  * Case Number: a20110407.1
  * Status: running
  * Claimants: Richard T
  * Respondents: CAcert
  * Case Manager: BernhardFröhlich
  * Arbitrator: UlrichSchroeter
  * Date of arbitration start: 2011-04-13
  * Date of ruling: 201Y-MM-DD
  * Case closed: 201Y-MM-DD
  * Complaint: Please remove <domain> from my Organisational Domains

  * Relief: TBD

Before: Arbitrator UlrichSchroeter (A), Respondent: CAcert (R), Claimant: Richard T (C), Case: a20110407.1


== History Log ==
 . 2011-04-07 (issue.c.o) case [s20110407.11]
 . 2011-04-13 (A): added to wiki, request for CM / A
 . 2011-04-13 (A): I'll take care about this case as (A)
 . 2011-04-13 (A): I appoint the (CM) as per [[Arbitrations/Meetings/ATAgendaandMinutes-20110405|Arbitration Team meeting 2011-04-05]] decision
 . 2011-04-13 (A): sending initmailing with CCA/DRP acceptance request to (C)
 . 2011-04-13 (C): accepts CCA/DRP under this arbitration, sending addtl. infos
 . 2011-04-30 (A): proposal for next steps to handle this case to (OA)
 . 2011-05-01 (OA): response to proposal to (CM), (A), (OAO)
 . 2012-01-22 (A): discovery and assumptions, investigations and interpretations, deliberations and conclusions to (OA)'s proposal dated 2011-05-01 to (OA), (OAO) (also applies to [[Arbitrations/a20120121.1|a20120121.1]])
 . 2012-05-02 (A): requesting Org certs status on (C)'s users account
 . 2012-05-02 (A): request to (OA) for Org-contact of Organisation in question
 . 2012-05-03 (OA): [s20120502.114] sends email address of Org-contact
 . 2012-05-03 (Support): [s20120502.113] no information available.
 . 2012-05-03 (OAO): called (A) by phone with informations regarding this case
 . 2012-05-03 (A): request to (OAO) to explain the received results (as done by phone)

== Original Dispute, Discovery (Private Part) ==

 * Link to Arbitration case [[Arbitrations/priv/a20110407.1|a20110407.1 (Private Part)]]

<<Include(Arbitrations/priv/a20110407.1)>>  

==== EOT Private Part ====

== Discovery ==
 * What is the correct current OAP?
  * by default it should be: [[http://www.cacert.org/policy/OrganisationAssurancePolicy.php]]
   {{{
OAP 	 	 Jens
POLICY m20070918.x
$Date: 2008-01-18 22:56:31 $
COD11 
}}}
  * Another revision is located in the SVN [[https://svn.cacert.org/CAcert/Policies/OrganisationAssurancePolicy/OrganisationAssurancePolicy.html|OAP in SVN]]
   {{{
CAcert Draft
Document: OAP COD11
Author: Jens Paul
Creation date: 2007-09-18
Status: POLICY/DRAFT 2007-09-18 m20070918.x
Changed: 2008-04-01 Teus Hagen policy list vote; add advisors and board
Next status: POLICY 2008
}}}
  * Board decisions 2008 - 2009 regarding OA area
   * [[EmailBoardDecisions2008-09|Decisions from Nov 2008 to July 2009]] summarizes all decisions voted upon by the board by email from the AGM in 2008 until the SGM in July 2009.
   * [[EmailBoardDecisionsUpdateFeb2008|Decisions 2008]] summarizes all decisions voted upon by the board in 2008.
  * [[PolicyDecisions|Policy Group Decisions]]
   * p20090218.1 Add Danish SVR trade office registrar to the OA sub-policy Europe table of accepted trade office registrars - '''Carried'''
   * p20090210.1 Add Belgian KBO trade office registrar to the OA sub-policy Europe table of accepted trade office registrars - '''Carried'''
   * p20080920 Organisation Assurance sub-policy for Europe voted to DRAFT - '''Carried'''
   * p20080429.1 Organisation Assurance Sub-Policy for Ireland - '''Carried'''
   * p20080402.1 Organisation Assurance Sub-Policy for Australia - '''Carried'''
   * p20080401.1 Policy on Organisation Assurance - '''Carried'''
   * p20080308.1 Organisation Assurance sub-policy for Austria - '''Carried'''
   * p20080128.1 Assurers are individuals not organisations - '''Carried'''
    {{{
for clarification:

