 * Case Number: a20130810.1
 * Status: running
 * Claimants: MarcusMaengel (SE)
 * Respondents: CAcert
 * Case Manager: MartinGummi
 * Arbitrator: UlrichSchroeter
 * Date of arbitration start: 2013-08-10
 * Date of ruling: 201Y-MM-DD
 * Case closed: 201Y-MM-DD
 * Complaint: sending notifications to members with a primary lavabit email address while the ISP is closing down
 * Relief: TBD

Before: Arbitrator UlrichSchroeter (A), Respondent: CAcert (R), Claimant: MarcusMaengel (C), Case: a20130810.1

== History Log ==

 . 2013-08-10 (issue.c.o) case [s20130810.33]
 . 2013-08-10 (A): added to wiki, MartinGummi accepted to become (CM)
 . 2013-08-10 (A): (C) accepted CCA/DRP in dispute filing
 . 2013-08-10 (A): sent init mailing to (C), (CM)
 . 2013-08-10 (A): request to Software-Assessors to build 2 SQL queries that (a) identify members with lavabit.* email addresses configured as primary email addresses and (b) identify members under (a) that have additional alternate email addresses they can use to switch their primary email account. Both queries are to return counts only.
 . 2013-08-10 (A): also asking the (Critical team) members for a SQL query proposal
 . 2013-08-11 (A): sent test ping email to postmaster@ of domain in question
 . 2013-08-11 (A): received notification: "Delayed Mail (still being retried)" for delivery to postmaster@lavabit
 . 2013-08-11 (PR): blogpost published [[http://blog.cacert.org/2013/08/members-with-lavabit-email-accounts-remember-to-change-address/|members-with-lavabit-email-accounts-remember-to-change-address]]
 . 2013-08-11 (A): sending request to (Software-Assessors) + (Critical team) members with updated SQL queries with request to confirm / further deployment of SQL queries
 . 2013-08-11 (Wytze): response with SQL query #1 updated
 . 2013-08-13 (A): response to (Software-Assessors) + (Critical team) with explanation about SQL queries requested
 . 2013-08-13 (SA): deployment of SQL queries required for intermediate ruling #1 within [[Software/Assessment/20130813-S-A-MiniTOP|Software-Assessment project team meeting 2013-08-13]], results documented in minutes
 . 2013-08-15 (A): sharing thoughts with an invited group of active CAcert members about the impact of publishing results of the current arbitration case
 . 2013-08-15 (Member): one member responded, sharing thoughts about the impact the current case may have and which protection mechanisms CAcert has
 . 2013-08-15 (A): intermediate ruling #1, sent to (C), (Critical team) with exec request, (Board), (CM)
 . 2013-08-16 (A): received final NDR for test ping email to postmaster@ of domain in question
 . 2013-08-16 (Critical team): sends intermediate ruling #1 exec report to (A), (Critical team), (C), (Support), (Board), (CM)
 . 2013-08-16 (A): intermediate ruling #2, sent to (C), (Software-Assessment), (Board), (Support), (CM)
 . 2013-08-25 (Board): discussed intermediate ruling #2 proposal text
 . 2013-08-26 (A): forward email sent to board (intermediate ruling #2) to (PR) following (Board's) decision to forward this to (PR)
 . 2013-08-26 (PR): further question
 . 2013-08-26 (A): response to (PR)'s further question
 . 2013-08-26 (PR): response, request for further details
 . 2013-08-26 (PR): response #2, request for further details
 . 2014-05-11 (CM): asks (A) about progress in this case

== Original Dispute ==

{{{
---- Forwarded message from "INOPIAE (Marcus)" ---

From: "INOPIAE (Marcus)"
To: CAcert Support
ReplyTo: inopiae@cacert.org
Subject: Ermergency Dispute USers with Lavabit.com email address
Date: 2013-08-10 13:19:57

