- Case Number: a20110608.1
- Status: closed
- Respondents: CAcert
- Case Manager: SebastianKueppers
- Date of arbitration start: 2011-07-06
- Date of ruling: 2011-07-24
- Case closed: 2011-07-24
- Complaint: Scripted Mailing to Organisation contacts for Class3 Subroot Re-sign project
- Relief: TBD
- 2011-06-08 (issue.c.o) case [s20110608.24, s20110608.128]
- 2011-06-09 (OAO) added note
- 2011-06-11 (iCM): added to wiki, request for CM / A
- 2011-07-06 (A): I'll take this case as Arbitrator, Sebastian will be Case Manager
- 2011-07-06 (A): Sent initial mail
- 2011-07-07 C responds to initial mailing, gives some details/adjustments to the original filing
- 2011-07-07 (A): Proposed ruling given
- 2011-07-09 (A): Refined proposal and reasoning given. Sent a mail to involved parties asking for comments.
- 2011-07-09 (A): Received reply from one board member (IanG) that ruling is acceptable
- 2011-07-22 (A): Received reply from Critical Admins that the ruling is acceptable
- 2011-07-24 (A): Made ruling final, case closed
Original Dispute, Discovery (Private Part)
Link to Arbitration case a20110608.1 (Private Part)
EOT Private Part
The deadline for the original mailing has already passed, so the request has been adjusted and now asks for a precedent case to use in future similar situations:
From the Claimant's response to the initial mailing:
You're right, that this arbitration request should become a precedent case similar mailings to the events mailing script, https://wiki.cacert.org/Arbitrations/a20090525.1 (Event officer request recurrent notification to assurers near the location of the following ATEs) to inform the organisation related contacts in organisations about CAcert changes in procedures, Policy changes, and probably more. Some of these potential issues you've added in your request. In general Organisation Assurance related infos that needs to contact all organisations in one country or _all_ organisations. As the events script is not applicable for information regarding organisation notifications, this request is about a modified script standardized (central sql query still keeps the same) with 4 potential changing parameters:
1. country
2. selection of contact person in organisation
   1. org respondent who signed the Org Assurance
   2. Org Admin
   3. org respondent + Org Admin
3. the subject line for the mailing
4. the filename with the message text for the individual scripted mailing
The Claimant has provided a sample script to implement the mailing. It is not in the scope of this Arbitration to decide if the script matches the ruling of this Arbitration; this is the job of the Software Assessment team. But the script looks quite good as a start to me.
comma/Identity/Communications has been considered, but found to contain no specific regulations for this case, since this Arbitration is about communicating to (organisation) community members and not the general public.
Checks and Balances
The default procedure which is intended here is that the OrgAO requests the mailing and the Critical Admins act as the watchdog, since they have to adjust the scripting parameters and check the mailing text anyway. If the Critical Admins are unsure or plainly reject the mailing request, a board motion may overrule their judgement.
IMHO this judgement is easy for Critical Admins in case of technical and policy questions, since they should have the technical knowledge and be somewhat up to date on policy decisions. Especially in technical things they most probably have already been involved in investigating/fixing the problem.
Deciding about a generic mailing is considerably harder. So there should be an additional supervising body, to prevent, for example, hasty actions of the OrgAO going awry. In the absence of another appropriate formal body the board motion is proposed, but the Critical Admins should also accept the request if the OrgAO can provide evidence that it was thoroughly discussed and approved in another forum like a mailing list or a team meeting.
And of course, common sense should apply! For example a mailing of "CAcert terminates all services" should indeed be backed by a board motion or policy group voting (or better, both)!
The guidelines contain the strong recommendation ("should") to restrict generic mailings to Org Admins. The intention of this is to enable the Org Admins to unsubscribe from such mailings by deactivating the "General Announcements" in their profile.
Since Org Contacts in general do not have their own account (and if they have, it is not linked to the organisation record), unsubscribing is not possible for them. In addition, communication to an Org Contact can do much more harm in terms of PR than communicating with Org Admins, since Org Admins have to accept the CCA personally and are usually more closely bound into the community.
Nevertheless there may be occasions where the Org Contacts have to be contacted without an explicit technical or policy background. If the OrgAO can make plausible why Org Contacts must be addressed, the Critical Admins should benevolently check the request even without an explicit board motion.
Based on a20090525.1 I give the following ruling:
A scripted mailing to a subset or all known Organisation Contacts/Admins may be requested by the Organisation Assurance Officer or by a board motion of CAcert Inc.
Software development shall provide a script to implement the mailing which should have the following items easily configurable:
- Restriction to organisations registered to one specific country
- Subject line of the mail
- Text of the mail
- Selection of target emails:
  - Administrative contacts of organisations only ("Org Contact", the one who signed the Org Assurance)
  - Technical contacts of organisations only ("Org Admins", the ones able to issue certificates for organisations)
  - Both, technical and administrative contacts
  - Only technical contacts who have accepted "General Announcements" in their account settings
Critical Admins shall adjust the configuration of the script and run it against the database.
If the mailing is requested by the Organisation Assurance Officer (not by board motion), the Critical Admins shall verify that the mailing conforms to the guidelines given below. The guidelines may be adapted and extended in the future to reflect experiences made. If in doubt, the Critical Admins should ask for a board motion to confirm the mailing.
Each mailing shall be documented on this page, for example by mailing a report to the Arbitrator of this case, or anyone else who has write access to this page and is willing to add the documentation line. The report shall include:
- The requestor of the mailing
- The category of the mailing (see guidelines)
- The Restrictions (country and target emails) of the query
- The Date of the mailing
- Number of mails sent
Guidelines for mailings
As the term "guidelines" implies, these are not hard rules, and deviations may be accepted by Critical Admins if they seem plausible.
The mailing text should be of acceptable language and of relevance to the organisations.
There are three expected categories of mailings:
- Technical issues that require actions of the Org Admins, fundamental changes in procedures or security issues
- Policy related issues, for example when policy applying to the organisation is changed and must be confirmed
- Everything else, for example announcement of new features or a fund raising drive
Technical issues should be addressed to the Org Admins. Org Contacts may always be included and should be included if it is a more serious issue.
Policy related issues
Policy related issues should be addressed to the Administrative Contacts. Org Admins should normally be included since they may have to counsel the Org Contacts about implications and background.
Generic mailings should be targeted only to Org Admins who have accepted "General Announcements" in their account settings.
The Organisation Assurance Officer should consider bringing the decision for such a mailing before the board.
Number of mails sent
MarcusMängel as OAO
Org Admins and Org Contacts
Allowance to publish Organisation Assurance on CAcert website
Weak CAcert certificates found in EFF SSL Observatory data