- Case Number: a20140607.1
- Status: closed
- Claimant: CAcert Support
- Respondent: CAcert
initial Case Manager: EvaStöwe
Case Manager: PietStarreveld
- Date of arbitration start: 2016-06-21
- Date of ruling: 2016-06-22
- Case closed: 2016-06-23
- Complaint: Request for account so CAcert support can test special scenario on the productive system
- Relief: Allow CAcert support an account on productive system for test scenarious
Before: EvaStöwe arbitrator (A), Respondent: CAcert (R), Claimant: CAcert Support (C), Case: a20140607.1
Note: in the original version the claimant was named to be Marcus M (as Support-Team-Member), as he had sent the dispute. This was clarified by an initial arbitration decision.
- 2014-06-07 (issue.c.o): case [s20140607.38]
- 2014-07-06 (iCM): added to wiki, request for CM / A
- 2014-07-06 (iCM): send notification to C
- 2014-07-26 (iCM): repeats request for CM / A
2016-06-21 (CM): pick up case and select EvaStöwe as A
- 2016-06-21 (A): init mailing
- 2016-06-22 (A): ruling
- 2016-06-23 (CM): close case
Link to Arbitration case a20140607.1 (Private Part), Access for (CM) + (A) only
EOT Private Part
Hi arbitrators, I suggest that support can have a personal account and an organisational account so that support is able to test patch fixes in the productive environment. For these accounts should be the following procedures installed: The accounts are clearly marked as test accounts. Each action on these accounts needs to be recorded. If possible all certificates on these accounts should be revoked as soon as possible.
Initial Arbitrator decision about parties in this case
This case was filed by Marcus M, but this clearly seems to be a case purely for support team, which Marcus has left. So as Arbitrator of that case I decide that the claimant of this case is CAcert (Support) and not Marcus.
Both Marcus M and support were informed about this in the init mail by the Arbitrator.
In general one does not do testing on productive servers and one does not have test-data on prodcutive servers. But to answer the request we probably have to check if there are some arguments against this general rule.
For once we should take care that our RA and CA are not comprised. If something like this would ever be allowed it would have to be well documentend. But for this such an account would have to be allowed, first.
I. Regular situation based on our policies:
The CAcert Community Agreement (CCA) states in 0.1 point 2:
"Member" means you, a registered participant within CAcert's Community, with an account on the website and the facility to request certificates. Members may be individuals ("natural persons") or organisations ("legal persons").
and in 1.1:
Your agreement is given by but not limited to [...] your request on the website to join the Community and create an account, [...]
The combination of this leads to: By creating an account one requests to become a member of CAcert's community. But only individuals or organisations may be members. So only they may request an account.
"Support" is not an individual and also is not an organisation, so may not become a member. And by Support may not create an account on the productive Server.
II. About the need for an exception
a) "special situations"
It is not the job of support to "test patch fixes in the productive environment" as requested:
It is not the job of support to test patch fixes at all. That is part of software area. To monitor the productive server is the job of critical team. Support engineers are not allowed to be critical team members according to Security Policy 3.4.2. and 9.1.2., as those jobs are exclusive.
b) regarding regular situations:
CAcert Inc is an organisation member of CAcert community and has an organisation account. If necessary support members could become an organisation administrator for that account.
Also every member of the support team has to be a member and by this has an account. Even more support engineers perform actions on accounts of other members via their own account.
Even if a special account would be allowed to the productive server it could not be used to "test special scenarios" because no assurance could be done via this account no email address or domain could be added to that account no certificate could be issued from that account. At least not without specific exceptions from arbitration.
Any member is allowed to create secondary accounts (even as CAcert does not encourage it). As long as the member does not assure other members with more than one account this is accepted. With such an account it would be possible to add addresses or domains or to issue certificates and even to be assured or to assure (as long as there is no assurance over the same member in another account). Such an account woud be much more useful to test things than the account which support was requesting.
For anything else it is also possible to build a test-system with the configuration of the productive system, if the existing test systems are not sufficient.
There is no need for the request and even if there were, there are already better alternatives within what is already allowed.
1. The CAcert Community Agreement  only allows individuals and organisations to have an account. 2. For allowing an exception via arbitration authority, some explicit and dire need would have to be presented as any exception clearly has the potential to compromise both the RA and the CA. 3. No need for an exception to allow an account for support, could be found. On the contrary such an account would be less useful than other alternatives: a) Support as claimant mentioned the need to use such an account to create special situations to "test patch fixes in the productive environment". It is not the job of support to test patches or to monitor the productive system. We have other teams for this. The membership to those teams is exclusive to support membership according to the Security Policy. b) Test patches are meant to be tested sufficiently on testing servers, where there are no limitations. c) For any "normal" check that a support engineer may need to do, the support engineer could use own accounts. If necessary a support engineer could also ask the according authorities to become an organisation administrator for the organisation account of CAcert. With those accounts certificates and assurances can be issued and done. d) If the requested account would be allowed no such activity could be done without specific arbitration decision. 4. If and only if someone comes up with a specific need for such an account, this can be granted in a specific case with specific controls by a specific arbitration decision. 5. The general request for an account for support is rejected. Eva Stöwe - 2016-06-22
- 2016-06-22 (A): ruling