> Dear Arbitrators,
>
> we have more than 100 users that have a lavabit.com email.
> I would like to inform them via mail that they need to change their
> primary email address if it shows a lavabit account.
>
>
> In a first step I would like to get the allowance to send a mail to one
> of the users that can be found in the admin view.
> If it bounces there will be no chance to send out the mailing as I
> presume that then all mail will bounce as well.
> In this case there will be no mailing.
>
> In the other case I need the allowance to send out a mailing to all
> users that can be found with following SQL-statement:
> Select email from email where email like "%@lavabit.%" and deleted =
> NULL
> The text of the mailing is discussed at the moment with board.
>
> There will be a blog post in any case.
>
> I accept CCA.
>
> Marcus Mängel
>
> CARS
>
> --
> mit freundlichen Gruessen / best regards
> Marcus Maengel
> CAcert Assurer, CAcert Organisation Assurer, CAcert Support Team Member
> CAcert Organisations Assurance Officer
> CAcert.org - Free Certificates
> E-Mail: inopiae@cacert.org
>
>
> ---- End forwarded message ---
}}}

== Discovery (Private Part) ==

 * '''Link to Arbitration case [[Arbitrations/priv/a20130810.1|a20130810.1 (Private Part)]]'''

==== EOT Private Part ====

== Discovery & Deliberations ==

 * Lavabit closing down
   * [[http://www.heise.de/newsticker/meldung/Lavabit-E-Mail-Anbieter-von-Edward-Snowden-schliesst-und-protestiert-1932723.html]] ".. has been shut down ..." 09.08.2013 09:12
   * [[http://www.ghacks.net/2013/07/14/lavabit-is-probably-the-most-secure-private-email-service-right-now/]] Update: Lavabit has shut down. July 14, 2013
   * [[http://lavabit.com/]] I have been forced to make a difficult decision: ... by shutting down Lavabit.
 * The announcements found (see above) say that the shutdown happened 3 weeks ago
 * So it becomes vague that, despite the fact that the announcement of the immediate shutdown was made in mid-July 2013, now 3 weeks later the services are still online.
 * The given count of potential members involved that have a primary email address from lavabit is an estimated value (that requires verification)
 * Using a lavabit email address as primary email address means that, if the member doesn't change his primary email address to a working email address, the member runs into a CCA 3.5 violation [1] ("You are responsible for keeping your email account in good working order and able to receive emails from CAcert.")
 * Informing the members who have a lavabit email address set as primary email address, or for whom this is the only email address associated with their CAcert account, is an additional service to our members who are probably still running into a CCA 3.5 violation [1] problem.
 * It can be assumed that those members who have heard that their ISP is immediately closing down its services are busy recovering their email services and do not think about their CAcert account, where the old email address is linked as primary email address.
 * CCA 2.5 Security [1] says that every member is responsible for his own security, but The Principles [2] also say x. Training, x. Our Focus is Our Community, x. Security and x. Ambassador to the World - we've identified the potential problem of running into a CCA 3.5 violation, so we want to inform our members like we informed our members about the Thawte shutdown back in 2009 [3] and other announcements. This is good to go for a mailing, especially to prevent CCA 3.5 violations.
 * lavabit TLDs identified that probably also offer email addresses:
   * com
   * org
   * net
   . probably others
 * telnet test connection times out
 {{{
telnet mx.lavabit.com 25
connection failed
 }}}
 * The role of a postmaster alias [[http://en.wikipedia.org/wiki/Postmaster_%28computing%29|postmaster (wiki)]]
   * references: [[http://tools.ietf.org/html/rfc5321|rfc-5321]], [[http://tools.ietf.org/html/rfc822|rfc-822]]
 {{{
Sent: 2013-08-11 08:51

Dear Postmaster @ lavabit.com,

Regarding Arbitration case a20130810.1
https://wiki.cacert.org/Arbitrations/a20130810.1

We've received a dispute to send a mailing to potential
ex-@lavabit.com users.

According to the announcement at http://lavabit.com/ that the
mail service has been shutdown I try this way to identify
a real shutdown of the email services @lavabit

According to RFC standards, at least a domain requires the
postmaster@ address for a site. If this address cannot be reached,
no user can be reached.

