- Case Number: a20140624.1
- Status: closed
- Claimant: Marcus M (as representant of Support)
- Respondent1: Martin B
- Respondent2: Peter S
initial Case Manager: EvaStöwe
Case Manager: SebastianKüppers
- Date of arbitration start: 2014-11-09
- Date of ruling: 2014-11-18
- Case closed: 2014-12-22
- Complaint: assurance of different accounts of same person
- Relief: TBD
Before: Arbitrator Eva Stöwe (A), Respondents: Martin B (R1), Perter S (R2), Claimant: Marcus M (C) (as representant of Support), Case: a20140624.1
- 2014-06-24 (issue.c.o): case [s20140623.75]
- 2014-06-25 (iCM): asks C as support member if closure of account part of the case ticket could be handled by support, now (AE would remain a member and under CCA and DRP because of second account)
- 2014-06-25 (iCM): added to wiki, request for CM / A
- 2014-06-25 (iCM): notifies C, R1, R2, AE about case
- 2014-06-25 (iCM): asks internal auditor for an estimation if another issue in the related support case should lead to a second arbitration case
- 2014-06-26 (C as Support member): sees no problem to handle closure of account part of ticket by support
- 2014-06-27 (iCM): split closure of account ticket from the case and moved it back to support to be handled there
2014-06-27 (intenal Auditor): sees potential privacy breach and potential abuse of power in the related support case, opened incident i20140625.1
- 2014-06-28 (iCM): informs internal Auditor about link to the contents of the last mail (including the anonymised mail exchange found in the support ticket) - link in 2. mail
2014-07-12 (intermal Auditor): filed a dispute in the case a20140712.1 regarding the activities found in the support ticket
- 2014-07-19 (iCM): informed R1, R2 and AE about existence of related case a20140712.1, because they may be affected
- 2014-07-26 (iCM): repeats request for CM / A
- 2014-11-09 (A): I'll take this case as A, CM will be CM
- 2014-11-09 (A): init mail send to C, R1, R2
- 2014-11-18 (A): send ruling to C, R1, R2, AE, Assurance Officer, CM
- 2014-11-18 (A): notified internal Auditor about ruling
- 2014-11-18 (A): added note about ruling to history of a20140712.1
- 2014-12-22 (A): closed case
Link to Arbitration case a20140624.1 (Private Part), Access for (CM) + (A) only
EOT Private Part
Dear arbiration, I would like to clarify if the assurer [R1] was allowed to assurer [a member] twice or not as support is unsure what to do. Since until than I move this support case to arbitration.
Parts in  anonymised.
R2 included by iCM, as he acted in the same way as R1 and had the same role as R1 in the support case that caused this dispute. It would be random and unfair treatment to include one and leave the other out.
Facts about the current case known from the support ticket
directly relevant to answer the dispute about assurances of multiple accounts of same person
The following facts are known by the support ticked that was handed over to Arbitration to be handled in this case:
- The assuree (AE) created two accounts. The second account was created because he did not want all his name parts to appear in the certificates. The intention was to switch over to the second account when it was assured well enough.
- The first ticket was a request to get the first account removed, so that only the second account remains
- This was refused to do by Support until the case was handed over to Arbitration
- The ticket was split by the iCM so that the closure of the account could be done independently from this case, as there is nothing known to prevent the closure and it only helps to clean up the issue of multiple accounts
- The first ticket was a request to get the first account removed, so that only the second account remains
- The assuree asked two assurer who previously had assured the first account to assure the second account
- both assurer R1 and R2 did so, with a second assurance and a second CAP form
- both assurer R2 and R2 were informed about the intention of AE to switch over to the new account and to close the first one
discussion about different name parts in the accounts
There was also a discussion within the support ticket if the usage of the names within the second account is correct. As the dispute does not touch this part of the support ticket it should not be discussed and decided in this case. It should be noted that another Arbitrator who was asked about the issue by support already answered, that the usage of the names in the second account seem to be allowed by our policies. This finding seems to be correct. But neither this comment nor the answer of the other Arbitrator are binding as there currently is no arbitration case filed.
orders given by support, this may also be relevant for related case a20140712.1
The following orders were given by Support based on the argument, that the assurances for the second account were not allowed (and maybe to learn about the correct name of the assuree):
- The Assuree (AE) was asked to state what names are exactly written in his official documents.
- This should later be confirmed by the assurer and if there remain questions another assurance would be required by an experienced assurer maybe with the addition that a birth certificate should be used.
- The Assuree (AE) was ordered that until the case was solved, AE should not do anything with both accounts especially he should not get another assurance or issue another certificate.
- R1 and R2 (the assurer) were ordered to pay more attention when they assure someone and to refuse an assurance if in doubt
- R1 and R2 (the assurer) were ordered to look up the data found in the official documents and entered in the CAP forms for the assurances in question.
All three persons answered support with the information about the names so this information is part of the support ticket of this case.
(This are translations as the support ticket was done in German)
Arguments presented in the support ticket regarding the assurances of multiple accounts of a person
The following arguments were presented in the support ticket. All of them are translations from German to English. The translations were done by the Arbitrator of this case who is a native German speaker.
