Partial anonymised conversation history of a20141024.1

This is a collection of the documented statements collected in the case file of a20141024.1.

The statements are edited / anonymised as:

Meassurement was:

Disclaimer:

Original Dispute

> Hello,
> please terminate my account and send me a confirmation of termination.
> Thank you very much
> Bruno

further parts of the Support ticket

Support: answers C, please respond if you do not want to have the account closed

> Hello [...]
> 
> > please terminate my account
> 
> We received a deletion request for your CAcert account dated 2014-10-07.
> If this does not represent your wish, please respond within 14 days
> (deadline set  . To: 2014-10-23). Otherwise this case will be acted upon
> automatically and lead to the closure of your account.
> 
> If you want to delete your account because you have lost the access to
> it, an alternative may be to try to recover your account. In this case
> your assurance points, assurance state, domains, and certificates would
> be retained. For more information see. [1]
> 
> The process for the deletion of an account is laid out in the precedent
> arbitration case a20111128.3 [2].
> 
> [1] http://wiki.cacert.org/FAQ/LostPasswordOrAccount
> [2] http://wiki.cacert.org/Arbitrations/a20111128.3
> 
> -- 
> Kind Regards
> Werner D[...]

Note from Support at 2014-10-24

Dear arbitrators,

the member is assurer and gave an assurance:

[assurance details]

Note from Support at 2014-10-24

open

pre Arbitration action

iCM: notified C about case

Dear Bruno,

a dispute filing has been received, the Arbitration case number is:
a20141024.1. It is about the termination of your assurer account.

You can find the current state of this arbitration case at:
https://wiki.cacert.org/Arbitrations/a20141024.1

The search for a Case Manager and Arbitrator is still open.

Given  the current backlog of arbitration cases, this might take some
time. If  you consider your case as urgent please notify me so I can try
to prioritize your case.

As the next step a Case Manager or Arbitrator will contact you with a
initial mailing as soon he gets appointed to this case.

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

A: take care

Dear Arbitrators,

I'll take care of the following cases as Arbitrator, if nobody objects.
Martin Gummi has volunteered to be the Case Manager. Sebastian also had
volunteered, previously, if he shows activity again, I would like to ask
him, to take over the Case Manager role, as previously discussed with Magu.

The cases are:
http://wiki.cacert.org/Arbitrations/a20140929.1
http://wiki.cacert.org/Arbitrations/a20140930.1
http://wiki.cacert.org/Arbitrations/a20141002.1
http://wiki.cacert.org/Arbitrations/a20141011.1
http://wiki.cacert.org/Arbitrations/a20141024.1

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

A: init mail

Discovery / activity prior to ruling

A: mail to support to clarify account details

Dear Support,

I am the Arbitrator of Arbitration case a20141024.1 "terminate assurer
account Bruno".

To be able to handle the case, I need some more information about the
account of the claimant.
Only known information for Arbitration:
name: Bruno
email address: [...]
[a number] assurance given [time frame]

Please be so kind and tell me the following:
- complete name of the claimant
- primary email address if this is not the one provided
- status of certificates
- CCA status

Thank you.

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

Support: gives account details

A: repeated mail to C

Dear Bruno,

I am the Arbitrator of the CAcert arbitration case to close your account
(a20141024.1). In this context I have addressed you with below mail.
However I did not see an answer.

It would be in the interest of your assurees, if you could send us the
CAP forms of your assurances. Else it would be good to get a
confirmation that you will keep them safely and destroy them correctly
after the 7 years you agreed to store them.

I will be at the FOSDEM next weekend. If you are also there, that may be
an option to hand over the CAP forms.


Also it would be good if you confirm the request to close your account.
Please do so before 2015-02-08.

However, if you do not answer by then, I will assume, that you have no
interest in CAcert any more and will address support to close your account.


On 07.12.2014 22:29, Eva Stöwe wrote:
[full quote of init mail]

A: informed the internal Auditor about the intention to install the new process

Dear Benedikt,

in the context of the discussion of a20141231.1 (no automatic revoke of
assurances in the context of delete account cases) you have mentioned
that you have some privacy issues, however you forgot about them, later.

Currently, I am working on a new precedents case for delete account
cases based on that ruling. I plan to do the ruling "in the near future"
(within quite few days, maybe tomorrow). However I want to give you a
chance to remember and mention your point by going through the process
that I am defining. It can be found at:

https://wiki.cacert.org/Arbitrations/a20141024.1

The planned ruling will allow for non-major changes to the process up to
3 months afterwards. So even if you are not able to respond before the
ruling, I hope that your issues are not as big, that they cannot be
integrated later - if they are not even resolved, anyway.

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

Ruling

Dear Bruno, dear Support,

as the Arbitrator of the CAcert Arbitration case a20141024.1 -
"terminate assurer account Bruno" [1] I hereby come to the following ruling:

The delete account process for assurer and non-assurer accounts should
be changed as described in the process definition part of the discovery
of this case file. This process replaces all delete account processes
defined in previous precedents cases for delete account cases that are
handled by Support, including a20111128.3[2] and a20140713.1[3].

The main reason for the new process are recent changes of the CAcert
Community Agreement[4] and the ruling given in a20141231.1[5].

Support should take care that all Support-Engineers are aware of the new
process. It would be appreciated if the relevant process descriptions in
the support area would be updated, accordingly.

If issues arise with the process within three months after the ruling,
the process may be updated by the Arbitrator of this case, or the Case
Manager or a Support-Engineer if they have the confirmation of the
Arbitrator to do so, as long as the core elements stay the same.
Substantial changes should be noted in the case log.

The account of the claimant should be closed as requested by the
claimant. The new process should be used. Even as some steps were
already done by Arbitration, Support should start with step 1.

Frankenthal, 2015-04-13


@Support here the details for the account of the claimant:

[full name, email address of claimant]

[1] https://wiki.cacert.org/Arbitrations/a20141024.1
[2] https://wiki.cacert.org/Arbitrations/a20111128.3
[3] https://wiki.cacert.org/Arbitrations/a20140713.1
[4] https://www.cacert.org/policy/CAcertCommunityAgreement.html
[5] https://wiki.cacert.org/Arbitrations/a20141231.1

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

A: informs board and arbitration team about ruling

Dear fellow Arbitrators, dear board, dear Benedikt,

I hereby want to inform you, that I just gave a new precedents ruling
regarding delete account cases in the case a20141024.1 -
"terminate assurer account Bruno".

The reasoning as well as the new process can be found in the case file:
https://wiki.cacert.org/Arbitrations/a20141024.1

The major change is that even assurer accounts can now be closed by
support without the need to go through arbitration in most cases.

The reason for this is that in another case it was already ruled, that
assurances may not have to be revoked when the CAP forms are no longer
available. The claimant of that case was Benedikt. The reasoning here
can be found at:
https://wiki.cacert.org/Arbitrations/a20141231.1

@board: It would be good if you would organise some help to ensure that
the new process will be explained where now the former process is
described. This probably will take some time.

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

Execution

Support: response to ruling: "I disagree with your decision [...]. It is not well thought and therefore not applicable."

Hello Eva Stöwe,

I disagree with your decision in the arbitration case a20141024.1. It is not well thought and therefore not applicable.

In "Process Definition" you wrote:

> optional: proposal to block the account
> if this is added the wording has to be clear that it is 
> optional and no requirement for the closure of the account 

and later

> In the context of the process defined here, an account 
> may only be blocked with the explicit agreement of the 
> affected user.

There is no such option. Either there is not any reason or it is mandatory.

If no certificates exist or all certificates are expired or revoked more than 3 month ago, I can immediately delete the account, so there is no "meantime" and therefore no need to block the account at all. 

If there are certificates not yet revoked and not expired more than 3 month ago, I have to wait till these 3 month are over. During this time no change to the account should be possible neither by the owner of the account nor by anyone else. Since the member regards her account as abandoned and doesn't care much about it, it is in the interest of the member herself, that no one can change the account. Therefore I regard it as mandatory to block the account in the meantime. If the member changes her decision and wants to keep her account, it is very easy to unblock it, but this is a distinct decision and well documented.

> If the user was an assurer and did not confirm 
> the point about the CAP forms 

This is not quite correct. If a member has assurer status, is irrelevant. Important is, if there are given assurances. 

> Currently there is no way for Support-Engineer to know for sure 
> that a user is not involved in an arbitration case, so this check 
> cannot be done in a clearly defined manner. 

Since a long time there has been the suggestion to create a data base of all pending arbitration cases and the persons affected, so Support could check if a member wanting to resign is involved in a running arbitration case. I hereby repeat this suggestion.

In "Note about step 5" you wrote:

> The first impulse from the Support-Engineer (and others) 
> is to at least revoke the assurances. 

This has never ever been the case. The revocation of assurances has never been part of the deletion of an account but has always been a totally independent process. If an account is deleted (really: anonymised) all name fields and the DoB are anonymised and all flags are deleted, except the blocking flag which is set. Additional email addresses and domains are deleted and all certificates revoked. But assurances received, assurances given, assurance points and experience points remain unchanged.

If any assurances shall be revoked, this requires an explicit and independent order. It is not part of an account delete process.

-- 
Kind Regards
Werner D[...]
CAcert support

A: some points should be clarified more in the process; could not find a point that would be blocking reason against the ruling

Dear Werner, dear Support,

On 16.04.2015 07:14, CAcert Support wrote:
> Hello Eva Stöwe,
> 
> I disagree with your decision in the arbitration case a20141024.1. It is not well thought and therefore not applicable.

please be a little bit more careful with your formulations, as you are
facing an Arbitration ruling, that was not done in the void, but after
consulting a lot of people over the time, including a prominent Support
team member. Not all communication that was done is documented in the
case file. There is no need for this also it would be quite hard to note
down every time that one touches a topic of a case about one is
thinking, as an Arbitrator. No other Arbitrator notes this down (as
communication with the CM is not mentioned in general, also).

The new process is not such different than the deprecated ones. But a
change was needed or at least sensible based on the ruling done in
a20141231.1 which was given because Benedikt asked for a change about
how assurances were treated when assurer were leaving CAcert. Also parts
of the deprecated process were not in accordance with the last changes
to the CCA.

But the core elements for Support were not changed. Actually for the
termination itself the new process points to the documentation of the
old process.

> In "Process Definition" you wrote:
> 
>> optional: proposal to block the account
>> if this is added the wording has to be clear that it is 
>> optional and no requirement for the closure of the account 
> 
> and later
> 
>> In the context of the process defined here, an account 
>> may only be blocked with the explicit agreement of the 
>> affected user.
> 
> There is no such option. Either there is not any reason or it is mandatory.

This answer is easily answered: There is no general reason to do this.

But IF and only if the user would like to have this, than there is a
reason to do so, which would be the request of the user.

This is in accordance with SP 8.1:
"Support Engineers do not have any inherent authority to take any
action, and they have to get authority on a case-by-case basis. The
authority required in each case must be guided by this policy or the
Security Manual or other clearly applicable document. If the Member's
authority is not in doubt, the Member can give that authority. If not,
the Arbitrator's authority must be sought."

In the case that the member asks/authorises it, or it seems that the
member agrees to it, the ruling allows you to block the account.

The option of the block is added, because not all members know about
this possibility and support is arguing in other contexts that a block
would be in the favour of the members. But this decision should be done
by the respective members, if there is no general need for it.

> If no certificates exist or all certificates are expired or revoked more than 3 month ago, I can immediately delete the account, so there is no "meantime" and therefore no need to block the account at all. 

In this case you do not need to mention the block in the case.

> If there are certificates not yet revoked and not expired more than 3 month ago, I have to wait till these 3 month are over. During this time no change to the account should be possible neither by the owner of the account nor by anyone else. Since the member regards her account as abandoned and doesn't care much about it, it is in the interest of the member herself, that no one can change the account. Therefore I regard it as mandatory to block the account in the meantime. If the member changes her decision and wants to keep her account, it is very easy to unblock it, but this is a distinct decision and well documented.

I cannot follow your argumentation. A block does a lot more than
preventing changes. It also prevents the members checking the contents
of the contents of their accounts, for example to check their done
assurances (f.e. to be able to give the requested confirmation regarding
the CAP forms) or something about old certificates which they also may
need to do in the grace time.

Also they ARE members during this time. We force them to be members. The
CCA tells us that we provide services to members. So we have to have a
good reason to deny our services while forcing them to keep their parts
of the membership up.