If you receive this email, ignore it, or reply to this email.
In case of a NDR I'm informed about the next step in our Arbitration
case.
 }}}
 * 2013-08-11 13:35 - delivery delayed notification received
 {{{
The mail system

: lost connection with lavabit.com[72.249.41.52] while receiving the initial server greeting
 }}}
 * the next thing that is of interest in this case is the '''critical''' relation of members who lost their primary email address
   * ''What does this mean: critical ?''
   * '''critical''' in relation to existing member accounts means that we have to check topics that affect the WoT; that's why in CCA 3.3 Termination [1] we refer every '''Termination by a member''' [4] to Arbitration
     a. existing, valid certificates ('''Relying Party Statement''' problem) x1)
     a. had given assurances (securing the CAP forms)
   . x1) reliance is secured via arbitration. A leaving member or a member who can no longer be contacted can no longer be brought into arbitration (see also CPS Table 4.5.2 [5])
 * Members whose primary email address got lost (termination by ISP) can easily be identified with an ad hoc SQL query. At first it's enough to get an idea of how many cases we are talking about, so the first query has to count only:
   * SQL query #1
   {{{
select count(email)
from users
where `email` like "%@lavabit.%"
  and deleted = '0000-00-00 00:00:00';
   }}}
 * For the disputed request, to contact such affected members, we require an alternate address, as the first tests showed that @lavabit email addresses can no longer be contacted. Alternate addresses we can probably take from the secondary email addresses set in the member's account. So SQL query #1 has to be enhanced with the question: which of the members found under SQL query #1 also have a secondary email address configured that we can use in a mailing? So we come to a SQL query #2. Here, too, the count is of interest in the first step, so we can decide whether we have to send notifications to up to 5 members (-> manual Support action) or to 100 members (-> scripted mailing)
   * SQL query #2:
   {{{
SELECT count(email.email)
FROM email
inner join users on email.memid=users.id
where users.email like '%@lavabit.%'
  and users.deleted='0000-00-00 00:00:00'
  and email.deleted='0000-00-00 00:00:00'
  and users.email != email.email
group by email.memid;
   }}}
 * To answer the question of how many '''critical''' cases are affected, we have to enhance SQL queries #1 and #2
   * count of active, not yet expired and not revoked certs per identified member (this includes client certs and server certs) > 0 ?
   * count of assurances given > 0 per identified member ?
 * 2013-08-13 [[Software/Assessment/20130813-S-A-MiniTOP|Software-Assessment project team meeting 2013-08-13]] SQL queries deployment by Michael Taenzer
   a. SQL query 1: how many users do we have that have a lavabit email address as primary email address?
   {{{
select count(users.id)
from users
where users.email like "%@lavabit.%"
  and users.deleted = 0;
   }}}
   a. SQL query 2: how many of the members found under SQL query #1 have an additional secondary email address that we can use to contact the users by email or in a scripted mailing?
   {{{
select count(distinct email.memid)
from email
inner join users on email.memid = users.id
where users.email like '%@lavabit.%'
  and users.deleted = 0
  and email.deleted=0
  and email.email not like '%@lavabit.%';
   }}}
   a. SQL query 3: how many of all members (according to SQL query 1) with lavabit as primary email address fall under the category '''critical''' while having active certs or having given assurances?
   {{{
select count(*) from (
    -- members who gave assurances
    select notary.from as memid
    from (select users.id from users
          where users.email like "%@lavabit.%" and users.deleted = 0) as interesting_users
    inner join notary on interesting_users.id = notary.from
    where notary.deleted = 0
  union distinct
    -- members with unexpired, unrevoked client certs
    select emailcerts.memid as memid
    from (select users.id from users
          where users.email like "%@lavabit.%" and users.deleted = 0) as interesting_users
    inner join emailcerts on interesting_users.id = emailcerts.memid
    where emailcerts.expire > NOW() and revoked = 0
  union distinct
    -- members with unexpired, unrevoked server certs
    select domains.memid as memid
    from (select users.id from users
          where users.email like "%@lavabit.%" and users.deleted = 0) as interesting_users
    inner join domains on interesting_users.id = domains.memid
    inner join domaincerts on domains.id = domaincerts.domid
    where domaincerts.expire > NOW() and domaincerts.revoked = 0
) as critical_users;
   }}}
   a. SQL query 4: how many of the members (according to SQL query 2) with lavabit as primary email address, but having additional other secondary email address(es), fall under the category '''critical''' while having active certs or having given assurances?
   {{{
select count(*) from (
    -- members who gave assurances
    select notary.from as memid
    from (select users.id from email
          inner join users on email.memid = users.id
          where users.email like '%@lavabit.%' and users.deleted = 0
            and email.deleted=0 and email.email not like '%@lavabit.%') as interesting_users
    inner join notary on interesting_users.id = notary.from
    where notary.deleted = 0
  union distinct
    -- members with unexpired, unrevoked client certs
    select emailcerts.memid as memid
    from (select users.id from email
          inner join users on email.memid = users.id
          where users.email like '%@lavabit.%' and users.deleted = 0
            and email.deleted=0 and email.email not like '%@lavabit.%') as interesting_users
    inner join emailcerts on interesting_users.id = emailcerts.memid
    where emailcerts.expire > NOW() and revoked = 0
  union distinct
    -- members with unexpired, unrevoked server certs
    select domains.memid as memid
    from (select users.id from email
          inner join users on email.memid = users.id
          where users.email like '%@lavabit.%' and users.deleted = 0
            and email.deleted=0 and email.email not like '%@lavabit.%') as interesting_users
    inner join domains on interesting_users.id = domains.memid
    inner join domaincerts on domains.id = domaincerts.domid
    where domaincerts.expire > NOW() and domaincerts.revoked = 0
) as critical_users;
   }}}
 * Two more published articles
   * [[http://www.computerwoche.de/a/lavabit-gruender-zur-schliessung-verpflichtet,2544385|Computerwoche 'Lavabit-Gründer zur Schließung "verpflichtet"']] (in German) - gives some indication that the lavabit closing down was forcibly ordered by authorities
   * [[https://silentcircle.wordpress.com/2013/08/09/to-our-customers/|Email provider "Silent Mail" (silentcircle) also announces closing down]]

