claimant has no physical access to these non-critical systems.
Since Claimant only acts as system admin for specific non-critical systems that are implemented as virtual machines, Claimant does not have the equivalent of physical access to these specific systems. Therefore Claimant can act as system admin for these virtual servers.
Claimant is not allowed to act as system admin of the server hosting these virtual systems.
This ruling can be applied to similar cases where an access engineer for the critical systems is considered as system admin for non-critical systems, as long as the access engineer has no physical access to these non-critical systems.


This case concerns the question whether there is a conflict when an access engineer for the critical systems (who has physical access, but no unrestricted logical access, i.e. no root/admin account) also acts as a system administrator (who has unrestricted logical access) for non-critical systems.
Definitions (taken from the security policy):

Access Engineer
    A Member who manages the critical hardware, including maintenance, access control and physical security. See §1.1. 
Software Assessor
    A Member who reviews patches for security and workability, signs-off on them, and incorporates them into the repository. See §7. 
Support Engineer
    A Member who mans the support list, and has access to restricted data through the online interface. See §8. 
Systems Administrator
    A Member who manages a critical system, and has access to security-sensitive functions or data. 

In order to rule in this case we have to establish:

  1. which systems are critical and which are not
  2. what type of access is granted to the two roles that Claimant fulfils
  3. whether the current security policy applies to this case
  4. if it applies, what the current security policy says about such cases
  5. if the policy makes no specific statement, whether the arrangement would be in line with the spirit of the current security policy

--- Regarding 1: The security policy clearly defines which systems are critical and which are not (security policy, point 1.1):

This Security Policy sets out the policy for the secure operation of the CAcert critical computer systems. These systems include:

   1. Physical hardware mounting the logical services
   2. Webserver + database (core server(s))
   3. Signing service (signing server)
   4. Source code (changes and patches)

According to the sysadmin team, the following systems are considered core critical:

Supporting servers that are critical:

--- Regarding 2: As an access engineer, C has physical access to the critical systems. No unrestricted logical access (meaning root/admin access) is granted in any way to these systems or to any other physical system.
(see [3]: according to the sysadmin team, C has no unrestricted logical access to any (!!!) of the physical servers. C only has access to virtual servers)
--- Regarding 3: The current security policy applies to critical systems. Claimant is access engineer for the critical systems, therefore the security policy applies.
--- Regarding 4: The security policy, paragraph 1.1.2, states that non-critical systems are out of scope, but may be guided by it, or impacted by it where they are found within the security context. This should be read as: non-critical systems are impacted by, and should comply with, the current security policy if they can influence the security of the critical systems.
Claimant is system admin of the mail server and the Wiki. These do not provide access to data in the critical systems or directly influence the security of the critical systems. As such there is no conflict on that point.
The security policy, however, is inconclusive as to how this relates to dual roles. The security manual, paragraph 2.3.2, states:

Physical access is only possible through Oophaga's Access Engineers. At least one Oophaga Access Engineer must be present. At least one CAcert Systems Administrator will be present for logical access to CAcert critical servers.
Regarding non-critical systems:

    * non-critical servers: one Access Engineer and one systems administrator.

It also states:

       Access Engineers do not access the data.

Combining these, I conclude that a person can be either access engineer or systems administrator for a specific server, but not both. This applies to both critical and non-critical servers.
The current policy, however, makes no statement on holding different roles for different servers, e.g. being access engineer for server A and system administrator for server B.
We have established that Claimant, who is access engineer for the critical systems, does not have unrestricted logical access to the critical systems ([3] and [4]).
We therefore have to assess whether Claimant, who is system administrator of (some of) the non-critical systems, also has physical access to these same non-critical systems (i.e. whether he is both system admin and access engineer for them).
Statement [4] explicitly states that the non-critical systems are implemented as virtual systems.
Because of this, the equivalent of an access engineer for such a virtual system is the system admin of the host OS in which these virtual systems are running. Statement [4] explains that Claimant has no logical access to this (physical) host environment.
As a result I conclude that, given the current configuration with virtual machines for the non-critical servers, Claimant acts only as access engineer for the critical systems (not system admin: no unrestricted logical access), and only as system admin (not access engineer) for the assigned non-critical systems.
In this case I therefore rule that there is no conflict of interest.
[1] Security Policy:
[2] Security Manual:
[3], [4] Statements regarding physical and logical access to systems

Arbitrations/a20090804.1 (last edited 2009-12-09 03:38:08 by UlrichSchroeter)