Arguments for "assuring of multiple accounts is forbidden"
A. Support 2014-06-24 11:50:59
There were only three months between the assurances for each of the assurer, so everybody should remember them and nobody can argument that they forgot the previous assurance.
This argument does not answer the question if the assurances were allowed or not, at all. But even if it would be relevant. experience shows the contrary. The Arbitrator has observed multiple senior assurer (including herself) who could often enough not remember if they had assured someone even at the same day. This is quite common when assurances are done at a bigger event. They definitely would not have remembered this three months later.
B. Support 2014-06-24 13:26:26
The meaning of an assurance is (beside others) to state that the identity of one person was verified by another person. This can only be done once, independent of how many CAcert accounts someone has.
While it is true that the meaning of the assurance is to verify the identity of a person by another person, nothing could be found with a search through our policies to verify the part that this could only be done once.
On the contrary, there are multiple processes known where it is currently allowed to perform multiple assurances from one person over another for the same account.
This includes the following:
- the current co-audit process if the co-auditor or candidate previously have assured each other in a normal assurance
- password reset assurances, with someone who already had assured the person
- name changes based on assurances, with someone who already had assured the person
The Arbitrator of this case was part of each of those in person, at least once. At least one of each category were arranged by a support team member, so all of them were acceptable from the point of view of support.
Currently only one of those assurances is entered in the system. But there were cases where one assurance had to be revoked and later was replaced with a new assurance between the same persons, which was entered in the system.
So there are multiple situations, where it is allowed if not even intended that one person assures another more than once.
There is even a current discussion if the software could allow for the renewal of an assurance between the same persons. The policies would allow for this.
The only thing that is fixed is how many points one person may award to a name of another person. It does is not stated how often those points may be entered / set as long as at any given time the maximum points one can award per name is not exceeded.
See: Assurance Policy (AP) 4.3.
The above quote from the support member is one form the Assurance Handbook. This refers to an arbitration case a20090510.3. While this sentence actually appears there, later on it is presented in more detail as:
An assurer can only assure a CAcert member once, with a single account, not with multiple accounts.
However, the Arbitrator of this case did not give a reference what policy was used as a basis for that finding. This was also not the core part of the dispute he had to answer. The question of said arbitration case was how often someone with multiple accounts may assure someone else (or own accounts), which is the other way round. So the part about "independent of how many CAcert accounts someone has" was written with the case in mind that the assurer uses multiple accounts fo assure one account of the assuree. By doing so someonecould easily award more assurance points to a name than the allowed maximum.
As it was pointed out above, we know a lot of processes which contradict this statement, that an assurer can assure another member only once.
C. Support 2014-06-24 18:48:52
All are references to Assurance Handbook (AH)
"Although there is no rule that forbids having two or more accounts, it is not recommended, since it can cause problems."
While the recommendation is against having multiple accounts, the relevant part of this quote is that it is not forbidden to have multiple accounts. By this one member is allowed to have multiple accounts. (Even if not recommended. But as the assuree AE tried to solve the issue by the request to get one account deleted the involved persons tried to honour this recommendation, as well.)
"Since an Assurer can only assure another member (a person) only once, it is forbidden for an assurer to assure a single person and register that assurance with more than one account."
This does not match the case as each registered assurance was done separately.
This reference was the main argument the support team member presented against the assurances of multiple accounts of the same person with different assurances.
"Therefore, since having multiple assurer accounts is not required, it is strongly advised not to allow them."
This quote does not apply, here. Nobody was found to have multiple assurer accounts in this case. The assuree (AE) did not plan to be able to assure with both accounts. He requested to get one of them deleted before either of them reached 100 points.
"Ruling: An assurer cannot meet himself/herself face-2-face. Therefore all assurances by Respondent of accounts of the Respondent are invalid and must be revoked incl. revocation of experience points."
This quote does not apply, here. The only person with more than one account was not an assurer and could not have assured himself with either account.
Only C.1. is apply-able in this case and it tells us that multiple accounts are allowed to have, but not recommended.
Arguments for "assuring of multiple accounts is allowed"
All arguments presented here relate to the case that each assurance is done separately. Some of them may relate to the fact that the assuree was not an assurer with any of his accounts.
E. R1 (Martin B) 2014-06-24 17:44:30
Quotes Assurance Handbook
"It is not forbidden to have multiple accounts", even "It is not forbidden to have multiple assurer accounts"
This corresponds to C.1 and was found to be true.
F. R2 (Peter S) 2014-06-24 21:39:54
Refers to Assurance Handbook
According to this it is forbidden that an assurer who has multiple accounts uses them to assure someone multiple times on the same account, as this would lead to the assurer being able to assign more than the allowed maximum points. Also, assurer are not allowed to assure their own accounts. As multiple accounts are allowed, I cannot see a reason to not assure someone on their accounts, as it is the same person.
Nothing in the policies or related documents could be found to contradict this assumption.
G. arbitrator who was asked by support to give his opinion 2014-06-28 21:16:26
He described that he was involved in some recent discussion on related issues. And states:
it does not contradict our polices to create multiple accounts, as long as the entered information is correct. Based on what you quoted in your mail (date of birth was not present, but I assume that it matches), I would say that the data in both accounts is acceptable.