 . [1] [[http://www.cacert.org/policy/CAcertCommunityAgreement.php|CAcert Community Agreement]]
 . [2] [[http://svn.cacert.org/CAcert/principles.html|Principles of the Community]]
 . [3] [[http://blog.cacert.org/2009/10/thawte-web-of-trust-shutting-down/|Thawte Web of Trust Shutting Down]]
 . [4] [[FAQ/HowToTerminate|FAQ: How to Terminate]]
 . [5] [[http://www.cacert.org/policy/CertificationPracticeStatement.php#p4.5|Table 4.5.2. Statements of Reliance]]
 . [6] [[http://www.computerwoche.de/a/lavabit-gruender-zur-schliessung-verpflichtet,2544385|Computerwoche 'Lavabit-Gründer zur Schließung "verpflichtet"']] (in German)
 . [7] [[https://silentcircle.wordpress.com/2013/08/09/to-our-customers/|Email provider "Silent Mail" (silentcircle) also announces closing down]]

== Intermediate Ruling #1 ==

So therefore I come to the following intermediate ruling #1

 1. The first question in the dispute filing
 {{{
"In a first step I would like to get the allowance to send a mail to one
of the users that can be found in the admin view."
 }}}
   . has been checked by sending a test email to the postmaster of the affected domain according to RFCs rfc-5321 and rfc-822; the NDR received revealed that the domain no longer accepts any emails.
   . So therefore I reject request #1 from the dispute filing.
 1. Claimant's request #2 requires some deeper inspection, to investigate the impact on CAcert's WoT that is caused by the reported closing down of an email service provider. Here the potential '''critical''' impact found is of special interest to arbitration:
   * the next thing that is of interest in this case is the '''critical''' relation of members who lost their primary email address
     * ''What does this mean: critical ?''
     * '''critical''' in relation to existing member accounts means that we have to check topics that affect the WoT; that's why in CCA 3.3 Termination [1] we refer every '''Termination by a member''' [4] to Arbitration
       a. '''existing, valid certificates''' (Relying Party Statement problem) x1)
       a. had '''given assurances''' (securing the CAP forms)
   * This impact can be counted with a couple of ad hoc SQL queries. These SQL queries have been deployed in the Software-Assessment project team meeting dated 2013-08-13 and can also be found in the minutes.
     The SQL queries have been deployed by a nominated Software-Assessor, Michael Taenzer, and checked by myself against a local copy of the developers' testserver image
   * Critical team shall execute the following 4 ad hoc SQL queries to answer 4 questions:
     1. SQL query 1: how many users do we have that have a lavabit email address as primary email address?
     {{{
select count(users.id)
from users
where users.email like "%@lavabit.%"
  and users.deleted = 0;
     }}}
     1. SQL query 2: how many of the members found under SQL query #1 have an additional secondary email address that we can use to contact the users by email or in a scripted mailing?
     {{{
select count(distinct email.memid)
from email
inner join users on email.memid = users.id
where users.email like '%@lavabit.%'
  and users.deleted = 0
  and email.deleted=0
  and email.email not like '%@lavabit.%';
     }}}
     1. SQL query 3: how many of all members (according to SQL query 1) with lavabit as primary email address fall under the category '''critical''' while having active certs or having given assurances?
     {{{
select count(*) from (
    -- members who gave assurances
    select notary.from as memid
    from (select users.id from users
          where users.email like "%@lavabit.%" and users.deleted = 0) as interesting_users
    inner join notary on interesting_users.id = notary.from
    where notary.deleted = 0
  union distinct
    -- members with unexpired, unrevoked client certs
    select emailcerts.memid as memid
    from (select users.id from users
          where users.email like "%@lavabit.%" and users.deleted = 0) as interesting_users
    inner join emailcerts on interesting_users.id = emailcerts.memid
    where emailcerts.expire > NOW() and revoked = 0
  union distinct
    -- members with unexpired, unrevoked server certs