   1. Assurers are individuals, not organisations.
   2. Organisation Assurers are individuals, too.
   3. Organisation Assurance does not rely on web-of-trust, but instead relies on quality processes. 

In the above, _individuals_ is synonymous with _natural persons_ and _organisations_ is synonymous with _legal persons_ being organisations that are legally separated from people
}}}
   * p20080109.1 CCA to POLICY status - '''Carried'''
   * p20071207.1 Organisation Assurance sub-policy for the Netherlands - called. Decided on policy email list by consensus, no votes seen. 
   * p20071022 Organisation Assurance sub-policy for Germany - '''Carried'''

  * policy decision taken by other means
   * p20070918.1 Policy on Organisation Assurance - [[TopMinutes-20070917|TOP Pirmasens: m20070918.x]]

  * Despite the fact OAP in SVN has a header note
   {{{
WARNING:
The proper policy document is located
on the CAcert website .
This document is a working draft to include
future revisions only, and is currently
only relevant for the [policy] group.
}}}
   * This revision is more appropiate regarding the date state in the header then the one listed under www.cacert.org/policy

   * OAP in SVN revisions
    * 566 first revision in SVN
    * 567 2008-01-28 - moving these all into Policies so that they can be managed from one central place
    * 582 2008-02-19 - modified: future change, proper name for CCA is CAcert Community Agreement
    * 731 2008-04-01 - Trees are now one version. Join of the document version tree.
    * 733 2008-04-02 - Chaged info on status to POLICY/DRAFT due to unclearness in decision. So it is DRAFT now.
    * 735 2008-04-02 - Some minor changes for layout, spelling and definitions.

   * so "p20080401.1 Policy on Organisation Assurance" matches SVN revision #735
    * this revision is the "official" current revision, that was voted last in Policy Group
    * [[https://svn.cacert.org/CAcert/Policies/OrganisationAssurancePolicy/OrganisationAssurancePolicy.html|OAP in SVN (current!)]]
    * clarification regarding "current" revision from Policy Group mailing list
     * [[https://lists.cacert.org/wws/arc/cacert-policy/2008-04/msg00017.html]]

 * Proposed Delete Org Account procedure by an OA dated 2011-05-01
  {{{
Deleting an account:
 * SE highjacks organisation account by adding himself as admin.
 * Notes lates expiration date of certificates.
 * Revokes all certificates
 * Deletes the organisation (anonymisation for organisations not
   necessary imho), leaves a-number in comment field before.
 * Reports latest expiration date and deletion to Arbitrator.
 * Arbitrator sets CCA termination date to the date reported by SE.
   Case closed.
}}}
  * Problem 1: SE with admin flag set only, has no access to Org area (!) to remove Org-Admin from an organisation and/or delete an organisation
  * Problem 2: SE with admin flag set only, has no access to Org certs area (!) to revoke Org certs
   * with [[https://bugs.cacert.org/view.php?id=794|bug #794]] patch, an overview is possible to an individual members account, if there is an org cert related to an individual member account and their last expire dates
  * Problem 3: also a Support-Engineer who is also OA cannot access the list of Org client certs and Org server certs, so these certs cannot be revoked. The only delete Certs routine that is implemented in the system is, to delete an users account asssociated with such an org or to remove an Org by an OA or to remove a domain associated with an Organisation by an OA

== Deliberations ==
 * 2012-01-22 (A): discovery and assumptions, investigations and interpretations, deliberations and conclusions to (OA)'s proposal dated 2011-05-01 to (OA), (OAO) (also applies to [[Arbitrations/a20120121.1|a20120121.1]])
 {{{
fact 1:

ok, fist question, I've discovered under a20110407.1 is
which policy is current?