Also I do not see an issue if the user changes something in the account
during that time. The user may even have to do so based on the CCA.

It does not hurt, if the user removes email addresses or domains or even
switches the primary email address (if someone wants to quit CAcert,
there may be other changes in the communication means for the member).
Also there is no reason why the person may not get assurances or be
assured during that time.

I even see no reason why the member should not be able to issue
certificates. There have be really good reasons to deny this.

Sure the account cannot be closed in this case. But that is the ONLY
issue. Support has to check that all certificates are older than 3
months at the time when they do the closing of the account, anyway. If
there are new certificates the account cannot be closed. But in this
case it is easy to contact the member, if the wish to terminate the
membership was changed in the meantime. Which actually would be the best
outcome.

Support was not able to provide any arguments to provide a general
argument for a block beside of distrust in ALL our members that they
care about their accounts. If one asks to terminate an account one shows
that one cares about the account. Else one would just leave it be, as
probably most people who lose interest in CAcert do.

Btw, in the context of another case, Benedikt told me, that there is no
security reason that would ask for a general block of accounts, when
they are about to be closed.

I will adjust the process description so that the account explicitly has
to be checked again before the closure of the account by the
Support-Engineer.

>> If the user was an assurer and did not confirm 
>> the point about the CAP forms 
> 
> This is not quite correct. If a member has assurer status, is irrelevant. Important is, if there are given assurances. 

I can change the wording to "active assurer".

>> Currently there is no way for Support-Engineer to know for sure 
>> that a user is not involved in an arbitration case, so this check 
>> cannot be done in a clearly defined manner. 
> 
> Since a long time there has been the suggestion to create a data base of all pending arbitration cases and the persons affected, so Support could check if a member wanting to resign is involved in a running arbitration case. I hereby repeat this suggestion.

We know about this. It may be part of the new software, there were
requests. If not it may be that a small software project from Magu and
my could help, but currently we are not working on this.

But as it is not present, we have to work without such a tool.

> In "Note about step 5" you wrote:
> 
>> The first impulse from the Support-Engineer (and others) 
>> is to at least revoke the assurances. 
> 
> This has never ever been the case. The revocation of assurances has never been part of the deletion of an account but has always been a totally independent process. If an account is deleted (really: anonymised) all name fields and the DoB are anonymised and all flags are deleted, except the blocking flag which is set. Additional email addresses and domains are deleted and all certificates revoked. But assurances received, assurances given, assurance points and experience points remain unchanged.

You are wrong. It was the main issue in assurer account cases and of the
parts Arbitration did with such cases. Until recently it was documented
to be as I described above.

It may be that you never realised this form what you did in Support, but
those cases were not handled by Support.

> If any assurances shall be revoked, this requires an explicit and independent order. It is not part of an account delete process.

Correct. This was changed by the ruling. The delete account process for
deletion of accounts by Support does not include any revocation of any
assurance. As found in a20141231.1 was found there is no reason to do
so, even if active assurer request to terminate their accounts.

I did not see that you addressed any major issues, as your first lines
implied.

The wording for step 5 will be changed by me (or may be changed by the CM).

However I have another addition/clarification that I want to add. It is
about special roles that the member had, like OA, TTP-Assurer or
something with special access rights. If something like this is found
this would prevent a direct execution of the process. I make this clear,
as well.

Please execute the ruling with the clarifications that were made. You
did not make clear what would prevent to do so. If you have further
questions, the naturally should be addressed, as well.

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

Support: implies that the claimants account was already checked, so account was terminated, uses deprecated precedents case

Hello Eva Stöwe,

> Dear Bruno, dear Support,

I cannot see Bruno in the CC list.

> The account of the claimant should be closed as requested by the
> claimant. The new process should be used. Even as some steps were
> already done by Arbitration, Support should start with step 1.

-------------------------------------

Hello [full name of claimant],

Eva Stöwe  schrieb:

> The account of the claimant should be closed as requested by the
> claimant. The new process should be used. Even as some steps were
> already done by Arbitration, Support should start with step 1.

I imply that you agreed with the arbitrator how the CAP form of your assurance shall be
treated.

I executed this request to delete your account following the
ruling of the precedent case a20111128.3 [1] with some modifications
according to the new precedence case a20141024.1 [2].

The account is now deleted and CCA [3] is terminated on 2015-04-16.

[1] http://wiki.cacert.org/Arbitrations/a20111128.3
[2] https://wiki.cacert.org/Arbitrations/a20141024.1
[3] http://www.cacert.org/policy/CAcertCommunityAgreement.php
    CAcert Community Agreement

-- 
Kind Regards
Werner D[...]
CAcert support

A: Informs Suppot about wrong execution, asks for explanation

Dear Werner, dear Support,

I removed Bruno from my last email, as it only about issues relevant for
Support (and maybe of interest for members who want to leave in the
future). The interest of Bruno is only to leave CAcert with as less fuss
as possible. Please respect this.


>> The account of the claimant should be closed as requested by the
>> claimant. The new process should be used. Even as some steps were
>> already done by Arbitration, Support should start with step 1.
> 
> I imply that you agreed with the arbitrator how the CAP form of your assurance shall be
> treated.

No, this was not done, as you could see by reading the ruling. This was
your job to do. The ruling told you to go through the whole new process
without skipping anything.

> I executed this request to delete your account following the
> ruling of the precedent case a20111128.3 [1] with some modifications
> according to the new precedence case a20141024.1 [2].

Please explain, how you did this so fast when you did not know the
answer to above question. You would have needed at least 3*2 weeks to do
so, without an explicit answer from the claimant.

This definitely needs some explanation on your side, else I will have to
address your team lead or even board and maybe even consider some even
more drastic steps, if you did not follow a process authorised by an
Arbitrator to terminate a membership.

If you had issues to understand the ruling, you should have asked and
not made assumptions.

Please provide your explanation before Sunday 2015-04-19.

I know that this deadline is short, but as there is the danger that more
cases are treated incorrect, this should be clarified directly.


As it seems that Bruno considers himself to NOT be a member any more,
because you told him that his membership was terminated (even if it was
not done correctly), please do not involve him in this discussion,
again. He has the right to not get any mails from CAcert, now, if this
is not explicitly needed (which probably would need the authority of an
Arbitrator).

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

Support: stats that the Arbitrator is not able to give such rulings, does not believe anything the Arbitrator says, further discussion about block

Hello Eva Stöwe,

> but after consulting a lot of people over the time, 

There I am not convinced. I the past you showed several times that you are now aware how Support usually works and what proceeding is appropriate.

> including a prominent Support team member. 

Who was it? Since several years Marcus and me are the only support engineers doing practical work, and therefore have the experience how things usually run and what proceedings are most appropriate. But Marcus didn't discuss this topic with me.

>>> optional: proposal to block the account

> This answer is easily answered: There is no general reason to do this.

See below.

> I cannot follow your argumentation. A block does a lot more than
> preventing changes. It also prevents the members checking the contents
> of the contents of their accounts, 

I do not see any need for this. If a member asks to delete her account, she clearly shows that she does not want to use her account any more. Besides that, if there are no assurances given, there is a deadline of 2 weeks, with assurances this is usually longer. This time should be more than enough to do all residual work, if any. And it can be extended if needed.

If there are no certificates running, I delete the account immediately after confirmation or after the deadline is over. So there is no room for more lookup in the account. Why should I treat an account with running certificates differently in this regard? The immediate deletion is replaced by the blocking of the account. And a blocking is no drastic measure, it can be reversed at any time if needed.

> for example to check their done assurances (f.e. to be able to give 
> the requested confirmation regarding the CAP forms)

In this phase there is not yet a final decision to execute the deletion. So this does not apply.

> Also they ARE members during this time. 

This is no issue. If there would have been no more certificates running the account would have been already deleted. I don't see any reason to treat cases differently in this regard if certificates are still running.

> We force them to be members. 

The only reason is to submit them to arbitration if it would show up that they misused certificates.

> It does not hurt, if the user removes email addresses or domains or even
> switches the primary email address

Indeed. They would be deleted anyway. 

> Also there is no reason why the person may not get assurances or be
> assured during that time.

What is the difference between "get assurances" and "be assured"? I don't see it.

Besides that, it doesn't make any sense to get or give assurances if the account will be removed in a few days. And if an assurance would be given, the question would arise how to handle that CAP form. This looks totally absurd to me. So this would be a valid reason to block that account.

> I even see no reason why the member should not be able to issue
> certificates. 

There are very valid reasons. If a member wants to close her account, it doesn't make any sense to issue new certificates. This would start a new waiting period till the account can be closed. Maybe this could never happen. During the deadline the member can decide if she wants her account deleted or if she wants to keep using her account. But if the decision is made, it should be final. Besides that, even if the member would change her decision, it would be easy to reverse a blocking.

> Sure the account cannot be closed in this case. But that is the ONLY
> issue. 

It is the deciding issue. True, there can be a second chance, but normally a decision should be final.

> Support has to check that all certificates are older than 3
> months at the time when they do the closing of the account, anyway. 

True. But if everything can change easily during the process, we will never come to an end. CAcert has very limited resources, so you should not waste them.

> If there are new certificates the account cannot be closed. 

This could be endless. So this cannot be. In the regular process a member hat enough chances to decide what she wants, so there must be a final point.

> Support was not able to provide any arguments

This I heavily deny.

> Benedikt told me, that there is no security reason that would ask 
> for a general block of accounts, when they are about to be closed.

I see a reason. If a member want her account closed, in most cases she cares less about her account, so it is more likely that the account is captured without detection.

> I will adjust the process description so that the account explicitly has
> to be checked again before the closure of the account by the
> Support-Engineer.

This is standard anyway.

>> If a member has assurer status, is irrelevant. Important is, if there are given assurances. 

> I can change the wording to "active assurer".

Where and how is that defined? Better refer to the essential facts.

>>> The first impulse from the Support-Engineer (and others) 
>>> is to at least revoke the assurances. 

>> This has never ever been the case. The revocation of assurances 
>> has never been part of the deletion of an account but has always 
>> been a totally independent process. 

> You are wrong. 

Look closer what I have written. The details are important.

> It was the main issue in assurer account cases and of the
> parts Arbitration did with such cases. 

This could be in the area of Arbitration but not in the area of Support. I cannot remember any account delete case that was accompanied by revocations of assurances. Marcus, can you remember?

> Until recently it was documented to be as I described above.

Can you tell me where it has been documented?

> It may be that you never realised this form what you did in Support, but
> those cases were not handled by Support.

Who else can delete an account? Was this done by the critical admins? This would be very unusual.

>> If any assurances shall be revoked, this requires an explicit and independent order. It is not part of an account delete process.

> Correct. 

Why did you deny before?

> This was changed by the ruling. 

For Support it has always been so. I cannot remember anything else. Marcus, do you?

> I did not see that you addressed any major issues, as your first lines
> implied.

It is not me to decide if it is "mayor". But I regard the issues important enough to explicitly handle them.

> However I have another addition/clarification that I want to add. It is
> about special roles that the member had, like OA, TTP-Assurer or
> something with special access rights. If something like this is found
> this would prevent a direct execution of the process. I make this clear,
> as well.

I regard this evident anyway. If I remember right, this is documented somewhere. But I didn't search for it.

> Please execute the ruling with the clarifications that were made. You
> did not make clear what would prevent to do so. 

In this very case most points above didn't apply, so I executed it.

> If you have further questions, the naturally should be addressed, as well.

Indeed, I stumbled over another issue. 

Normally closing an account implies terminating the binding by CCA. This is at least true if there are no assurances given and all certificates are expired or revoked. Certificates are no issue, since I normally (always?) wait for their expiration or revocation. If it is safeguarded that all CAP forms are transferred to a reliable person or are securely destroyed, the CCA can be terminated immediately with the closing of the account as well. But what about a member that does not respond, or CAP forms that are missing, that is the fate of CAP forms is uncertain? If it is decided that the account can or shall be closed, can I terminate the CCA binding for that account at the same time? Or is a special treatment required?

And what about a member with several CAcert accounts, where some accounts are closed and at least one account remains? At the moment, I declare the CCA binding terminated for the closed accounts and still valid for the remaining account(s). Is that correct or do you suggest another proceeding?