    select domains.memid as memid
    from (select users.id from users
          where users.email like "%@lavabit.%" and users.deleted = 0) as interesting_users
    inner join domains on interesting_users.id = domains.memid
    inner join domaincerts on domains.id = domaincerts.domid
    where domaincerts.expire > NOW() and domaincerts.revoked = 0
) as critical_users;
     }}}
     1. SQL query 4: how many of the members (according to SQL query 2) with lavabit as primary email address, but having additional other secondary email address(es), fall under the category '''critical''' while having active certs or having given assurances?
     {{{
select count(*) from (
    -- members who gave assurances
    select notary.from as memid
    from (select users.id from email
          inner join users on email.memid = users.id
          where users.email like '%@lavabit.%' and users.deleted = 0
            and email.deleted=0 and email.email not like '%@lavabit.%') as interesting_users
    inner join notary on interesting_users.id = notary.from
    where notary.deleted = 0
  union distinct
    -- members with unexpired, unrevoked client certs
    select emailcerts.memid as memid
    from (select users.id from email
          inner join users on email.memid = users.id
          where users.email like '%@lavabit.%' and users.deleted = 0
            and email.deleted=0 and email.email not like '%@lavabit.%') as interesting_users
    inner join emailcerts on interesting_users.id = emailcerts.memid
    where emailcerts.expire > NOW() and revoked = 0
  union distinct
    -- members with unexpired, unrevoked server certs
    select domains.memid as memid
    from (select users.id from email
          inner join users on email.memid = users.id
          where users.email like '%@lavabit.%' and users.deleted = 0
            and email.deleted=0 and email.email not like '%@lavabit.%') as interesting_users
    inner join domains on interesting_users.id = domains.memid
    inner join domaincerts on domains.id = domaincerts.domid
    where domaincerts.expire > NOW() and domaincerts.revoked = 0
) as critical_users;
     }}}
 1. As this case discloses a clash in practice between the CCA obligation (to keep one's own primary email address in good working order) and the information given to each member that Arbitration uses the member's primary email address to contact members, we're trying to assist our members to bring them back into a safe status for their accounts.
   . We know we currently have an exception, in that members may violate CCA 3.5, but this running case shall bring them back to having their accounts in good working order.
     So here we are following the principle that our focus is a functional community; we don't want to blame these members for that situation and we want to assist these members to get their accounts back into good working order. A blog post has already been published and a mailing will probably follow once we have the results of the ad hoc SQL queries.
   . So the current status of such affected member accounts I declare as a temporary exemption.
   . It's expected that a clearance of the status can be executed by the final ruling of this running case.
 1. On the question of whether the SQL query results can be published, I come to the following ruling:
   * The proposed results of the 4 SQL queries are counts only, similar to statistical data we have already published on our main website. So at this point we have no disclosure of any personally identifiable information, but the results will give us a measure of how deep the impact of the lavabit closing down is on CAcert's WoT
   * Speculative expectations: what happens if we once publish the counted results, and the possibility that agencies will send CAcert a "Legal process (subpoenas, etc) delivered by an external court of 'competent jurisdiction.'". Such processing has to undergo CAcert's arbitration review according to DRP, so it becomes unlikely that CAcert has to deal with follow-up actions that are described in the published articles [6] + [7]
   * So there is nothing that prevents publishing of the SQL query results requested under top 2