I've stumbled over several revisions and started investigations.
The result is listed under
https://wiki.cacert.org/Arbitrations/a20110407.1

I came to the conclusion after checking the PolicyDecisions page,
checking the Policy Mailing list archives that current OAP is
https://svn.cacert.org/CAcert/Policies/OrganisationAssurancePolicy/Organis
ationAssurancePolicy.html


fact 2:
is there any definition how to handle O-Admin resigns? in OAP or in a
handbook?
is there any definition how to handle Org terminations?

The latter is linked by:
OAP 4.1 d
the organisation has agreed to the terms of the  CAcert Community
Agreement , and is therefore subject to Arbitration. 

CCA 3.3  Termination 
You may terminate this agreement by resigning from CAcert. You may do this
at any time by writing to CAcert's online support forum and filing dispute
to resign. 

the first is still in question. Its not handled by OAP.
It may be handled under a handbook, but none that I'm aware off.


fact 3:
Role of O-Admin and the requirement for an Organisation to have one
appointed
is defined under:
OAP 2.4 Organisation Administrator 
b. Organisation is required to appoint O-Admin, and appoint ones as
required. 

So here I now start with interpretations, based on the discussion with
Mario back in May 2011 (see below attachment):
Once the last O-Admin gets removed from the list of O-Admins for an
Organisation, the Organisations state becomes orphaned as the Organisation
no longer fulfills the OAP 2.4 b requirement.

Let me turn around this question:
What do you do in a new OA request, if an organisation has no
O-Admin listed on the COAP form? (this question goes to the OrgAssurers in
the CC party) ?

Rejecting the OA request? returning the COAP form? until one O-Admin is
found?

Ok, assuming, your answer goes this direction, the outcome is clear:
An Org has to have at least one O-Admin, otherwise an Org can no longer
run under CAcert's OA program before the O-Admin requirement is fulfilled
again.


The next question, that araises out of this intermediate result is:
Is it allowed for an Organisation to enter the "orphaned" state
and stay for a while ?

To be able to answer this question, its required to get some more ideas
about the impact an orphaned state has for an organisation.
This is mainly based on issueing certificates.
The 2 critical topics in the Assurance area are:
 a) active certificates
 b) doing assurances
In the OA area, b) doesn't apply, so there is only a) left we
have to discover:

An O-Admin creates certificates on behalf for the whole organisation.
He handles the list of active certificates, to revoke certificates,
to issue new ones.
The question that araises out of here is:
Is someone other able to handle the certificates, that the
old, resigned O-admin has been issued?

Ok, last night I've started some software testing under
cacert1.it-sls.de and played around with O-admin's, OA's
and Support-Engineers and OA's + SE's accounts
based on the proposed 
................................................................
Deleting an account:
 * SE highjacks organisation account by adding himself as admin.
 * Notes lates expiration date of certificates.
 * Revokes all certificates
 * Deletes the organisation (anonymisation for organisations not
   necessary imho), leaves a-number in comment field before.
 * Reports latest expiration date and deletion to Arbitrator.
 * Arbitrator sets CCA termination date to the date reported by SE.
   Case closed.
................................................................
procedure, proposed by Mario back in May 2011

The question that I've started was, can an SE handle OA accounts?
With the tests made, I come to the following conclusion:

 * Problem 1:
   SE with admin flag set only, has no access to Org area (!)
   to remove Org-Admin from an organisation and/or delete an organisation

 * Problem 2:
   SE with admin flag set only, has no access to Org certs area (!)
   to revoke Org certs

   * with bug #794 patch, an overview is possible to an individual
     members account, if there is an org cert related to an individual
     member account and their last expire dates, but SE cannot
     act anything.

