Before: Arbitrator UlrichSchroeter (A), Respondent: CAcert (R1) CAcert Inc president (R2), Claimant: Bas vD (C), Case: a20120121.1

History Log

Original Dispute, Discovery (Private Part)

EOT Private Part

Discovery

Preliminaries

  1. The Arbitrator reviews the available documentation (DRP 2.2.1)
    1. This case relates to the OA area
    2. What is the correct current OAP?
      • by reviewing the headers of the OAP listed under www.cacert.org, I'm in doubt this is the correct revision:
      • by default it should be: http://www.cacert.org/policy/OrganisationAssurancePolicy.php

        • OAP              Jens
          POLICY m20070918.x
          $Date: 2008-01-18 22:56:31 $
          COD11 
      • Another revision is located in the SVN: OAP in SVN

        • CAcert Draft
          Document: OAP COD11
          Author: Jens Paul
          Creation date: 2007-09-18
          Status: POLICY/DRAFT 2007-09-18 m20070918.x
          Changed: 2008-04-01 Teus Hagen policy list vote; add advisors and board
          Next status: POLICY 2008
      • Board decisions 2008 - 2009 regarding OA area
      • Policy Group Decisions

        • p20090218.1 Add Danish SVR trade office registrar to the OA sub-policy Europe table of accepted trade office registrars - Carried

        • p20090210.1 Add Belgian KBO trade office registrar to the OA sub-policy Europe table of accepted trade office registrars - Carried

        • p20080920 Organisation Assurance sub-policy for Europe voted to DRAFT - Carried

        • p20080429.1 Organisation Assurance Sub-Policy for Ireland - Carried

        • p20080402.1 Organisation Assurance Sub-Policy for Australia - Carried

        • p20080401.1 Policy on Organisation Assurance - Carried

        • p20080308.1 Organisation Assurance sub-policy for Austria - Carried

        • p20080128.1 Assurers are individuals not organisations - Carried

          • for clarification:
            
               1. Assurers are individuals, not organisations.
               2. Organisation Assurers are individuals, too.
               3. Organisation Assurance does not rely on web-of-trust, but instead relies on quality processes. 
            
            In the above, _individuals_ is synonymous with _natural persons_ and _organisations_ is synonymous with _legal persons_ being organisations that are legally separated from people
        • p20080109.1 CCA to POLICY status - Carried

        • p20071207.1 Organisation Assurance sub-policy for the Netherlands - called. Decided on policy email list by consensus, no votes seen.
        • p20071022 Organisation Assurance sub-policy for Germany - Carried

      • policy decision taken by other means
      • Despite the fact OAP in SVN has a header note
        • WARNING:
          The proper policy document is located
          on the CAcert website.
          This document is a working draft to include
          future revisions only, and is currently
          only relevant for the [policy] group.
        • This revision is more appropriate, regarding the date stated in the header, than the one listed under www.cacert.org/policy
        • OAP in SVN revisions
          • 566 first revision in SVN
          • 567 2008-01-28 - moving these all into Policies so that they can be managed from one central place
          • 582 2008-02-19 - modified: future change, proper name for CCA is CAcert Community Agreement
          • 731 2008-04-01 - Trees are now one version. Join of the document version tree.
          • 733 2008-04-02 - Changed info on status to POLICY/DRAFT due to unclearness in decision. So it is DRAFT now.
          • 735 2008-04-02 - Some minor changes for layout, spelling and definitions.
        • so "p20080401.1 Policy on Organisation Assurance" matches SVN revision #735
  2. The Arbitrator reviews the Respondents and Claimants with a view to dismissal or joining of additional parties. (DRP 2.2.3)
    • (C), (R1) is NOD
    • named (R2) is under discussion:
    • is (R2) named correctly and is a party in this dispute filing?
    • OAP (current, in SVN) 2.1

      • The OA is appointed by the Board. Where the OA is failing the Board decides.
      • so this is subject to interpretation, based on the history given under the dispute filing and given by (C)'s viewpoint outlined

Question 1: Is (R2) the correct named respondent for this case?

Question 2: Is there a procedure defined that gives instructions on how to handle an O-Admin resigning from an Org account, or on how to terminate an Org account?

Deliberations

Intermediate Ruling #1

From the investigations made, also under the similar case a20110407.1 and the presented reliefs, I hereby come to the following intermediate ruling:

relief 1. All certificates are to be revoked from the org account.

Given the fact that no one other than the Org-Admin can revoke certificates under an Organisation, this task has to be delayed until all the facts are discovered and presented to this case and a final execution order can be given.

relief 2. Org account must be removed from my account ASAP

The discovery process disclosed a wider impact, which nobody had foreseen yet, of removing the last Org-Admin from an Org account. The Org-Admin is the only person who can execute the steps that are required under an Org termination process (!). If not all the facts and actions are taken, I cannot give an order to remove the last Org-Admin from an organisation.

There still exists no procedure to terminate an Organisation's account, nor to remove the last Org-Admin from an Organisation account. The only reference is given by the CCA, that termination of membership has to be filed as a dispute.

relief 3. Support gets informed that they were neglecting their duty in this

Support is the wrong area to handle Org-Admin removals. The only task that Triage members have is to move Organisation Assurance related tickets into the OA queue. From the conversations given in the dispute filing and in the additional PoV statement, all or most participants could not handle this case because no procedure was available for the given request.

I cannot give a quick ruling before I have discovered all facts that relate to the organisation and the appropriate recipients.

Your removal request is identified. A related potential termination request for the organisation started. The potential acting parties are identified.