Frankfurt/Main, 2013-08-15

== Discovery II ==

 * 2013-08-15 (Critical team): sends intermediate ruling #1 exec report to (A), (Critical team), (C), (Support), (Board), (CM)
   1. SQL query 1: how many users do we have that have a lavabit email address as primary email address?
     * => '''77'''
   1. SQL query 2: how many of the members found under SQL query #1 have an additional secondary email address that we can use to contact the users by email or in a scripted mailing?
     * => '''12'''
   1. SQL query 3: how many of all members (according to SQL query 1) with lavabit as primary email address fall under the category '''critical''' while having active certs or having given assurances?
     * => '''14'''
   1. SQL query 4: how many of the members (according to SQL query 2) with lavabit as primary email address, but having additional other secondary email address(es), fall under the category '''critical''' while having active certs or having given assurances?
     * => '''3'''

== Intermediate ruling #2 ==

 * The 4 SQL queries revealed that we can contact 12 (approx 15%) out of 77 members, to notify them about their problem of running into a CCA violation.
 * On the question of whether to order (Support) to contact the identified users or to start a scripted mailing similar to the events scripted mailings, I come to the conclusion to prefer the scripted mailing solution, as this solution doesn't require internally disclosing a list of email addresses to use for the mailing. The fewer people know about such a list, the fewer CAcert personnel can be threatened.
 * So therefore I request from Software-Assessment to deploy a mailing script similar to the events mailing script, using the already existing SQL queries out of intermediate ruling #1, so the critical team can later execute the script to notify the affected members that can be contacted through a secondary email address defined in their member's account.
 * I propose to the involved teams to use an enhanced text for the scripted mailing text in relation to the [[http://blog.cacert.org/2013/08/members-with-lavabit-email-accounts-remember-to-change-address/|blog post text published 2013-08-10]]
   a. with a detailed explanation of the CCA 3.5 violation problem (-> CCA 3.5 violation explained) -and-
   a. detailed explanation of the "'''critical relation''' to our WoT services" used by 3 (out of 14) of the members we try to contact. A core explanation already exists under [[Arbitrations/a20130810.1#DiscoveryDeliberations|Discovery & Deliberations]]
   . so that it gets explained to members why we use this unusual way to contact our members, and why we use a secondary email address instead of a primary email address as stated by our own policies. Especially as a common, widespread warning exists:
   ||<#ff8080> Don't react to email requests regarding your bank or credit card account. Don't click on links in such emails. Such emails are often used for phishing. ||
 . I've also received an idea from a community member, whether we should make an offer to the affected users for an email address on our non-critical email infrastructure services. That I forward to board to consider. From the Arbitration side, there is nothing that prevents such an offer (see also the deliberations that result in section 4 of intermediate ruling #1)

