The General Announcements setting of a members profile is under-utilized in CAcert. The setting, available to members at the URL https://secure.cacert.org/account.php?id=36, provides a good communication form for sending mails to subscribers. Its storage location on CAcert critical infrastructure protect members privacy quite well however it inhibits utilisation because:
1. It is inaccessible to those who need to email announcements (would require frequent arbitrator authorizations)
2, the critical infrastructure is poorly suited to the 100,000 emails (currently) that would be generated upon a general announcement.

In consultation with t/l of the Critical Systems Administration
team I propose that:
1. The SQL query extracting only general announcement email address ("SELECT users.email from users, alerts WHERE alerts.general = 1") be run on the webdb server.
2. results from the query are emailed over local or encrypted link to a lists.cacert.org mail box
3. results are loaded into a cacert-announce list which has the following properties:
   a) members of the list are not viewable by the public or other members (only the list owner and list administrator can view list)
   b) posting to the list is restricted to official communication authorized by the board
4.This process is to be automaticly run monthly (or more frequently should there prove to be sufficient demand and within the capabilities of the critical infrastructure to handle this load). Updates to this list will remove from the announce list members who no longer wish to receive general announcements.

The lists.cacert.org infrastructure already protects privacy information in arbitrator, support engineers and board-private email lists.

An arbitrators decision is desired  in favour of this operation under section 8.5 of the Security Manual.

I accept the Arbitration under the CAcert Community Agreement and the Dispute Resolution Policy. I accept the the governing law will be that of NSW Australia.

Before: Arbitrator name arbitor (A), Respondent: CAcert (R), Claimant: Daniel B (C1), Mario L. (C2), Case: a20100309.1

History Log

Discovery

SELECT users.email FROM users, alerts WHERE alerts.general = 1 AND alerts.memid=users.id;

Statement of SysAdmin Team Leader

The proposal is to export the result of an SQL query on the webdb server
to retrieve the general announcement e-mail address list, like:

   SELECT users.email FROM users, alerts WHERE alerts.general = 1 AND
      alerts.memid=users.id;

on a monthly basis to the lists.cacert.org system, to be used for general
announcement e-mail shots. We are expecting that the lists.cacert.org
administrator will make available for this purpose an e-mail address to
which this SQL query result can be sent by e-mail on an automatic basis.
In order to avoid accidental disclosure of the e-mail by transport problems,
a private gpg key should be associated with the target e-mail address, so we
can encrypt the data with its public key.
The information will be provided on a 'push'-basis, there will not be a way
for lists.cacert.org or any other system to 'pull' this information out of
the webdb system. Thus this data transport will use an already existing
outgoing channel of the webdb system, i.e. SMTP e-mail.

As the Critical Systems Administrator Team Leader, I am happy to implement the
above proposal with the stated restrictions, and will document its use of the
(already documented) SMTP egress channel in the CAcert Security Manual when we
proceed to implement it.

Clarifying his position in a second mail his position on the subject can be summarised:

Outlining the process in discussion

The process of export which is under discussion here is outlined as:

Reasoning

Ruling

Taking into account the facts and reasoning listed above I give the following ruling:

The export of mail adresses from accounts which have activated the "General Announcement" setting is hereby authorized if the following requirements can be satisfied:

Execution

Case is closed.

Similiar Cases

a20090525.1

Event officer request recurrent notification to assurers near the location of the following ATEs


Arbitrations/a20100309.1 (last edited 2010-12-20 22:00:35 by BernhardFröhlich)