  1. revocation of certificates by the last Org-Admin if Org still wants to continue as a member
    • initial start sequence takes about 2 weeks
    • the removal process for an Org-Admin is 3 months in duration if certs are still active (!)

  2. removal of Org-Admin is to be handled by an Org-Assurer
  3. termination of an Org to be ruled by an Arbitrator
  4. removal of Org is to be handled by an Org-Assurer

Arbitration is the fallback option if procedures or policies leave an undefined state for an issue. Your Org-Admin removal request is such a case. So I must also request your patience until all the preliminary steps have been passed, which allows execution orders to be started in this case.

Frankfurt/Main, 2012-01-25

Discovery II

Intermediate Ruling #2

The Delete my Account Arbitration cases procedure, which Arbitration has deployed over the last 2 years, lists 2 topics as critical:

  1. Assurances given
  2. Certificates issued

In an OA case, assurances given aren't handled as in the individual assurance process, so there are no CAP forms to recover. So only item 2 applies to this case.

The risk with issued certificates is that something may go wrong with one issued certificate. With the unique serial number of a cert, the link to an account is given. Once the party has agreed to Arbitration, arbitration is our weapon to catch such an issue. Arbitration takes this topic seriously and defines a 3 months hold time after the last certificate expires or has been revoked. This delay is a safety period, to await whether a late dispute will be filed regarding a certificate that is subject to the delete my account case.

In Discovery II, Org client certs and Org server certs were identified as being either active, expired or revoked. The latest expiry date counts: the CCA termination date must not be before the date calculated from it. See also CCA termination date calculation

  1. Org client certs
    • latest expire date: 2010-09-05
  2. Org server certs
    • latest expire date: 2011-12-12
  3. highest expire date: 2011-12-12
  4. CCA termination not before highest expire date 2011-12-12 + 3 months, that is: 2012-03-11

The CCA termination date for an Org-Admin removal and for an Organisation removal is the same date in this case, as certificates were involved and arbitration has to take this issue into account with the hold delay time of 3 months after the last certificate expired.

The question that is still open is whether the Organisation keeps the member account and only the last Org-Admin link gets removed, or whether it is also an Organisation account removal request. One side note was given by (Lambert) in one of the pre-arbitration case email communications: "It also includes removing the org as a member since there is no one available". The original request "I no longer work at (org) can you remove the org account of (org) from my account. (org) has no assurers that can take over." doesn't imply an Organisation account removal. CAcert membership can be seen as a lifetime membership. This doesn't directly mean that every service needs to be used all the time by the members. So there might be breaks possible where an account enters a hold state, to be reactivated one or two years later if the services need to be used again. So this might also relate to the running case. That (C) requests the Org-Admin removal from his account doesn't disqualify the Organisation from continuing its membership; until a new Org-Admin is found, the Organisation account enters the "orphaned" state and cannot use any Organisation account related services. But this doesn't mean someone cannot be a member.

The question that needs to be answered in the next discovery step is whether the Organisation wants to continue its membership or wants its account deleted. Here I will follow the Delete my Account Arbitration cases procedures to continue with this case. An Organisation contact is listed in the Organisation account, who needs to be contacted in this issue.

The Org-Admin removal request cannot be fulfilled before the calculated CCA termination date, that is: 2012-03-11, because the Org-Admin removal process probably also removes all links of the old certs to the Organisation account. As long as there is no documentation on Organisation accounts, certs issued, their related Org-Admin links and what happens if the last Org-Admin gets removed, and as long as there is no procedural documentation regarding Org-Admin removal requests, the safe processing with a hold delay time is the only process path we may rely on to ensure that no links to the Organisation account become broken before the hold delay time expires.

Org-Admin removals can only be processed by Org-Assurers. Processing of Org-Admins from Organisation accounts is prevented by system restrictions. So therefore Org-Admin removal requests have to be processed by Organisation Assurers.

A CCA termination and removal of the Organisation account needs to be confirmed first by further discovery and investigations.

An Org-Assurer should remove the Org-Admin link of (C) after 2012-03-11, but not before this date.

One more question I've tried to discover is/was the Organisation's account state: as the Org account was created before the OAP came into effect around 2008, the question arises whether the handling of this organisation is outside the scope of the OAP. But, as there were also Org certs issued after February 2009, when the CCA came into effect, the boundary of CCA and OAP also affects the active old organisations. Using services without the CAcert Community Agreement has been impossible at least since mid-2009, so the Organisation entered the CCA agreed state at least by the latest issued certs, and the full Delete my Account Arbitration cases procedure applies to this case.

On the "current" OAP question, I've received a confirmation from Ian, who monitors the Policy repository and keeps track of the old and WIP policies. The discrepancy found between the OAP revisions in the policy repository and in the SVN shall be resolved. The SVN OAP html revision shall be updated with an up-to-date header and shall replace the OAP (php) revision in the policy repository on the main website, to be processed by the critical team or by the Software-Assessors sending an update to the critical team. All links and references to http://www.cacert.org/policy/OrganisationAssurancePolicy.php shall be updated with the replaced revision link: http://www.cacert.org/policy/OrganisationAssurancePolicy.html. The current policy listing script can handle both extensions. OAO shall correct the wiki documentation regarding "current OAP" and the OAP links in the OAP subpolicies in the SVN.

Frankfurt/Main, 2012-01-29

Discovery III

Intermediate Ruling #3

Frankfurt/Main, 2012-04-18

Ruling

Frankfurt/Main, 2012-05-02

Execution

Similar Cases

a20110407.1

Please remove <domain> from my Organisational Domains


Arbitrations/a20120121.1 (last edited 2012-05-05 13:49:49 by UlrichSchroeter)