Frankfurt/Main, 2013-08-16

== Discovery III ==

 * 2013-08-25 (Board): discussed intermediate ruling #2 proposal text
   * transcript from [[Brain/CAcertInc/Committee/MeetingAgendasAndMinutes/201308025|Board meeting 2013-08-25]]
 {{{
(23:20:07) WernerDworak: 2.6 Proposal for enhanced notification text a20130810.1 intermediate ruling #2
(23:20:43) WernerDworak: Who will something about it?
(23:20:55) WernerDworak: tell
(23:24:43) NEOatNHNG: u601: can you explain what the board should decide here?
(23:25:03) WernerDworak: I don't see anything to 2.6. Who created that topic?
(23:26:43) WernerDworak: I see nothing. So I go on to 2.7
(23:27:01) u60: from arbitration side, the notification to lavabit users is acceptable ... but the text that was used for the blog post misses some reasons given why CAcert acts not policy conform in sending mailings to secondary email addresses, that requires some explanations in the mailing text
(23:27:44) WernerDworak: Who will tell something to it?
(23:28:06) u60: so therefore .. the intermediate ruling includes the proposal for board ? PR ? to enhance the mailing text
(23:29:07) u60: the question to board is, if Board follows the arbitration intermediate ruling proposal .. or decides otherwise
(23:29:09) NEOatNHNG: can you not just ask alexander to enhance the text with the information that you think is missing?
(23:29:40) WernerDworak: I second neo
(23:30:17) u60: alex isn't in the meeting .. inopiae ?
(23:30:19) WernerDworak: This can be done at a lower level, board is not needed for it
(23:30:34) INOPIAE: no alex here
(23:31:07) u60: can you talk with alex ... and boards result about their rethinking ?
(23:32:14) NEOatNHNG: uli you know what information is missing, if this goes via another middle man the information that reaches our PR officer certainly won't get better
(23:32:48) WernerDworak: Uli , write to alex. Period
(23:33:07) u60: yup. topic finished.
(23:35:27) NEOatNHNG: about the proposal for email addresses for people not involved with CAcert: this would mean we become an email provider and we already have enough stuff to do. There are some decent providers out there to host your mails (although I can't give a guarantee) https://posteo.de/ looks nice for example
(23:35:48) NEOatNHNG: CAcert should concentrate on getting our own stuff done
 }}}
 * 2013-08-26 (A): forward email sent to board (intermediate ruling #2) to (PR) following (Board's) decision to forward this to (PR)
 {{{
-----Original Message-----
From: ulrich@cacert.org [mailto:ulrich@cacert.org]
Sent: Monday, August 26, 2013 3:12 AM
To: 'pr@cacert.org'
Cc: 'Martin Gummi'; 'arbitration-archives@cacert.org'
Subject: FW: Intermediate Ruling #2 following Exec Report of intermediate ruling #1: Arbitration case a20130810.1 - [] Ermergency Dispute USers with Lavabit.com email address

Dear PR team,

board decided in today's board meeting, that PR shall do the job,
to enhance the mailing script text ...
(see attachment: a20130810-1-lavabit-email.txt)

https://wiki.cacert.org/Brain/CAcertInc/Committee/MeetingAgendasAndMinutes/201308025
agenda item 2.6

following Arbitration case a20130810.1 intermediate ruling #2
https://wiki.cacert.org/Arbitrations/a20130810.1

board meeting 2013-08-25 transcript:
[section: agenda topic 2.6 from board meeting, see above]

[attachments: a20130810-1-lavabit-mail.php.txt, a20130810-1-lavabit-email.txt]
 }}}
 * 2013-08-26 (PR) further question
 {{{
[translation from German]

can you please write me again exactly what is required - I do not understand...
There are still email attachments. What is with these?

Is it only "but the text that was used for the blog post misses some reasons
given why CAcert acts emergency policy conform in sending mailings to secondary
email addresses, that requires some explanations in the mailing text"?

If so, where do you want this (new?) explanation inserted?
 }}}
 * 2013-08-26 (A) response to (PR)'s further question
 {{{
[translation from German]

please open the designated attachment and replace section
[ !!! further explanations !!! ]
with a sufficient explanation why we act against our own rules
in that we send emails to email addresses of our users that aren't
the primary email they've defined in their CAcert account...
(would properly even be considered a CCA violation)

and then there is another problem ...
"Request... open your account... correct the infos'...
is exactly a request where all people get the warning
in connection with phishing emails
Ignore the email, delete the email!