-- 
Kind Regards
Werner D[...]
CAcert support

A: provides references, reasonings, informs about authorisation based on policies, explains decisions

Hello,

>> but after consulting a lot of people over the time, 
> 
> There I am not convinced. I the past you showed several times that you are now aware how Support usually works and what proceeding is appropriate.

actually there is no need that you are convinced about this. However it
is documented in the case file, that I consulted with Marcus about the
concrete process, more than once. You also can see, that I added a
clarification to one point because of his input.

If I remember correctly, I also shortly addressed the issue with Joost
at the Fosdem, but I may be wrong, as I spoke with so many people there
and I do not remember each conversation in any detail. (I remember other
details about that conversation.)

Anyway, in theory, it is not relevant that the Arbitrator knows how
Support works in this case, as Arbitration is defining how Support has
to work regarding the termination of accounts. The CCA asks exactly for
this. I was one who fought to get the termination out of the direct
hands of the Arbitrators, because I believe that regular cases can be
handled by Support, quite well. However other insisted that the process
for this is defined by an Arbitration ruling - and not by Support.

However, as I said, I did involve people who are quite familiar with
support processes.

>> including a prominent Support team member. 
> 
> Who was it? Since several years Marcus and me are the only support engineers doing practical work, and therefore have the experience how things usually run and what proceedings are most appropriate. But Marcus didn't discuss this topic with me.

It is not under my power how and what Marcus communicates with you, at
least in normal situations. He went over the text of the process at
least twice.

>>>> optional: proposal to block the account
> 
>> This answer is easily answered: There is no general reason to do this.
> 
> See below.
> 
>> I cannot follow your argumentation. A block does a lot more than
>> preventing changes. It also prevents the members checking the contents
>> of the contents of their accounts, 
> 
> I do not see any need for this. 

Actually it does not matter if you see the need or not. Maybe there is a
reason why PolG did not want to let Support decide on the process.

>If a member asks to delete her account, she clearly shows that she does
not want to use her account any more.

That may or may not be the case. But that does not say that the person
does want to give up control over it as long as the person may be
responsible for elements inside of that account.

You need a reason for blocking an account. That either has to be a
request or at least clear acceptance by the user or an Arbitration
decision. Such an Arbitration decision has to be based on a good reason.
This probably has to be either a privacy or a security reason. Neither
is the case here.

> If there are no certificates running, I delete the account immediately after confirmation or after the deadline is over. So there is no room for more lookup in the account.

In this case there would not be a block of the account, anyway, so this
is not the case that we are discussiong.

> Why should I treat an account with running certificates differently in this regard? The immediate deletion is replaced by the blocking of the account. And a blocking is no drastic measure, it can be reversed at any time if needed.

Certificates can be revoked independently of a block. One reason may be
that the member wants to check what the Support-Engineer did and if all
certificates were revoked.

As you should know, there WERE people who only decided that they wanted
to quit just because they felt that they were treated by Support in a
manner that they lost any trust in them. There were more than one of
such cases that we had to handle at Arbitration. Such cases could occur
in the future, as well.

You may or may not think that a block of an account is drastic or not,
just because it is only a click on your side. But if there is no need
for a support activity, it should not be done. The SP is quite clear in
this regard.

>> for example to check their done assurances (f.e. to be able to give 
>> the requested confirmation regarding the CAP forms)
> 
> In this phase there is not yet a final decision to execute the deletion. So this does not apply.

That does not have to be the case. The assurer can just have given the
confirmation that the CAP forms will be treated as requested, as soon as
possible. But there can be a delay, for example if the CAP forms are
stored at another place. We saw such cases. If certificates have to be
removed, there would be plenty of time to do so, just while waiting for
the 3 months to expire. But the member would have a good reason to check
the list of done assurances, again during that time.

>> Also they ARE members during this time. 
> 
> This is no issue. If there would have been no more certificates running the account would have been already deleted. I don't see any reason to treat cases differently in this regard if certificates are still running.

You try to force people to give up the control over their accounts
without reason in some cases while not doing so in others. By this they
would clearly be treated differently.

>> We force them to be members. 
> 
> The only reason is to submit them to arbitration if it would show up that they misused certificates.

Yes, we force them to continue the R/L/O for some time. If we do so, we
should continue to offer our part of the deal, as well.

>> It does not hurt, if the user removes email addresses or domains or even
>> switches the primary email address
> 
> Indeed. They would be deleted anyway. 

Yes, but this may take some time. Maybe the member wants to get them out
of the account, earlier. As they are allowed to do while being a member.

It is unreasonable that one should be able to do so at any time but
would not be able to do so just because one has asked to get everything
deleted.

>> Also there is no reason why the person may not get assurances or be
>> assured during that time.
> 
> What is the difference between "get assurances" and "be assured"? I don't see it.

I meant "give assurances".

> Besides that, it doesn't make any sense to get or give assurances if the account will be removed in a few days. And if an assurance would be given, the question would arise how to handle that CAP form. This looks totally absurd to me. So this would be a valid reason to block that account.

There may be someone who may need that assurance. Just because the
person does not have an interest in CAcert themselves, does not mean
that they would not help someone, if asked.

The CAP forms would be treated as all the other CAP forms. Assurer does
not get untrustworthy just because they declare that they want to leave
CAcert or at least that they want to close an account.

It may be even quite sensible to help to get someone else to assurer
status so that there would be enough assurer in an area, when one wants
to retire.

>> I even see no reason why the member should not be able to issue
>> certificates. 
> 
> There are very valid reasons. If a member wants to close her account, it doesn't make any sense to issue new certificates. This would start a new waiting period till the account can be closed. Maybe this could never happen. During the deadline the member can decide if she wants her account deleted or if she wants to keep using her account. But if the decision is made, it should be final. 

No. I definitely ruled, that that decision can be changed at any moment
until the account is closed. It is in CAcerts interest that people stay,
so we should not deny them this.



> Besides that, even if the member would change her decision, it would be easy to reverse a blocking.

Yes, but that is no reason for the block.

>> Sure the account cannot be closed in this case. But that is the ONLY
>> issue. 
> 
> It is the deciding issue. True, there can be a second chance, but normally a decision should be final.

No. I ruled otherwise, as I just wrote, above.

>> Support has to check that all certificates are older than 3
>> months at the time when they do the closing of the account, anyway. 
> 
> True. But if everything can change easily during the process, we will never come to an end. CAcert has very limited resources, so you should not waste them.

This check is a mandatory check, anyway. (I have to document it in the
process, more clearly). If something is mandatory, there is no waste in
resources.

>> If there are new certificates the account cannot be closed. 
> 
> This could be endless. So this cannot be. In the regular process a member hat enough chances to decide what she wants, so there must be a final point.

It is unlikely that it will change all the time. But if that occurs you
could hand this over to Arbitration who would find a solution for that
case. That is how we solve things in CAcert.

Anyway. Currently PGP signatures are treated likewise. They do not
expire for one year and cannot be revoked. A WoT-certificate is only
valid for 6 months. So there could be plenty of time to issue such a
certificate, use it and wait the 3 months until the grace time for the
PGP signature is over.

>> Support was not able to provide any arguments
> 
> This I heavily deny.

I did not see a reason beside "I do not want this", "Some
Support-known-only-processes-that-we-will-not-describe prevents this",
"I want a final decision". "it can easily be undone" and "I want to
block when I revoke certificates". Non of them tells me why there is a
need for a block.

Without such a need we should not block. We should not put all our
members who happen to tell us that they want to terminate the
membership, early, under suspicion.

>> Benedikt told me, that there is no security reason that would ask 
>> for a general block of accounts, when they are about to be closed.
> 
> I see a reason. If a member want her account closed, in most cases she cares less about her account, so it is more likely that the account is captured without detection.

How do you know this?

So just because you believe - contrary to the Auditor and the Arbitrator
and other people I consulted - that people change how they protect their
credentials when they decide to quit a service? Especially if they know
that this could lead to a lot of fuss, because they accepted to pay 1000
Euro if they do so?

And you believe that this is the case for ALL our members? Everybody who
has agreed to the CCA?

There is a lot room for doubt, here.

>>>> The first impulse from the Support-Engineer (and others) 
>>>> is to at least revoke the assurances. 
> 
>>> This has never ever been the case. The revocation of assurances 
>>> has never been part of the deletion of an account but has always 
>>> been a totally independent process. 
> 
>> You are wrong. 
> 
> Look closer what I have written. The details are important.

I have read it clearly. The consideration about revocation of assurances
was part of the delete account process right from the beginning. It took
a lot of cases until the process was handed over to support and it took
until the last few rulings, until the revocation of given assurances
stopped being a part of it. It also was documented like this in the
Arbitration area.

>> It was the main issue in assurer account cases and of the
>> parts Arbitration did with such cases. 
> 
> This could be in the area of Arbitration but not in the area of Support.

Correct. And this was part of Arbitration until this ruling.

> I cannot remember any account delete case that was accompanied by revocations of assurances. 

There was. It is listed in a20141231.1. I went to every delete account
case of assurer for my last two rulings in this area.

>> Until recently it was documented to be as I described above.
> 
> Can you tell me where it has been documented?

Check which pages I updated at 2015-04-14 in the Wiki. Everything else
is unchanged, as far as I know.

>> It may be that you never realised this form what you did in Support, but
>> those cases were not handled by Support.
> 
> Who else can delete an account? Was this done by the critical admins? This would be very unusual.

The things done by Support in those cases were only a - relatively minor
- part of the whole process. The relevant things that were needed to
check and to think about were a lot more.

>>> If any assurances shall be revoked, this requires an explicit and independent order. It is not part of an account delete process.
> 
>> Correct. 
> 
> Why did you deny before?

I did not deny this.

>> This was changed by the ruling. 
> 
> For Support it has always been so. I cannot remember anything else. Marcus, do you?

That may be the case, but the change is, that the complete delete
account process for assurer is now done by Support without involving
Arbitration at all. At least as long as nothing else is special.

>> I did not see that you addressed any major issues, as your first lines
>> implied.
> 
> It is not me to decide if it is "mayor". But I regard the issues important enough to explicitly handle them.

Yes, as I said, I will update some parts of the process description in
the ruling. I already anticipated that there would be some need for
this, that is why I decided to allow such changes for 3 months. (I again
coordinated this with Magu and Marcus.)

>> However I have another addition/clarification that I want to add. It is
>> about special roles that the member had, like OA, TTP-Assurer or
>> something with special access rights. If something like this is found
>> this would prevent a direct execution of the process. I make this clear,
>> as well.
> 
> I regard this evident anyway. If I remember right, this is documented somewhere. But I didn't search for it.

It is not documented in the new process and this is the only one that
remains at the moment, so it has to be added, there.

>> Please execute the ruling with the clarifications that were made. You
>> did not make clear what would prevent to do so. 
> 
> In this very case most points above didn't apply, so I executed it.

The request for execution was the request to keep to the new process. As
far as I could see, you did not do so. But I already commented this.

>> If you have further questions, the naturally should be addressed, as well.
> 
> Indeed, I stumbled over another issue. 
> 
> Normally closing an account implies terminating the binding by CCA. This is at least true if there are no assurances given and all certificates are expired or revoked. Certificates are no issue, since I normally (always?) wait for their expiration or revocation. If it is safeguarded that all CAP forms are transferred to a reliable person or are securely destroyed, the CCA can be terminated immediately with the closing of the account as well. But what about a member that does not respond, or CAP forms that are missing, that is the fate of CAP forms is uncertain? If it is decided that the account can or shall be closed, can I terminate the CCA binding for that account at the same time? Or is a special treatment required?

I tried to answer this quite elaborately in the case file.

As the ruling of a20141231.1 states, the status of the CAP forms should
not be relevant to keep the assurances. We try to learn about the status
and again to get a confirmation that AP will be honoured.

However the assurer would be bound to honour it regardless of the
membership, as the agreement to do so was done (and documented) during
the assurance, independently from the decision to be or not to be a member.

The core essence is that the assurances do not have any effect on the
termination of the CCA. Please read both case files, if you need more
explanation.

> And what about a member with several CAcert accounts, where some accounts are closed and at least one account remains? At the moment, I declare the CCA binding terminated for the closed accounts and still valid for the remaining account(s). Is that correct or do you suggest another proceeding?

As we do not know about any other accounts this is correct. The
termination formulation should probably be something like "As long as
there are no other accounts, the CCA is terminated at, ..." Or "if the
member has/you have any other accounts the CCA will not be terminated".

I tried to allow you to design the formulations you use, yourself, as I
do not think that it is optimal to always use some predefined words.