 * Problem 3:
   also a Support-Engineer who is also OA cannot access the list of
   Org client certs and Org server certs, so these certs cannot be
revoked.
   The only delete Certs routine that is implemented in the system is,
   a. to delete an users account asssociated with such an org -or-
   b. to remove an Org by an OA -or-
   c. to remove a domain associated with an Organisation by an OA 

So any request regarding OA tasks needs to be transfered to the OA area.
But also this is limited (eg actions regarding certs).

Ok, back to my original question:
"Is someone other able to handle the certificates, that the
old, resigned O-admin has been issued?"
The answer is =>  NO !!!

Ok, thinking off an certs issue. Someone files an dispute and a
certificate
needs to be revoked.
Who can revoke the cert of an Organisation account, where an O-Admin
is no longer available?
No one !

The only workaround is by an OA, to remove the domain from the Org's
domains list
or to remove the Org entirely. The latter goes the CCA termination
direction.

One more thought is about, an Org with no remaining certs.
Then the risk for CAcert is minimized, nearly zero, because the
"critical" topic is the "active" certs issue. With no remaining
"active" certs, the risk is minimized and can be probably ignored.
Under this, and only this exception, an Org can stay "orphaned"
for a while.


Ok, what does this mean for the remove last O-Admin from an Org account
task?
An OA has to check, that there is no remaining "active" cert issued
under an Org account. If there are remaining certs, the removal
request cannot be processed.
Here, an OA has to interact with an SE, who can view if there are
Org certs active/expired under an O-Admins account. If the count is > 0
the result needs to be communicated to the OA, who requests the
revocation of all org certs from the last O-Admin (verification request
to SE).

There might be one problem here, if an O-Admin has more then one
Organisation
under his member account linked. So one Organisation's certs to revoke
still leaves the other Organisations unhandled. The SE admin console view
lists _all_ certs of _all_ Organisations. So there is no one who
can confirm, that the O-Admin revoked all certs of a specified
Organisation.

If there are active certs revoked in this process, the 3 months "hold"
rule
we've added for common delete my account procedures, probably applies
here also. Before an O-Admin can be removed from the O-Admin list
of an Org, the 3 months hold delay has to pass.


Assuming, that an orphaned Org will become active again in a year or two
by adding a new O-Admin, the Org account can be kept open under above
exceptions given.

As there are many interactions, in handling such a case, one needs to
pickup the task to take control over the overall process.
So also, the company contact should be informed by an OA, that
the company is running in a potential "orphaned" state, and
the company is required to appoint a new O-Admin.
if the company will continue staying as a CAcert member.
Otherwise a dispute filing has to be initiated, that the
company no longer wants to stay under the CAcerts OA program
(-> CCA termination).

This all needs to be controled and directed by an OA.
So the OA can be seen as a mentor in this process.
An O-Admin doesn't has the knowledge about all the
facts and requirements behind the scene.
}}}
  * one topic not covered realy: removal of one domain by OA to revoke certs (authorisation? modification of the Orgs account data)


== Ruling ==

== Execution ==

== Similiar Cases ==

|| [[Arbitrations/a20120121.1|a20120121.1]] || [[Arbitrations/a20120121.1|Please remove <domain> from my Organisational Domains]] ||

----
 . CategoryArbitration
 . CategoryArbCaseOrgAssurance

''' and please add one of the following Topics, delete the rest '''

 . CategoryArbCaseAccountDelAssurer
 . CategoryArbCaseAccountDelNonAssurer
 . CategoryArbCaseAccountCleanup
 . [[CategoryArbCaseCCAViolation]]
 . CategoryArbCaseDomainDispute
 . CategoryArbCaseSystemTasks
 . CategoryArbCaseOthers
 . CategoryArbCaseExternal