What distinguishes exactly this mail from a phishing email?
=> We don't send a login link (where a phishing email has supposedly a bad link)...
Go to CAcert's homepage. Login to your account. Go to the submenu
'email accounts - view' and put in the first column the "default" setting
on a "working" email account
(-> no link.. raw-TXT email... evidence given that this email is no phishing email...)
 }}}
 * 2013-08-26 (PR) response, request for further details
 {{{
[translation from German]

can you please send me the "named attachment"(?) as an email?
I still didn't understand. I have an attachment with two texts to the users
and one additional annex that contains the mail content.

And if we don't send any phishing mail, where is the problem?
What exactly is required / desired and why should PR or I do that?

If I shall do it (chat excerpt names and asks explicitly me), why was the mail
sent with personal content from the Board meeting to the PR account
(distribution list), where also other people are addressed who didn't attend
the corresponding meeting (and I mean not Marcus)?
It's almost worth filing a dispute again ;)

Please write me now explicitly what is required!
 }}}
 * 2013-08-26 (PR) response #2, request for further details
 {{{
[translation from German]

Well - previous mail was perhaps somewhat covered. This was not the case as it looks like.
But I really want short and precise instructions on what should be done.
Responding directly in an email. Attachments might be attached.
But at least then, if something is included in an attachment that is referenced,
it must be both available and searchable!

However, I have found some chat in the first mail and one mail text.
That I asked: what should be done? - The answer is still pending.

So please – otherwise I or a colleague of mine (because the mail was unfortunately
delivered to PR instead of to me) unfortunately cannot act.
 }}}

== Ruling ==

== Execution ==

== Similar Cases ==

|| [[Arbitrations/a20090525.1|a20090525.1]] || Event officer request recurrent notification to assurers near the location of the following ATEs - Precedent Case ||
|| [[Arbitrations/a20110608.1|a20110608.1]] || Scripted Mailing to Organisation contacts ||
|| [[Arbitrations/a20111128.3|a20111128.3]] || Delete Account cases which may be handled by SE - No Assurances given, no certs or certs expired - Precedents Case ||
|| [[Arbitrations/a20111204.3|a20111204.3]] || Minor account data differences which may be handled by SE - Precedents Case ||
|| [[Arbitrations/a20090424.1|a20090424.1]] || [[Arbitrations/a20090424.1|Ad hoc SQL query requested]] ||
|| [[Arbitrations/a20090427.2|a20090427.2]] || [[Arbitrations/a20090427.2|Ad hoc SQL query requested]] ||
|| [[Arbitrations/a20090518.2|a20090518.2]] || [[Arbitrations/a20090518.2|SQL: mail addresses of former assurers without the CATS passed]] ||
|| [[Arbitrations/a20090810.3|a20090810.3]] || [[Arbitrations/a20090810.3|User requests a list of people who have more than 150 points]] ||
|| [[Arbitrations/a20090902.1|a20090902.1]] || [[Arbitrations/a20090902.1|request list of OA]] ||
|| [[Arbitrations/a20091221.1|a20091221.1]] || [[Arbitrations/a20091221.1|U18 query]] ||
|| [[Arbitrations/a20100822.1|a20100822.1]] || [[Arbitrations/a20100822.1|SQL query]] ||
|| [[Arbitrations/a20101114.1|a20101114.1]] || [[Arbitrations/a20101114.1|Addtl. adhoc interactive sql-query]] ||
|| [[Arbitrations/a20110413.1|a20110413.1]] || [[Arbitrations/a20110413.1|How many users using sample pwd]] ||
|| [[Arbitrations/a20130521.1|a20130521.1]] || [[Arbitrations/a20130521.1|Adhoc SQL query: Dispute to get some statistical data (U18)]] ||
|| [[Arbitrations/a20110221.1|a20110221.1]] || [[Arbitrations/a20110221.1|PII and problematical sys settings on 1057 of 1074 deleted accounts cases still remains in database]] ||

----
 . CategoryArbitration
 . CategoryArbCaseOthers