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

A: speaks Marcus (after sevral attempts to get in contact on that day, mostly about private things - A told Marcus, that A would like to discuss things regarding this case, but Marcus had no time)

Support: answers handling of the execution: ruling was not clear, guessed things, found it would not make sense to do the full process, thought to be doing the execution correctly

Hello Eva Stöwe,

>> I imply that you agreed with the arbitrator how the CAP form of your assurance shall be
>> treated.
 
> No, this was not done, as you could see by reading the ruling. 

By reading your ruling I had the opposite impression.

> This was your job to do. 

This you didn't clearly tell.

> The ruling told you to go through the whole new process 
> without skipping anything.

True. But there you wrote:

>>> With regard to the ruling given in a20141231.1 the account 
>>> can be closed, even as the claimant did not respond. 

This told me that it is evident in this very case there is nothing known to you that hinders the closure of this account, in particular you are satisfied with the treatment of the CAP form. So I regarded this item as settled and checked everything else you cannot see easily. And since everything else seemed okay, I closed the account according to your order.

And further you wrote:

>>> Cases that are comparable to this one could be handled by Support, 
>>> if an according process is defined in a precedents ruling. 
>>> This should be done in this case. 

This means to me, that most you wrote in this decision refers to future cases and this decision is a precedent decision.

In "Process Definition" you wrote:

>>> favoured option by CAcert that the user hands over the CAP forms 
>>> to another assurer defined by an Arbitrator 

and 

>>> information that if CAP forms have to change hands, the case will have to be handled by Arbitration 

which implies that arbitration is involved in most of this cases.

Therefore it doesn't make any sense that you processed the case, ordered me to close the account and a minute later I have to transfer the case back to you. So it was obvious to me that this was already done by you. 

>> I executed this request to delete your account following the
>> ruling of the precedent case a20111128.3 [1] with some modifications
>> according to the new precedence case a20141024.1 [2].

> Please explain, how you did this so fast when you did not know the
> answer to above question. 

As I explained above it was obvious to me that you already have processed that.

> You would have needed at least 3*2 weeks to do
> so, without an explicit answer from the claimant.

True. But since I didn't process the case from the start but you ordered the account to be closed, I implied that this already was done.

> This definitely needs some explanation on your side, 

Are you satisfied with my explanation?

> else I will have to address your team lead or even board and maybe 
> even consider some even more drastic steps, if you did not follow 
> a process authorised by an Arbitrator to terminate a membership.

Do as you deem appropriate.

But regard, if you give me not well defined and ambiguous orders, you cannot expect a correct execution. I did my best to correctly execute your order.

> If you had issues to understand the ruling, you should have asked and
> not made assumptions.

There have not been simple assumptions but I was convinced to to the right.

> As it seems that Bruno considers himself to NOT be a member any more,
> because you told him that his membership was terminated (even if it was
> not done correctly), please do not involve him in this discussion,
> again. He has the right to not get any mails from CAcert, now, if this
> is not explicitly needed (which probably would need the authority of an
> Arbitrator).

I will do so and assume all following communication with Bruno will be done by you, as long as you do not give me another order.

-- 
Kind Regards
Werner D[...]

A: explains ruling again, this part hardly could be written less obscure, if something was unclear the Arbitrator should be asked about the meaning, also the answer would have been obvious by checking the case file

Dear Werner, dear Support,

please read the ruling carefully. The order in the ruling is important,
as well. Especially as one sentence may point to the sentence before or
after them.

The last paragraph addressed what should be done to the account of the
claimant:

"The account of the claimant should be closed as requested by the
claimant. The new process should be used. Even as some steps were
already done by Arbitration, Support should start with step 1."

It clearly states that Everything from the process should be done by
you, starting at the beginning, regardless of what was done by
Arbitration, before.

I told you to use the process. You ALWAYS have to use the defined
process. ONLY if you get told by an Arbitrator to skip something you
may/should do so.

The SP tells you that you are not allowed to do anything else. For
CCA-termination cases also the CCA tells you that you are not allowed to
do anything else.

This was clearly not the case here.

On 17.04.2015 10:59, CAcert Support wrote:
> Hello Eva Stöwe,
> 
>>> I imply that you agreed with the arbitrator how the CAP form of your assurance shall be
>>> treated.
>  
>> No, this was not done, as you could see by reading the ruling. 
> 
> By reading your ruling I had the opposite impression.
> 
>> This was your job to do. 
> 
> This you didn't clearly tell.

I did. I told you to use the new process.

>> The ruling told you to go through the whole new process 
>> without skipping anything.
> 
> True. But there you wrote:
> 
>>>> With regard to the ruling given in a20141231.1 the account 
>>>> can be closed, even as the claimant did not respond. 
> 
> This told me that it is evident in this very case there is nothing known to you that hinders the closure of this account, in particular you are satisfied with the treatment of the CAP form. So I regarded this item as settled and checked everything else you cannot see easily. And since everything else seemed okay, I closed the account according to your order.

No than I would have stated exactly this. On the contrary I told you to
do everything that is defined in the process, regardless of what was
done by Arbitration.

Even as I did not allow this, but if you would have wanted to rely on
the activity of the Arbitrator you should have checked the history log
of the case-file OR the discovery part of the case file, OR the part
that you just cited above. All tell you that the user die not respond
regarding the CAP forms. There is no room to come to your assumption
that this was otherwise.

> And further you wrote:
> 
>>>> Cases that are comparable to this one could be handled by Support, 
>>>> if an according process is defined in a precedents ruling. 
>>>> This should be done in this case. 
> 
> This means to me, that most you wrote in this decision refers to future cases and this decision is a precedent decision.
> 
> In "Process Definition" you wrote:
> 
>>>> favoured option by CAcert that the user hands over the CAP forms 
>>>> to another assurer defined by an Arbitrator 
> 
> and 
> 
>>>> information that if CAP forms have to change hands, the case will have to be handled by Arbitration 
> 
> which implies that arbitration is involved in most of this cases.
> 
> Therefore it doesn't make any sense that you processed the case, ordered me to close the account and a minute later I have to transfer the case back to you. So it was obvious to me that this was already done by you. 

I regarded it as quite unlikely that the person would answer, now. But
even there would have been an answer, this would have to be hanlded by
Arbitration, the AP does not allow for anything else, as I have also
described in the case file.

You should have executed the process as described. One of the reasons is
so that we can as soon as possible - during the 3 month I gave us - see,
if the process is working and to adjust problematic points.

For this we need to have this done completely.

But even if this was not obvious for you, there was nothing to allow you
to derivative from the defined process.

>>> I executed this request to delete your account following the
>>> ruling of the precedent case a20111128.3 [1] with some modifications
>>> according to the new precedence case a20141024.1 [2].
> 
>> Please explain, how you did this so fast when you did not know the
>> answer to above question. 
> 
> As I explained above it was obvious to me that you already have processed that.

It is not relevant what you seem to be obvious, if the ruling tells you
what to do.

>> You would have needed at least 3*2 weeks to do
>> so, without an explicit answer from the claimant.
> 
> True. But since I didn't process the case from the start but you ordered the account to be closed, I implied that this already was done.

So you did not use the process starting at step 1, as the ruling told
you to do.

>> This definitely needs some explanation on your side, 
> 
> Are you satisfied with my explanation?

I am satisfied so far that I am now sure that you did not execute the
ruling. On the contrary you did something that was against SP and
against CCA.

I fear that I now will have to take action to prevent something like
this, in the future.

>> else I will have to address your team lead or even board and maybe 
>> even consider some even more drastic steps, if you did not follow 
>> a process authorised by an Arbitrator to terminate a membership.
> 
> Do as you deem appropriate.
> 
> But regard, if you give me not well defined and ambiguous orders, you cannot expect a correct execution. I did my best to correctly execute your order.

I do not think that it can be written clearer than what I wrote. I told
you which process should be used and that you should start at the
beginning, regardless of what was done by Arbitration.

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

Friday evening: A speaks to Marcus, informs him about her views and that she sees a need to order a re-training with a support-block so far for acting supporter

A: ordes re-traing for acting support team member, and block support access until it is done

Dear SEs, dear board,

I regret to have to do this, but in this case it looks like the only
sensible thing to do for the moment. As the Arbitrator of a20141024.1 I
have to ask you to do the following things.

1. Please remove the access rights from Werner D[...] to
- the Support console
- the OTRS
for the time being.

This is not meant to be permanent. But I fear it is necessary to ensure
that support activity in critical areas are done correctly, especially
that the ruling of a20141024.1 is executed correctly.

Regrettably, I had to witness that Werner seriously failed to execute
the  Arbitration ruling of this case. It was not the first time, that
rulings were not executed by him exactly, however at other times it was
less dramatic. Also it is clear that he did some other activities
without the required authorisation, recently, as well, like:
- looking up a members account without either the authorisation from the
member nor the authorisation from Arbitration
- posting information from the account on a public mailing list, also
without any authorisation.
While those activities are not handled in this case, they influence my
weighting of the situation.

Currently I have to fear, that it cannot be ensured that support
activity (especially those for delete account cases) is done with the
authorisation required by SP, but even worse that the CCA is terminated
correctly in those cases as defined in the CCA, if Werner is handling
the according cases.

2. Please also:
Organise a re-training of Werner about
- required authorisations to do something as a Support Engineer starting
with the SP
- how to handle delete account cases with special respect to the ruling
in a20141024.1
- how to handle Arbitration rulings, especially if some points are
unexpected or unclear.

3. Please document the training.

As soon as either board or the Arbitrator of this case (or a follow up
case for this point) is convinced based on the documentation, that the
retraining was successfully done, the access to the Support console and
the OTRS should be given back, as long as neither board nor the support
team lead decide differently.

I hope this will only take some days.

I have consulted the President of CAcert Inc. before writing this.

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

Support: explains his view of authorisations including "for a Support member there are no restrictions to view sensitive data" and stating that an Arbitrator does not have the right to give rulings to change the delete account processe- without referencing (or responding to references of) policies

Hello Eva Stöwe,

> However it is documented in the case file, that I consulted with 
> Marcus about the concrete process, more than once. 

This looks strange to me, since usually Marcus and me are close related and Marcus will discuss all essential matters with me.

> Anyway, in theory, it is not relevant that the Arbitrator knows how
> Support works in this case, 

You very well said "in theory". But practise is quite different. You can only give sensible orders to Support, if you know what Support people can see and do, what they need to look up and need to do and how things have to be done to work properly. 

A striking example: In your mail to board, you complained about me:

> Also it is clear that he did some other activities without the required 
> authorisation, recently, as well, like:

> - looking up a members account without either the authorisation from the
> member nor the authorisation from Arbitration

To look up an account, I don't need an explicit authorisation. It is inherent to the work of Support that I must look up the members account in nearly or really all Support cases. In fact I need a justification, but this is done by the member asking Support to do something.

Another point is to do actions. There I need an authorisation, either by an arbitrator, a precedence case, a policy or by the user. And in the last case, if there is any doubt about the wishes of the user, I ask one additional time to be sure.

And don't forget, all Support people have an Arbitrated Background Check, that means they are verified that they are reliable and can handle sensitive data. And as far as I know, no arbitrator has an ABC. So a Support member is certified to handle sensitive data, an arbitrator is not certified. So, strictly speaking, for a Support member there are no restrictions to view sensitive data, for an arbitrator very well.

Just some examples.

For most or all actions I need to know the main email address of the account, which is the name of the account. But many users write with secondary email addresses or email addresses not related to CAcert. So I need to look up the account to verify its main email address.

If a member asks for the code signing flag, I have to look up the account before I can set this flag. And to set the flag, I have to look up in the account if he is an assurer.

If a member asks for a password reset, I have to look up the account to tell her which options are applicable for her and what I would discourage. A little help to the five secret question is often successful, but for that I have to look up the main email address and then look up the answer tries. If someone got assurance points, to create a second account and delete the first one, is no good idea, since the assurance points would be lost. And to
finally reset the password, I have to look up the account anyway.

If a user has problems with adding email addresses or domains or creating and maintaining certificates, I have to look up what email addresses and domains are correctly assigned to the account and which are maybe pending. Then I have to look up valid, expired and revoked certificates to tell him what is matter and what best to do.

If a member wants her account closed, the first step again is to check the main email address, then if she has given assurances and if there are certificates not yet expired or revoked three months ago. 

