Before: Arbitrator BernhardFröhlich (A), Respondent: CAcert (R), Claimant: UlrichSchroeter (C), Case: a20110608.1

History Log

Original Dispute, Discovery (Private Part)

EOT Private Part


The deadline for the original mailing has already passed, so the request has been adjusted and now asks for a precedent case to use in future similar situations:

From the Claimant's response to the initial mailing:

You're right, that this arbitration request should become a precedent
case similar mailings to the events mailing script,
(Event officer request recurrent notification to assurers
 near the location of the following ATEs)
to inform the organisation related contacts in organisations about
CAcert changes in procedures, Policy changes, and probably more.
Some of these potential issues you've added in your request.
In general Organisation Assurance related infos that needs to contact
all organisations in one country or _all_ organisations.

As the events script is not applicable for information regarding
organisation notifications, this request is about a modified script
standardized (central sql query still keeps the same) with
4 potential changing parameters
1. country
2. selection of contact person in organisation
    1  org respondent who signed the Org Assurance
    2  Org Admin
    3  org respondent + Org Admin
3. the subject line for the mailing
4. the filename with the message text for the
   individual scripted mailing

The Claimant has provided a sample script to implement the mailing. It is not in the scope of this Arbitration to decide if the script matches the ruling of this Arbitration, this is the job of the Software Assessment team. But the script looks quite good as a start to me.


comma/Identity/Communications has been considered, but found to contain no specific regulations for this case, since this Arbitration is about communicating to (organisation) community members and not the general public.

Checks and Balances

The default procedure which is intended here is that the OrgAO requests the mailing and the Critical Admins act as the watchdog, since they have to adjust the scripting parameters and check the mailing text anyway. If the Critical Admins are unsure or plainly reject the mailing request, a board motion may overrule their judgement.

IMHO this judgement is easy for Critical Admins in case of technical and policy questions, since they should have the technical knowledge and be somewhat up to date on policy decisions. Especially in technical things they most probably have already been involved in investigating/fixing the problem.

Deciding about a generic mailing is considerably harder. So there should be an additional supervising body, to prevent, for example, hasty actions of the OrgAO going awry. In absence of another appropriate formal body the board motion is proposed, but the Critical Admins should also accept the request if the OrgAO can provide evidence that it was thoroughly discussed and approved in another forum like a mailinglist or a team meeting.

And of course, common sense should apply! For example a mailing of "CAcert terminates all services" should indeed be backed by a board motion or policy group voting (or better, both)!

Target emails

The guidelines contain the strong recommendation ("should") to restrict generic mailings to Org Admins. The intention of this is to enable the Org Admins to unsubscribe from such mailings by deactivating the "General Announcements" in their profile.

Since Org Contacts in general do not have their own account (and if they have, it is not linked to the organisation record) unsubscribing is not possible for them. In addition, communication to an Org Contact can do much more harm in terms of PR than communicating with Org Admins, since Org Admins have to accept the CCA personally and are usually more closely bound into the community.

Nevertheless there may be occasions where the Org Contacts have to be contacted without an explicit technical or policy background. If the OrgAO can make plausible why Org Contacts must be addressed, the Critical Admins should benevolently check the request even without explicit board motion.


Based on a20090525.1 I give the following ruling:

A scripted mailing to a subset or all known Organisation Contacts/Admins may be requested by the Organisation Assurance Officer or by a board motion of CAcert Inc.

Software development shall provide a script to implement the mailing which should have the following items easily configurable:

Critical Admins shall adjust the configuration of the script and run it versus the database.

If the mailing is requested by the Organisation Assurance Officer (not by board motion) the Critical Admins shall verify that the mailing conforms to the guidelines given below. The guidelines may be adapted and extended in the future to reflect experiences made. If in doubt the Critical Admins should ask for a board motion to confirm the mailing.

Each mailing shall be documented on this page, for example by mailing a report to the Arbitrator of this case, or anyone else who has write access to this page and is willing to add the documentation line. The report shall include:

Guidelines for mailings

As the term "guidelines" implies, these are not hard rules, and deviations may be accepted by Critical Admins if they seem plausible.

The mailing text should be of acceptable language and of relevance to the organisations.

There are three expected categories of mailings:

Technical Issues

Technical issues should be addressed to the Org Admins. Org Contacts may always be included and should be included if it is a more serious issue.

Policy related issues should be addressed to the Administrative Contacts. Org Admins should normally be included since they may have to counsel the Org Contacts about implications and background.

Everything else

Generic mailings should be targeted only to Org Admins who have accepted "General Announcements" in their account settings.

The Organisation Assurance Officer should consider moving the decision for such a mailing before the board.





Country Restriction

Recipient restriction

Number of mails sent



MarcusMängel as OAO



Org Admins and Org Contacts


Allowance to publish Organisation Assurance on CAcert website

Similar Cases


Event officer request recurrent notification to assurers near the location of the following ATEs


Weak CAcert certificates found in EFF SSL Observatory data

Arbitrations/a20110608.1 (last edited 2011-09-14 21:35:57 by BernhardFröhlich)