This was found to be true with C.1.
in general it also does not violate our policies to get assurances for those multiple accounts. However there may be the problem that if someone assures a lot of accounts by this, the assurer could get more than the earned experience points. But if it is only about two accounts this is probably not the main reason.
it is naturally forbidden to assure someone with more than one account, as this violates the Assurance Policy (maximum of points a single person may give).
This is true, as already hinted above, but does not apply to this case.
Summarised we have the simplified rule: It is ok to create multiple accounts and to get them assured, as long as the information is correct. But only one of those accounts should be used to assure others.
The first part strengthens again what already was stated.
The second part is not the focus of this case as the assuree had not assured anybody with any of his accounts. However it may also be ok if any person is only assured by one of the assurer accounts at any given time, even as this is not recommended to do. This issue would need to be clarified within another arbitration case, if someone tries to do this.
This makes it somewhat difficult for support and partly also for arbitration. But we could not derive something more strict from the policies.
This is also the conclusion that has to be given based on the policies and the arguments presented.
H. Finding of internal Auditor in i20140625.1
The internal Auditor also gave a statement regarding the case as he is familiar with an anonymised version of the support ticket:
Finding 4: There is no rule in CAcert, that one assurer cannot assure an assuree several times.
While he later states that this point has to be verified in this case, it is also an independent finding that comes to the same conclusion, that our policies does not forbid the assurance of multiple accounts from one assuree in general.
Summary on above arguments
- Multiple (assurer) accounts from one person are allowed (but not recommended).
- There are processes defined that allow for more than one assurance from one person over another as long as this does not lead to one person awarding one name in an account more points than their allowed maximum of points.
- Each such assurance has to be done with a separate assurance. As each assurance only includes one primary email address that is related to one account it cannot be done otherwise.
- This should not be done to push the experience points from one person
- If such an assurance only is done singularly this cannot be seen.
- As this kind of assurance would lead to all the questions of this case which have to be considered, of the answer had to be looked up, the experience of such an assurance would be at least comparable to a normal assurance.
- The assurance in this case have definitely lead to a lot of additional experience on the side of the assurer. Including research within the AP and the AH, discussion on support level and finally to be involved in an Arbitration case. The 2 additional experience points have to be considered to be well earned.
The only question that was not addressed in detail so far is that the points awarded to the names do not exceed the allowed maximum as this is the only clear requirement stated in the AP with relevance to this case.
The idea behind this is to have the need to get assurances from different assurer to gain the 50 or 100 assurance points. This is not contradicted by awarding up to the maximum of the allowed assurance points separately for two names in two accounts. Even if they are originally the same name. Non of the assurances of one person was given on top of another assurance from the same person.
The respondents of this case did not violate a policy by assuring both accounts of the assuree with separate assurances.
The only action for support to proceed in this case should be to complete the account deletion as requested by the assuree, if this is not already done.
Any order or warning given by support in this case, based on the assumption that the assurances were not allowed, are invalid and obsolete. They should not be executed from any side.
We do not recommend to use multiple accounts but it is allowed to have them. As long as each name in each account is only assured by one assurer up to the maximal number of points that the assurer may award and as long as the assurance process is followed for each assurance separately and nobody assures accounts of themselves, the AP is honoured. In this case the assurance points state the correct confidence level for each name, which is exactly how the Assurance Policy wants assurance points to be interpreted.
However, to assure multiple accounts of the same person may not be used to excessively push the experience points of an assurer. A single occurrence of an assurance of a secondary account of an assuree cannot be seen as such a push. On the contrary, this probably leads to additional experience and training on the side of the assurer, even as this should not be the core intention of such an assurance.
As multiple accounts are not recommended, and while multiple assurances are found to be allowed, an assurer of multiple accounts from the same person should nonetheless be advised to consider the reasons why the assuree requests an additional assurance, if this is spotted.
The assurance officer should update the Assurance Handbook accordingly. If this is not done within a reasonable time frame, this may instead be done by the Arbitrator, the Case Manager or another person authorised to do so by the Arbitrator of this case.
- 2014-11-18 (A): send ruling to C, R1, R2, AE, Assurance Officer, CM
- 2014-11-19 (Support): closed account from AE
- 2014-11-19 (AO): refused to update Assurance Handbook, because: all quesitons regarding multiple accounts were already answered by the previous cases and the quote in the AH and that the current ruling is just another wording about what was in the AH
- 2014-11-20 (A): disagrees with OA: the points in the AH were obviously not clear enough, else Support would not have filed this dispute to clarify those points, also it was found that the old cases only answerd the question about assurer with multiple accounts but not if about assurees with multiple accounts, asks AO
- 2014-11-20 (R1): the AH was clear enough for R1, but this case and discussion with other assurer showed that not all read the AH in the same manner. Also the question about multiple accounts on the side of the assuree is not covered in the AH.
- 2014-12-22 (A): updated the AH, as there was no further response from the AO or an update to the AH.
- 2014-12-22 (A): informs participants about execution and closing of case