Or if an assurance shall be revoked, I have to check both or all accounts for their status and ask or inform all related parties.

Even if a member has issues with her name entries, I have to look up her account to look what matters.

I cannot imagine any Support case where it is not required to look up the according accounts.

> as Arbitration is defining how Support has to work regarding the termination of accounts. 

There I have to oppose. This a single arbitrator should not decide but this shall be agreed with all arbitrators, Support people and maybe other parties concerned.

> The CCA asks exactly for this. 

Show me that place.

> I was one who fought to get the termination out of the direct
> hands of the Arbitrators, because I believe that regular cases can be
> handled by Support, quite well. However other insisted that the process
> for this is defined by an Arbitration ruling - and not by Support.

You yourself named cases where Support cannot act by itself but an arbitration decision is required, mainly transferring CAP forms to another reliable person.

> However, as I said, I did involve people who are quite familiar with
> support processes.

You should have told in your first mail that it was Marcus and not hide him by 
"a prominent Support team member"

> It is not under my power how and what Marcus communicates with you, at
> least in normal situations. He went over the text of the process at
> least twice.

You will know that Marcus is usually very busy while I have more time and can check things more thoroughly. So it would have been a good idea to ask me as well. 

> Actually it does not matter if you see the need or not. 

Are you always so high-handed? Regard, I do most practical work, still before Marcus. So it would have been a good idea to tell me you plans in good time and ask me for comments, and not to condescend towards Support in this way.

> Maybe there is a reason why PolG did not want to let 
> Support decide on the process.

What is "PolG"? And what part do you mean?

And regard, CAcert can only work if all people cooperate well and truthfully and not work against each other. And more, no one has unlimited power. There has to be a balance of power among the different parts of CAcert, not only legislation, jurisdiction and executive. 

You clearly seem to seize too much power you really don't have.

>> If a member asks to delete her account, she clearly shows that she 
>> does not want to use her account any more.

> That may or may not be the case. 

True. But therefore I ask back and only if she conforms or the deadline expires, I delete the account. And indeed, I get seldom a confirmation. In most cases the deadline expires. This clearly shows that most people are no longer interested in their accounts. In the over all process there are more than enough opportunities to cancel a delete request, so there is no need to exaggerate there.

> But that does not say that the person does want to give up control 
> over it as long as the person may be responsible for elements inside 
> of that account.

This is a very theoretical view. As told, it is very easy to unblock an account, so I see no real restriction that a member has to asks Support to unblock the account. I cannot remember if that happened at all.

> You need a reason for blocking an account. 

No, just the opposite. In the precedent case a20111128.3 it is mandatory to block an account waiting for deletion. If you want to change that, you have to ask Uli Schroeter that he declares this precedent case invalid. You can extend an existing precedent case by a new precedence case, but you cannot declare an old precedent case invalid without the consent of the original arbitrator. So, not I need an reason for blocking, since this is mandated by that precedent case, but you need a reason to change that.

> That either has to be ... an Arbitration decision. 

Such a decision exists in the precedent case a20111128.3.

> Such an Arbitration decision has to be based on a good reason.

Ask Uli why he decided so.

>> If there are no certificates running, I delete the account immediately 
>> after confirmation or after the deadline is over. Why should I treat an 
>> account with running certificates differently in this regard? The 
>> immediate deletion is replaced by the blocking of the account. And a 
>> blocking is no drastic measure, it can be reversed at any time if needed.

> One reason may be that the member wants to check what the Support-Engineer 
> did and if all certificates were revoked.

Then the member can ask. And if a member cannot trust Support, something is severely wrong anyway.

> As you should know, there WERE people who only decided that they wanted
> to quit just because they felt that they were treated by Support in a
> manner that they lost any trust in them. 

Can you give me an example where such a request came up and the allegation could be affirmed?

> There were more than one of such cases that we had to handle at Arbitration. 

Then tell me those cases.

> But if there is no need for a support activity, it should not be done. 

Uli decided that there is such a need.

>> This is no issue. If there would have been no more certificates running the account would 
>> have been already deleted. I don't see any reason to treat cases differently in this regard 
>> if certificates are still running.
 
> You try to force people to give up the control over their accounts
> without reason in some cases 

This is not me but Uli in his precedent decision.

>> Indeed. They would be deleted anyway. 

> Yes, but this may take some time. Maybe the member wants to get them out
> of the account, earlier. 

Then she can use a domain dispute and email dispute to immediately transfer domains and email addresses from the old account to the new one.

> There may be someone who may need that assurance. Just because the
> person does not have an interest in CAcert themselves, does not mean
> that they would not help someone, if asked.

This is extremely unrealistic and affected. If a member wants her account closed, normally she is no longer interested in CAcert and doesn't care about her account and everything else. And if there are exceptions, there are enough ways do handle them, so you can put away such extreme cases, they lead to nothing. 

>> There are very valid reasons. If a member wants to close her account, 
>> it doesn't make any sense to issue new certificates. This would start a 
>> new waiting period till the account can be closed. Maybe this could never 
>> happen. During the deadline the member can decide if she wants her account 
>> deleted or if she wants to keep using her account. 
>> But if the decision is made, it should be final.
 
And as told, there are enough exceptions and workarounds.

> No. I definitely ruled, that that decision can be changed at any moment
> until the account is closed. 

True. A lock can be released easily. This is more than enough.

> It is in CAcerts interest that people stay,
> so we should not deny them this.

As told, there are more than enough options to keep an account. So there is no reason to create one more place. With such an attitude a faithful cooperation between you and Support is no longer possible. With that you put a spoke in our wheel and that I will not tolerate.

> Yes, but that is no reason for the block.

Uli ordered that and if you want to change this, you have to ask Uli.

> No. I ruled otherwise, as I just wrote, above.

This is very biased and egomaniacal. So I challenge it.

>> True. But if everything can change easily during the process, we will never come to an 
>> end. CAcert has very limited resources, so you should not waste them.

> This check is a mandatory check, anyway. 

True. But this is normally a formality since nothing changes.

> If something is mandatory, there is no waste in resources.

That depends on who declares it mandatory.

> It is unlikely that it will change all the time. 

Why then harp on it? 

> But if that occurs you could hand this over to Arbitration who would find 
> a solution for that case. That is how we solve things in CAcert.

You pretend to move work from arbitration to Support, but here you do the opposite without a real reason.

> Non of them tells me why there is a need for a block.

But Ulis precedent case mandates it.

> I have read it clearly. The consideration about revocation of assurances
> was part of the delete account process right from the beginning. 

I am many years in Support and I cannot remember any case where as part of an account delete case, assurances have been revoked.

> It took a lot of cases until the process was handed over to support 

Who else if not Support deleted those accounts? Of course ordered by arbitration.

> and it took until the last few rulings, until the revocation of given 
> assurances stopped being a part of it. 

As far as I know this has never been the case. I searched all relevant documents and didn't find it anywhere.

> It also was documented like this in the Arbitration area.

I protest against this since not all was allowed for you to decide without explicit agreement.

> Correct. And this was part of Arbitration until this ruling.

No. As I told:

>> I cannot remember any account delete case that was accompanied by revocations of 
>> assurances. 
 
> There was. It is listed in a20141231.1. 

No, this is just the opposite. It was a general remark that normally assurances shall not be revoked during an account delete process. But I asked explicitly for a single arbitration cases where an arbitrator ordered to revoke assurances alongside the deletion of an account. 

That you couldn't show me.

> I went to every delete account
> case of assurer for my last two rulings in this area.

You several times told not to revoke assurances when deleting an account. But I asked for arbitration decisions where there have been an order to revoke assurances alongside the deletion of an account. 

> Check which pages I updated at 2015-04-14 in the Wiki. Everything else
> is unchanged, as far as I know.

You should give me clear information and not riddles and insinuations.

>> Who else can delete an account? Was this done by the critical admins? This would be very 
>> unusual.

> The things done by Support in those cases were only a - relatively minor
> - part of the whole process. 

But nevertheless there should be traces to check. Tell me them.

> The relevant things that were needed to
> check and to think about were a lot more.

But even in this cases there must be an order from arbitration to Suppport to delete an account and to revoke assurances. That I am looking for.

>>>> If any assurances shall be revoked, this requires an explicit and independent order. 
>>>> It is not part of an account delete process.

>>> Correct. 

>> Why did you deny before?

> I did not deny this.

You very well stated that in earlier times it was common to revoke assurances when deleting an account. And this is _NOT_ correct.

> but the change is, that the complete delete account process 
> for assurer is now done by Support without involving Arbitration 
> at all. At least as long as nothing else is special.

From my point of view this is not true. The most common case will be that CAP forms are transferred to a reliable person assigned by an arbitrator. And there an arbitrator is still involved.

>> If it is decided that the account can or shall be closed, can I 
>> terminate the CCA binding for that account at the same time? 
>> Or is a special treatment required?

You applied many words but you didn't answer my question. So again: "If I delete an account, is the binding of CCA for this account always terminated at the same time? Or are there cases where the binding of CCA is terminated earlier or later?

> As the ruling of a20141231.1 states, the status of the CAP forms should
> not be relevant to keep the assurances. 

I didn't ask for CAP forms, I asked for CCA.

> However the assurer would be bound to honour it regardless of the
> membership, as the agreement to do so was done (and documented) during
> the assurance, independently from the decision to be or not to be a
> member.

I do not understand any word.

> The core essence is that the assurances do not have any effect on the
> termination of the CCA. 

Does that mean that the CCA is always terminates at the same time the account is deleted? Then tell it so in clear word and don't hide it in a bunch of other words.

> Please read both case files, if you need more explanation.

Usually they are more obfuscating than helpful.

And some more complaints about me in Boad-Private:

> Regrettably, I had to witness that Werner seriously failed to execute
> the  Arbitration ruling of this case. It was not the first time, that
> rulings were not executed by him exactly,

As I told you in my previous mail, If you give me confusing orders, you cannot expect that I do what you think but I do what you write. 

> - posting information from the account on a public mailing list, 
> also without any authorisation.

You know very well that this was a mistake and I immediately corrected it as far as possible. So it is more than unfair to mention it here,

-- 
Kind Regards
Werner D[...]
CAcert support

A: tries to contact Marcus

A: answers to last mail, explaining reasonings, and policies, giving references

Hello Werner and others,

this will probably be my last answer in this context, as long as no
further process elements or other parts of the ruling of a20141024.1 are
touched. This and only this is the reason has to be the focus of this
mail exchange.

I also do not understand why you
a) added board to this conversation
b) added them without either informing us about this

>> However it is documented in the case file, that I consulted with 
>> Marcus about the concrete process, more than once. 
> 
> This looks strange to me, since usually Marcus and me are close related and Marcus will discuss all essential matters with me.

I doubt that the communication within the Support team is of relevance,
here. As every other team you should organise your communication
yourself, without the help of Arbitration.

Please stop to imply that I lie about speaking with others, especially
without giving a reason. It just is annoying to everybody who has to
read it and probably lets you look silly. To lie about such easy to
check things would be senseless. In this case there even exists a pad
that Marcus, Magu and I used to discuss the process.


I was tempted not to answer most of your mail. But as I ordered a
re-training I fear I should not shy away to answer your questions as
they could be used as part of that training.

>> Anyway, in theory, it is not relevant that the Arbitrator knows how
>> Support works in this case, 
> 
> You very well said "in theory". But practise is quite different. You can only give sensible orders to Support, if you know what Support people can see and do, what they need to look up and need to do and how things have to be done to work properly. 

I definitely know what support can see and do. You can find a lot of
tests done by me in the bug-tracker, only few of them do not involve the
support console.

I also know what one needs to look up and do for delete account cases,
especially for assurance accounts. I did this as Arbitrator.

PolG did entrust Arbitration with this task. They only allow others than
Arbitration to do this, if Arbitration defines what should be done.

If you do not like this, you have to ask PolG for a change of the CCA.
But, I was quite alone in PolG when I asked to allow others than
Arbitration to close accounts. PolG obviously thinks that Arbitration
knows best about what needs to be looked up and done to work properly.

> A striking example: In your mail to board, you complained about me:
> 
>> Also it is clear that he did some other activities without the required 
>> authorisation, recently, as well, like:
> 
>> - looking up a members account without either the authorisation from the
>> member nor the authorisation from Arbitration
> 
> To look up an account, I don't need an explicit authorisation.

