Before: Arbitrator UlrichSchroeter (A), Respondent: CAcert (R), Claimant: Bas D (C), Stefan Kooman (C2), Case: a20120528.1

History Log

Original Dispute, Discovery (Private Part)

EOT Private Part


Intermediate ruling #1

I order that one access engineer and one critical administrator are allowed to access the BIT facilities to fix the actual signer problem.

Ruling given by telephone by Arbitrator UlrichSchroeter, forwarded via email by Marcus Maengel as ICM 2012-05-28

Berlin, 2012-05-28

Discovery II


I will follow the questions to be answered from arbitration case a20090810.4

1. Was emergency access justified?

There have been several reports of a malfunction of the signer already, when the request for emergency access to the system was filed as a dispute.

Reestablishing one of CAcert's core services clearly justifies access to the system according to Security Policy 2.3.4 "Emergency Access".

2. What was the cause of the outage / haven't any changes been the cause of the outages?

Wytze has published an analysis of what led to the outages here: 2012-05-28 Emergency Visit BIT report "investigate and fix broken signer service"

There is no doubt what caused the dysfunction of the signing service.

3. Have updates been processed correctly (dual control etc.)?

Dual control of the actions performed has been performed by Wytze as critical systems engineer, Mendel as second critical systems engineer and Stefan as access engineer. Wytze has published all his actions here:

and Mendel and Stefan confirmed them to the Arbitrator by request.

According to the Security Manual 2.3.2, updates to the signer may require the presence of two critical system administrators. All actions applied to the signer were rather simple administrative tasks (reboot the server, fix harddisk error, time setting) and only touched temporary data for a failed request which will be resubmitted by the web server to the signer. Therefore dual control being established by an access engineer and two critical system engineers was sufficient.

All changes made to the WebDB server have been in compliance with the Security Manual.

4. Were all procedures followed correctly?

All actions that have been performed on 2012-05-28 by Stefan, Wytze and Mendel have been in full compliance with the CAcert procedures.

5. Intermediate Ruling

The intermediate ruling #1 dated 2012-05-28 that I gave via mobile, written into an email and to the arbitration file by Support-Engineer Marcus Maengel on behalf of me (as I had no internet access), I hereby confirm as the intermediate ruling that I gave.

Frankfurt/Main, 2012-05-31


Similar Cases


Emergency access to CAcert critical systems


Emergency access to CAcert critical systems

Arbitrations/a20120528.1 (last edited 2012-05-31 22:05:15 by UlrichSchroeter)