Yes, you do. There even is another Arbitration case (a20140815.1)
against you, where the internal Auditor complains that you did something
like this without authorisation. As already said, SP 8.1 tells you
exactly this, quite clearly (see below, again).

> It is inherent to the work of Support that I must look up the members account in nearly or really all Support cases. 

There was no support case. It was a public question. But even if you
need to do so in the majority of cases, you are not allowed to do it,
when it is not needed to answer the support request.

> In fact I need a justification, but this is done by the member asking Support to do something.

Which has to be more than just a question on a public mailing list.

> Another point is to do actions. 

No. It is the same for everything that you do with the support console.
You have no inherent right to do anything, without authorisation.

> And don't forget, all Support people have an Arbitrated Background Check, that means they are verified that they are reliable and can handle sensitive data. And as far as I know, no arbitrator has an ABC. So a Support member is
> certified to handle sensitive data, an arbitrator is not certified. So,
> strictly speaking, for a Support member there are no restrictions to
> view sensitive data, for an arbitrator very well.

The policies (especially the SP) disagree. Anyway it is of no relevance
in this discussion or in regard of the delete account process. Also we
have ABCed Arbitrators and I also went through that process, even as the
case is not ruled, yet and it was found that the ABC process has to be
adjusted. (Btw, as the ABC is done by Arbitration it is a little bit
circular to apply it to Arbitrators, even as I think we should do it.)

> Just some examples.
> 
> For most or all actions I need to know the main email address of the account, which is the name of the account. But many users write with secondary email addresses or email addresses not related to CAcert. So I need to look up the account to verify its main email address.

The SP is quite clear, that you need to verify that you have the
authorisation of the correct user (or an Arbitrator) BEFORE you do anything:

"8.1. Authority

The software interface gives features to Support Engineer. Access to the
special features is under tight control. Additions to the team are
subject to Board approval, and the software features are under CCS. See
§3.4.2.

Support Engineers do not have any inherent authority to take any action,
and they have to get authority on a case-by-case basis. The authority
required in each case must be guided by this policy or the Security
Manual or other clearly applicable document. If the Member's authority
is not in doubt, the Member can give that authority. If not, the
Arbitrator's authority must be sought.

Support Engineers are responsible to follow the policies and practices."

The SM repeats this.

I will not address every single of your examples. If the user request
that support does something to their account, you already have that
authorisation to access their accounts. As long as this is not the case,
there is no authorisation from the user.

Most of your examples are of this kind, but:

> Or if an assurance shall be revoked, I have to check both or all accounts for their status and ask or inform all related parties.

Only if this is part of the process defined by an Arbitrator. Else you
do not have the authorisation to access the accounts of the other parties.

> I cannot imagine any Support case where it is not required to look up the according accounts.

I can. At least on the public support list, there are a lot of questions
that can be answered without looking into any account. I guess that you
are getting such requests, as well.

>> as Arbitration is defining how Support has to work regarding the termination of accounts. 
> 
> There I have to oppose. This a single arbitrator should not decide but this shall be agreed with all arbitrators, Support people and maybe other parties concerned.
> 
>> The CCA asks exactly for this. 
> 
> Show me that place.

As a Support team member you should be informed about the basic elements
of our policies so I am wondering, why you do not know this. Especially
as the previous processes were also defined by an Arbitration ruling
from one Arbitrator.

CCA 3.3 Termination

"The CAcert Community Agreement is terminated

    based on a Policy Group decision following (PoP => COD1). This
terminates the Agreement with every member.
    with a ruling of the Arbitrator or the completion of a termination
process defined by an Arbitrator ruling (DRP => COD7).
    by the end of existence of a member (i.e. death in the case of
individuals).

A member may declare the wish to resign from CAcert at any time by
writing to support AT cacert.org. This triggers a process for
termination of this agreement with the member."

It is "a termination process defined by an Arbitration ruling". A ruling
is always given by one ("the") Arbitrator.

Btw: I did consult a lot of people before I did this ruling. Most of
this was mentioned in the preceding case a20141231.1. There also was a
discussion initiated by me on the Arbitration mailing list.

For completion, beside of that discussion I spoke with 3 other
Arbitrators (including Uli), I spoke with the former and current
Auditor, I spoke with Marcus and if I remember correctly I touched this
issue with Joost, not sure about that. I mentioned this topic on the
software telco, to get the view from "outsiders" of the process, I
discussed it with Dirk who is our president. And even if it is a while
ago I exchanged a lot of mails about the previous process with you,
where you complained about issues with the old process.

While I did not involve everybody in every step, I think I asked enough
people to be able to see what is needed to do a ruling to hand over
tasks to Support that I previously did as an Arbitrator (or was deeply
involved in as an active CM), multiple times.

>> I was one who fought to get the termination out of the direct
>> hands of the Arbitrators, because I believe that regular cases can be
>> handled by Support, quite well. However other insisted that the process
>> for this is defined by an Arbitration ruling - and not by Support.
> 
> You yourself named cases where Support cannot act by itself but an arbitration decision is required, mainly transferring CAP forms to another reliable person.

Yes, sure the AP requires this, but where is your point?

>> However, as I said, I did involve people who are quite familiar with
>> support processes.
> 
> You should have told in your first mail that it was Marcus and not hide him by 
> "a prominent Support team member"

It should not matter with which support team member I spoke.

>> It is not under my power how and what Marcus communicates with you, at
>> least in normal situations. He went over the text of the process at
>> least twice.
> 
> You will know that Marcus is usually very busy while I have more time and can check things more thoroughly. So it would have been a good idea to ask me as well. 

I think Marcus is well informed about everything related to support and
does quite thorough work and research.

The DRP allows me to chose my communication as I think it to be best for
the case. I do not need to have your approval for how I do this.

Anyway I more than once have exchanged mails with you about the previous
account delete process. You did explain your points, quite elaborate. So
I already had your point of view and it was taken into consideration for
that ruling, as well.

For example because of your points I did un-fix the exact wording but
allowed you to write it yourself. And I especially got rid of the
"init"-mail.

>> Maybe there is a reason why PolG did not want to let 
>> Support decide on the process.
> 
> What is "PolG"? And what part do you mean?
> 
> And regard, CAcert can only work if all people cooperate well and truthfully and not work against each other. And more, no one has unlimited power. There has to be a balance of power among the different parts of CAcert, not only legislation, jurisdiction and executive. 
> 
> You clearly seem to seize too much power you really don't have.
> 

>> You need a reason for blocking an account. 
> 
> No, just the opposite. In the precedent case a20111128.3 it is mandatory to block an account waiting for deletion. If you want to change that, you have to ask Uli Schroeter that he declares this precedent case invalid. You can extend an existing precedent case by a new precedence case, but you cannot declare an old precedent case invalid without the consent of the original arbitrator. So, not I need an reason for blocking, since this is mandated by that precedent case, but you need a reason to change that.

Wrong, he did not do so in that case. You can read it, there is nothing
present about blocking an account. Even more, if you look up the support
page for account deletion, you will find, that there is a note that the
blocking of an account has to be clarified with arbitration.

Anyway. I just replaced that precedents ruling with the current one. As
I could not find a reasoning for a general block, anywhere, even while
looking through all delete account cases, I cannot address possible
reasons from such a ruling, as there just no exists. Cases where someone
was assuring themselves with two accounts or assuring others with two
accounts are not general but very special delete account cases. Only in
such a case I could find something that addressed the block.

>> No. I definitely ruled, that that decision can be changed at any moment
>> until the account is closed. 
> 
> True. A lock can be released easily. This is more than enough.

No. If someone changes the mind that they want to stay a member, or at
least want to stay a member for a given time, this is only in our
interest, so there is no reason to deny them this, just because one
Support-Engineer does not like the idea.

>> It is in CAcerts interest that people stay,
>> so we should not deny them this.
> 
> As told, there are more than enough options to keep an account. So there is no reason to create one more place. With such an attitude a faithful cooperation between you and Support is no longer possible. With that you put a spoke in our wheel and that I will not tolerate.

I cannot follow your argumentation, here.

>> Yes, but that is no reason for the block.
> 
> Uli ordered that and if you want to change this, you have to ask Uli.

No.

1. Uli did not order this.
2. I at least touched that topic with him, even if we did not go far.
3. I ruled otherwise after nobody could give me an appropriate reason
for a block.

>> No. I ruled otherwise, as I just wrote, above.
> 
> This is very biased and egomaniacal. So I challenge it.

When I give you a lot of reasons that are in accordance with our
policies, I doubt that this is "egomaniacal". However an argumentation
that is based on "I do not want to have this", may be.

>>> True. But if everything can change easily during the process, we will never come to an 
>>> end. CAcert has very limited resources, so you should not waste them.
> 
>> This check is a mandatory check, anyway. 
> 
> True. But this is normally a formality since nothing changes.
> 
>> If something is mandatory, there is no waste in resources.
> 
> That depends on who declares it mandatory.

Well, no. But actually the Arbitrator declares it to be mandatory. As
the CCA explicitly gives this authority to the Arbitrator it is the
relevant opinion.

Anyway, as far as I understand it, we agree that it is mandatory, so
there is no reason to discuss who of us declares it to be mandatory.

>> I have read it clearly. The consideration about revocation of assurances
>> was part of the delete account process right from the beginning. 
> 
> I am many years in Support and I cannot remember any case where as part of an account delete case, assurances have been revoked.

So maybe this is why we do not rely on the memory of persons, but
archive our decisions, where everybody has access to them.

>> It took a lot of cases until the process was handed over to support 
> 
> Who else if not Support deleted those accounts? Of course ordered by arbitration.

Exactly. The checks were done by Arbitration and the steps to do by
support were defined by Arbitration.

>> and it took until the last few rulings, until the revocation of given 
>> assurances stopped being a part of it. 
> 
> As far as I know this has never been the case. I searched all relevant documents and didn't find it anywhere.

It seems like you did not go to the case that I told you to mention that
case. It is listed like: " a20100907.1 revoked because of no CAPs" in
a20141231.1.

I already did the research. I did document it. I do not think that
I have to go through it once more just because you either do not want to
or are not able to do it yourself. Especially as you probably would not
believe me, anyway.

>> It also was documented like this in the Arbitration area.
> 
> I protest against this since not all was allowed for you to decide without explicit agreement.

Even if I do not understand what you try to tell us with this sentence,
it is not up to you to decide what and how things are presented in the
arbitration area of the wiki. The last discussion on the arbitration ML
ended with Ted telling me that I should change stuff like this.

Btw: The DRO is part of this conversation. He is also involved in this
case and the ruling was coordinated with him, as well. He happens to be
the CM of this case.

>> Correct. And this was part of Arbitration until this ruling.
> 
> No. As I told:
> 
>>> I cannot remember any account delete case that was accompanied by revocations of 
>>> assurances. 
>  
>> There was. It is listed in a20141231.1. 
> 
> No, this is just the opposite. It was a general remark that normally assurances shall not be revoked during an account delete process. But I asked explicitly for a single arbitration cases where an arbitrator ordered to revoke assurances alongside the deletion of an account. 
>
> That you couldn't show me.

As I wrote above it was LISTED in that case and I just gave you the
number of that case.

>> Check which pages I updated at 2015-04-14 in the Wiki. Everything else
>> is unchanged, as far as I know.
> 
> You should give me clear information and not riddles and insinuations.

You wanted to have all changes, I pointed you to a complete set of those
changes. By following my directions you could be sure to actually hit
all changes. There is no other way to do it. If you are not able to
handle the Wiki like this, maybe you should ask the Wiki-Admins for a
training, as I think it is needed to be able to work with the Wiki, for
the job of an SE.

>>> Who else can delete an account? Was this done by the critical admins? This would be very 
>>> unusual.
> 
>> The things done by Support in those cases were only a - relatively minor
>> - part of the whole process. 
> 
> But nevertheless there should be traces to check. Tell me them.
> 
>> The relevant things that were needed to
>> check and to think about were a lot more.
> 
> But even in this cases there must be an order from arbitration to Suppport to delete an account and to revoke assurances. That I am looking for.

I guess they were. But as the current form to document cases was not
done right from the beginning I cannot give you the details. You have to
address the according Arbitrators for that. However I am not sure if
they will answer you without a good reason as they decided to keep those
parts private and not to disclose it in the case file. As this is
allowed by the DRP as long as the rulings are published, this has
to be accepted, in general.

>>>>> If any assurances shall be revoked, this requires an explicit and independent order. 
>>>>> It is not part of an account delete process.
> 
>>>> Correct. 
> 
>>> Why did you deny before?
> 
>> I did not deny this.
> 
> You very well stated that in earlier times it was common to revoke assurances when deleting an account. And this is _NOT_ correct.

No. I stated that it was considered to be needed to revoke assurances if
the CAP forms could not be collected. This was done once. The other
cases where the CAP forms could not be collected were just left open and
unfinished. At least until relatively recently, where Magu and I tested
some other ways. I already did some rulings (and if I remember correctly
Magu or Mario followed one of them, but I did not check this, maybe it
was something else) where the CAP forms were not collected even as the
assurances were not 7 years old.

>> but the change is, that the complete delete account process 
>> for assurer is now done by Support without involving Arbitration 
>> at all. At least as long as nothing else is special.
> 
> From my point of view this is not true. The most common case will be that CAP forms are transferred to a reliable person assigned by an arbitrator. And there an arbitrator is still involved.

No. By experience I can tell you that this is not the most common case.
The cases were the CAP forms were handed over are quite seldom. Here
again, I direct you to the list of related cases at the end of a20141231.1.

>>> If it is decided that the account can or shall be closed, can I 
>>> terminate the CCA binding for that account at the same time? 
>>> Or is a special treatment required?
> 
> You applied many words but you didn't answer my question. So again: "If I delete an account, is the binding of CCA for this account always terminated at the same time? Or are there cases where the binding of CCA is terminated earlier or later?

I already answered this. If you do not understand the answer to that
question, please rephrase your question so that I may be able to answer
it better.

>> As the ruling of a20141231.1 states, the status of the CAP forms should
>> not be relevant to keep the assurances. 
> 
> I didn't ask for CAP forms, I asked for CCA.
> 
>> However the assurer would be bound to honour it regardless of the
>> membership, as the agreement to do so was done (and documented) during
>> the assurance, independently from the decision to be or not to be a
>> member.
> 
> I do not understand any word.

I fear I cannot help you there. There were a lot of simple words which
you normally seem to understand.

But rephrased: An assurer is bound to handle CAP forms correctly not
only because of any CAcert membership, but also because of the statement
given to the assuree during the assurance to do this correctly. This is
independent from the membership and untouched by the termination of the
membership.

>> The core essence is that the assurances do not have any effect on the
>> termination of the CCA. 
> 
> Does that mean that the CCA is always terminates at the same time the account is deleted? Then tell it so in clear word and don't hide it in a bunch of other words.

If there is no other account, yes. That was part of my explanation AND
of the process that I defined. But that was NOT what you asked.

>> Please read both case files, if you need more explanation.
> 
> Usually they are more obfuscating than helpful.

I was told otherwise, by a lot of other people. Actually some of my
cases are actually used by multiple persons to explain core elements
like how to handle CAP forms.

> And some more complaints about me in Boad-Private:
> 
>> Regrettably, I had to witness that Werner seriously failed to execute
>> the  Arbitration ruling of this case. It was not the first time, that
>> rulings were not executed by him exactly,
>
> As I told you in my previous mail, If you give me confusing orders, you cannot expect that I do what you think but I do what you write. 

It cannot see any confusing element. "Even as some steps were already
done by Arbitration, Support should start with step 1." is quite clearly
written.

But you did not do what I wrote. If you would have done, what I had
written you would not have jumped to any assumptions but just would
have followed each step of the process. You did not do so.

Btw: It was not a mail to board-private it was a mail to the support
team. Board was only added because I allowed them to use their authority
at two points: to either allow the access or to deny it after the
re-training was done, even if the Arbitrator thinks otherwise - in both
directions. (Actually by what I wrote they got the final word.)

>> - posting information from the account on a public mailing list, 
>> also without any authorisation.
> 
> You know very well that this was a mistake and I immediately corrected it as far as possible. So it is more than unfair to mention it here,

I am not aware that you corrected it. Else there would be an arbitration
case to ask for the deletion of that mail, or at least to give the ok
for such an deletion, afterwards. As you did in previous cases.

Also I doubt that one can access an account by accident, if you would
not have done this, you never would have been able to post anything,
incorrectly.

But one way or the other, I do think that it is fair to mention
truthfully, what influences my orders. And the fact that you did do
those things without clear authorisation and not only once, was what
threw the balance to convince me, that there was no way around the steps
that I ordered. Sadly, the answers you just gave in this mail, tell me
even more that those steps have to be taken.

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

Support: does not know about "PolG" or termination point in CCA, does not accept CCA 3.3, PolG do not know what they do, Support should look into accounts when people ask questions on public-support-list, the interpretation of the SP that Support needs an authorisation before handling cases is wrong, makes Arbitrator responsible for things the internal Auditor did [stopped thorrow reading there]

Hello Eva Stöwe,

> I also do not understand why you
> a) added board to this conversation

I took over your CC list of this case.

> To lie about such easy to check things would be senseless. 

Tell me exactly what you regard as a lie, else it is you who would be a liar.

> I also know what one needs to look up and do for delete account cases,
> especially for assurance accounts. I did this as Arbitrator.

But obviously you do not have a real idea how Support work is done over all, else you wouldn't have told that to look up account data of the requester and other members would require an explicit authorisation. I indeed need a justification but no explicit authorisation. The authorisation is inherent to Support work, since in all Support cases related to personal conditions (I cannot remember exceptions) to give the correct advise and do the correct action I need to know the account data of the requester and in many cases the data of other members too. Just today I had a case of name change after marriage where one named assurer didn't have assurer status, which I found out looking up the account of the named assurer.

> PolG did entrust Arbitration with this task. 

What policy do you mean with "PolG"? Don't use abbreviations without explanation.

> They only allow others than Arbitration to do this, if Arbitration 
> defines what should be done.

Then this policy needs to be challenged, since it interferes with decent Support work.

> If you do not like this, you have to ask PolG for a change of the CCA.

What part of the CCA do you mean?

Do you mean with "PolG" the policy group? This is no fixed group but a random conglomerate of people which composition always changes.

> But, I was quite alone in PolG 

So it was mainly you yourself who rushed it through.

> when I asked to allow others than Arbitration to close accounts.

It is practise since a long time that nearly all close account cases are handled by Support without involvement of arbitration, only few cases have been transferred to arbitration. What is new are very few cases that shall be handled by Support as well since now.

> PolG obviously thinks that Arbitration knows best about 
> what needs to be looked up and done to work properly.

Then there are no experts in policy group.

>> To look up an account, I don't need an explicit authorisation.

> Yes, you do. 

Then a decent Support work is completely impossible, see above and below.

> There even is another Arbitration case (a20140815.1) against you, where 
> the internal Auditor complains that you did something like this without 
> authorisation. 

Obviously this was triggered by you. But it was never processed, since there is not any meat.

> As already said, SP 8.1 tells you exactly this, quite clearly

Obviously you do not know what is written in SP 8.1. There I read:

>> Support Engineers do not have any inherent authority to take any action

That is what I told. For an action I need an authorisation, but not for a look up. And this is reflected by the Support Console software. For an action I have to enter the ticket number, so it can be traced, for a lookup it is not required.

> you are not allowed to do it, when it is not needed to answer the support request.

As I showed you, in all cases besides general questions it is needed to look up one or more accounts to correctly and decently answer the support request.

>> In fact I need a justification, but this is done by the member asking Support to do something.

> Which has to be more than just a question on a public mailing list.

Even there are may cases where it requires to look up the account to give more than a superficial answer. If I can give her a sufficing answer, I will do. If the member or me would be required to disclose confidential data, I refer her to the private address support@cacert.org.

>> And don't forget, all Support people have an Arbitrated Background 
>> Check. So, strictly speaking, for a Support member there are no 
>> restrictions to view sensitive data, for an arbitrator very well.

> The policies (especially the SP) disagree. 

Show me the place. If you mean 8.1, see above.

> Also we have ABCed Arbitrators 

Indeed, Ted is ABCed as software assessor. That I overlooked.

> and I also went through that process, even as the
> case is not ruled

There must be a reason for it.

> The SP is quite clear, that you need to verify that you have the
> authorisation of the correct user (or an Arbitrator) BEFORE you do
> anything:

Then every decent support work would be impossible. SP is much older than you are in CAcert. You obviously misinterpret SP, see above.

> If the user request that support does something to their account, you 
> already have that authorisation to access their accounts. As long as 
> this is not the case, there is no authorisation from the user.

See the example above with the namer change. To correctly process the request, I had to check two other accounts as well. But from the two assurers I had no explicit authorisation, yet it was requisite and justified to check their accounts.

>> Or if an assurance shall be revoked, I have to check both or all accounts for their status and ask or inform all related parties.
 
> Only if this is part of the process defined by an Arbitrator. Else you
> do not have the authorisation to access the accounts of the other
> parties.

Obviously you do not know the existing precedent cases. Look at https://wiki.cacert.org/Support/Handbook/PrecedentCases/a20100210.2

And it is inherent, if an assurance is revoked, there are always two accounts concerned, the one of the assurer and the one of the assuree. Obviously you do not know how CAcert works.

>> I cannot imagine any Support case where it is not required to look up the according accounts.
 
> I can. At least on the public support list, there are a lot of questions
> that can be answered without looking into any account. I guess that you
> are getting such requests, as well.

You are right. These very general requests do not require to look up an account and there is no justification. But as soon as personal conditions are concerned, a lookup is indicated or required. 

>> This a single arbitrator should not decide but this shall be agreed with all arbitrators, Support people and maybe other parties concerned.

If you deny this, you obviously you do not know what team work is.

> CCA 3.3 Termination

This is not what is asked.

> Btw: I did consult a lot of people before I did this ruling. Most of
> this was mentioned in the preceding case a20141231.1. There also was a
> discussion initiated by me on the Arbitration mailing list.

If you do a single decision, this is okay. But if you change general regulations in essential parts, you should thoroughly coordinate it with all parties involved. That you obviously did not do. To ask some details and to ask some people is not sufficient.

>> You yourself named cases where Support cannot act by itself but an arbitration decision is required, mainly transferring CAP forms to another reliable person.

> Yes, sure the AP requires this, but where is your point?

It doesn't make any sense to transfer a case from arbitration to Support where it is required to transfer the case back to arbitration a minute later. Instead all work arbitration needs to do shall be done before.

> For example because of your points I did un-fix the exact wording but
> allowed you to write it yourself. And I especially got rid of the
> "init"-mail.

I will wait till this matter is settled finally and then I will adapt the standard mails as far as needed. For cases encompassed by a20111128.3 there is no need to change anything besides combining it with other cases. And all other cases are so seldom that a manual processing is sufficient for the time being.

>> No, just the opposite. In the precedent case a20111128.3 it is mandatory 
>> to block an account waiting for deletion. 

> Wrong, he did not do so in that case. 

Of whom are you talking? Of Uli?

> You can read it, there is nothing present about blocking an account. 

In the arbitration case you are true. But regard https://wiki.cacert.org/Support/Handbook/PrecedentCases/a20111128.3 which is essentially determined by Uli though written by Marcus. There the blocking is required.

> Even more, if you look up the support page for account deletion, you will find, that there is a note that the
> blocking of an account has to be clarified with arbitration.

Of what version are you talking? There have a lot in the past. At least in https://wiki.cacert.org/Support/Handbook/PrecedentCases/a20111128.3 I cannot find it and in some older versions neither.

> Anyway. I just replaced that precedents ruling with the current one. 

I am not sure if you are entitled to do this change.

>> A lock can be released easily. This is more than enough.

> No. If someone changes the mind that they want to stay a member, or at
> least want to stay a member for a given time, this is only in our
> interest, so there is no reason to deny them this, just because one
> Support-Engineer does not like the idea.

I cannot see your problem. There is not any denial. If a member requests the block released, this is done. Period. So a block is no real hindrance. But it is a safeguard against malicious changes of the account while no one really cares about it.

> 1. Uli did not order this.

Ask him.

>> I am many years in Support and I cannot remember any case where as part of an account delete case, assurances have been revoked.

> So maybe this is why we do not rely on the memory of persons, but
> archive our decisions, where everybody has access to them.

I asked you to show me such decisions but you didn't show me any. So I assume there is none.

>> Who else if not Support deleted those accounts? Of course ordered by arbitration.
 
> The checks were done by Arbitration and the steps to do by
> support were defined by Arbitration.

I didn't ask who ordered them but who executed them. If it would have been Support I should know.

> It seems like you did not go to the case that I told you to mention that
> case. It is listed like: " a20100907.1 revoked because of no CAPs" in
> a20141231.1.

In a20141231.1 this was not mentioned explicitly but only referred in "Related Cases". And at the time case a20100907.1 was running, I was not active as SE. That case is very bizarre, so I regard it not as a decent example. Besides that, the assurances given were revoked long after the first partial anonymisation and the final anonymisation is still pending. So this is just the opposite of an example where assurances were revoked alongside an account deletion.

> As I wrote above it was LISTED in that case 

It was not pointed out but buried at an inconsiderable place.

> I stated that it was considered to be needed to revoke 
> assurances if the CAP forms could not be collected. 

This could make sense. But those cases are very rare. You stated that it was common to revoke assurances while deleting an account. And this is definitively not true.

>> You applied many words but you didn't answer my question. 
>> So again: "If I delete an account, is the binding of CCA for this 
>> account always terminated at the same time? Or are there cases 
>> where the binding of CCA is terminated earlier or later?

> I already answered this. 

No. At least not in a clear and obvious way. You told a lot but not what I asked.

> If you do not understand the answer to that question, please 
> rephrase your question so that I may be able to answer it better.

This I did above but you still didn't answer it here. This I regard as maliciousness.

> An assurer is bound to handle CAP forms correctly not only because of 
> any CAcert membership, but also because of the statement given to the 
> assuree during the assurance to do this correctly. 

This looks too general to me to create a sufficient legal obligation.

> This is independent from the membership and untouched by the 
> termination of the membership.

I doubt that you can rely on that.

>> Does that mean that the CCA is always terminates at the same time 
>> the account is deleted? Then tell it so in clear word and don't 
>> hide it in a bunch of other words.

> If there is no other account, yes. 

At lest that.

> That was part of my explanation AND of the process that I defined. 

It was not in a way I could understand and I am sure I am not the only one. You should not use legalese.

> But that was NOT what you asked.

It was exactly what I asked. I should know.

> It cannot see any confusing element. "Even as some steps were already
> done by Arbitration, Support should start with step 1." is quite clearly
> written.

Nearly but not quite. As I told, other parts of your mail do not match to that. Before all, it would not make any sense if I would have to transfer the case immediately back to you. So it was obvious to me that the steps arbitration usually does, are done. If I start from the beginning, it is clear that I have to ask what happens with the CAP forms. And even with the new rules, arbitration would be involved in most cases. But if the case is already at arbitration and then Support is ordered to close the account, I can rely this is settled. Else it would create a ping-pong, as I wrote before.

> But you did not do what I wrote. 

I did my best to follow it.

> If you would have done, what I had written you would not have jumped to any assumptions but just would
> have followed each step of the process. You did not do so.

See above.

>> You know very well that this was a mistake and I immediately corrected it as far as possible. So it is more than unfair to mention it here,

> I am not aware that you corrected it. 

Then you should better inform you.

> Else there would be an arbitration case

This has been, initiated by me myself.

> to ask for the deletion of that mail, 

I immediately cared for the deletion of that mail. So this was not needed.

> or at least to give the ok

This was done.

> And the fact that you did do those things without clear authorisation 
> and not only once, 

The opposite is true. You have shown at several times that you do not know what actions are standard and perfectly okay and what requires a special authorisation. I remember a case, I am not sure if it was you or Benedikt, where I asked something from the critical admins and was accused to have done something illegal without the required authorisation, where Wytze clearly showed that everything was in best order.

-- 
Kind Regards
Werner D[...]
CAcert support

A: complains before board about new dispute, because it interferes with a running case

Hello board,

I just got the information about a dispute filed by the vice president
to counter the order I gave in a20141024.1.

As the order was given as a safety reason to ensure that termination to
the CCA is done correctly, I cannot accept any interference or delay,
here. There is no right to interfere in a running case, even not by board.

So please execute the order.

I do not mind, that it is checked, later.

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

President: acknowledgs that there was a lot of work preceding this ruling; the ruling has to be executed correctly, please see CCA; it was not done here; there were a lot further activities by the SE with comparable issues, so a re-training of was quite overdue, especially when this person handles most support cases and the acting support-tl was asked ot do it informally multiple times; the focus of the order from 2015-04-19 is the re-training, not the block, which also can be removed by board according to the order, if necessary; Arbitration is needed to check that support acts according to policies; Audit will nail us down if we allow people to continue to act against policies; an Arbitrato has to give according orders to fix issues, nobody should be excluded from this because of being extremly active; an Arbitrator mostly has reasons; if in doubt one should ask and talk first, "don't place the next Arbitration case again by showing that CAcert (furthermore CAcert board member in this case) does not accept a ruling done by Arbitration"

Hello,

Welcome to a new episode of your series "Thank you for wasting my time"
... this time in the main role: "Juergen B[...]" ...

What happened before?

There were policys created ... there were rulings given ... there were
privacy-issues ... and escalations ...

In this epsiode you'll now see the fight between support, arbitration
and board ... please enjoy the todays episode ...

> I also do not understand why you
> a) added board to this conversation
> b) added them without either informing us about this

Well ... since I did not get the email by Juergen i can only answer to
Evas email ... ;-(

>> This looks strange to me, since usually Marcus and me are close related and Marcus will discuss all essential matters with me.
> I doubt that the communication within the Support team is of relevance,
> here. As every other team you should organise your communication
> yourself, without the help of Arbitration.

The new (changed) ruling for delete account-cases is a long-running
topic, which was discussed more then one time between several parties at
least on (and since) fosdem. If it is really essential to Support,
Marcus should have discussed this with Werner.

> I was tempted not to answer most of your mail. But as I ordered a
> re-training I fear I should not shy away to answer your questions as
> they could be used as part of that training.

According to the emails, phonecalls AND behaviour i saw by Support even
I asked some time ago, how we can handle this case. The answer FOR me
was "retraining" ... especially in privay issues.

E.g. If somebody asks on a public mailinglist, why there is more than
one certificate, the answer may be public "Because there MAY to be more
certificates in your account. Maybe you created then during the time".

The public answer is NOT to be "I check your account, you have 11
certifcates in it".

You may now tell me, that this was only once. As far as I know there are
some Arbitration-cases with alike issues. And since i follow the public
mailing-list I saw more then one time such a behaviour.

According to the delete account cases there is ruling, which has to be
followed (at least we all accepted the CCA). If anybody is in doubt in
this case please read the CCA again ... Thank you.

As far as i know the latest "Delete Account"-Case was not handled
accordingt to the new "Delete-Account-Cases"-Ruling ... and therefore
the CCA cannot be terminated in this case ... which still bounds the
member (who wants to leave) to the CCA.

Especially for this ruling AND the privacy issues a retraing was ruled
by Arbitration.

You may now notice, that this "hits" the most active support team
member. Correct. And exactly that's why the retraining is necessary as
fast as possible.

Small remark:

(At least I) had more then one discussion with Marcus about a
"more-or-less"-retraining, but either this does not happen or it had no
effect. This could (aehm ... no ... better: should) happen for every
team member regardless of the team itself. Otherwise teamlead cannot
guarantee the proper knowledge of his teammembers.

... and even for me (as a TL for board) I have to talk (=retraining) to
one or more boardmembers about acting and reacting to mails written by
single persons (independing of their job).

Back to the current episode itself:

The target of arbitration in this special case is NOT to knock out the
support member. The goal is a proper retraining.

Since it may take some time to revoke the access rights to OTRS and/or
Support console, it may be that the retraining takes place first. If
then arbitration is slow, still plans to keep the support member
"knocked out" there is explicitely a second way calling board to enable
the full state (OTRS/Support-Access) for the support-member again.
(However: I expect a quick answer from Arbitration as soon as the
retraining is done and documented ... at least faster than a
board-decision ... ;-) ).

(... and board-decision does not mean, that a single boardmember agrees
that the retraining was sufficent).

Some additional words about working together with Arbitration:

The very big plus CAcert has against other projects and even companies
is Arbitration. If there is anything running against policies EVERYBODY
can call Support and Arbitration (in the named cases even the member
with the certificates or the member leaving CAcert) and ask, why support
does not handle according to policies, manuals and rulings.

Furthermore audit will nail us to our policies etc.

Therefore it's not only a possibility for Arbitration to order a
retraining ... it's a MUST for Arbitration to order a retraining if
neccessary: We have to follow the Policies, we have to follow OUR OWN
ruleset ... and WE have to ensure this ... for our members, for us ...
and for audit.

... and ... since nobody should have a special positive or negative
status to or against Arbitration it can't be that violations against our
OWN policies or rulings will not be handled because "Oh ... this is our
most active supporter/valuable team-member/... we need glace gloves to
handle him". There should be no difference if it's a assuree since 2
minutes or CAcert president.

To finish this email:

(Not only in this case) Arbitration has it's reasons to order a
retraining (and to lock the access until the retraining is done).

If in doubt, please TALK together, please ASK ... and don't place the
next Arbitration case again by showing that CAcert (furthermore CAcert
board member in this case) does not accept a ruling done by Arbitration.

Kind regards,

Dirk A[...]

PS: There may by typos etc. in this text. Since I run out of time now i
will not re-read it ...

A: again asks Support team to block access to support-tools for acting supporter and to do the re-training

Dear Support,

I again saw that Werner handled delete account cases.

Please execute the order, below. If you like it or not, it is a current
order of an Arbitrator and it is regarded to be urgent. If it would not
have been urgent it would not have to be handled like this, but the
possible damage that is done by not following this order is too high.
Without the re-training I have heavy reasons to fear that the
termination of the CCA is not done correctly.

Even if the order may be incorrect this only can be reverted by an
appeal according to the DRP (and not by a dispute by a single
board-member).

IF you have questions in regard of the order, you can ask them. I
already tried to contact Marcus since last Thursday about all this and
he was informed about the fact that I saw the need to order the block
and the re-training since Friday (I have a witness for this).

On 19.04.2015 16:22, Eva Stöwe wrote:
[full quote of that mail]

Marcus: provides text proposal for delete account case(s)

Hallo Eva,

ich wollte den Mailtext für einen Mail zum Delete Account nach Precedent 
case a20141024.1 machen.

Der Account zeigt, das alle Zertifikate [a year] abgelaufen sind.

Hier ist der Text für die Mail an den USer:

on the course of deleting your account following the precedent case 
a20141024.1 [1] I found that you gave assurance in the past.
[numbers of some assurances per year].

As assurer you might remember that you need to keep the CAP forms for 
these assurance in a save manner for 7 years and destroy them after that 
time in a secure manner.

So we need to split the actions into 2 parts

1. the assurance from [a year]

Please confirm that you destroyed the CAP form of the assurance of xyz, 
done in xyz on [a date] in a secure manner.
This statement needs to be signed with your CARS statement[2].

2. the assurances of
[some assurances listed]

For these assurances you can decide
a. wether you still want keep the CAP forms in a secure manner until the 
7 years are over. In this case you need to be reachable for CAcert if 
there are any questions about the assurances. After that time you have 
to destroy the CAP forms in a secure manner and give support@cacert.org 
a notice about it.
b. or if you want to hand the CAP forms to an assurer nominate by you or 
by arbitration. In this case the process needs to be handed over to 
arbitration.


I will block your account in the meantime for safety reasons, so nobody 
has access to your account. If you want to have access to it again 
please let me know.


Please answer to this mail until 2015-05-06

[1] http://wiki.cacert.org/Arbitrations/a20141024.1
[2] http://wiki.cacert.org/CARS


---

Ist die Mail in Deinem Sinne formuliert?

-- 
mit freundlichen Gruessen / best regards
Marcus M[...]

Michael: executed support block

Hello Eva,

On 19.04.2015 16:22, Eva Stöwe wrote:
> 1. Please remove the access rights from Werner [...] to
> - the Support console
> - the OTRS
> for the time being.
> 
> This is not meant to be permanent.

I have temporarily disabled the access to OTRS and unset the Admin flag
in the cacert.org admin interface. I sincerely hope that you know what
you're doing.

-- 
Regards,
Michael T[...]

A: thanks for support block, asks for ASAP re-training to remove block again

Hello,

thank you Michael.

I hope one of you now takes your time to do the re-training, as well, so
that those flags can be be re-set, soon (or at least as soon as
possible). As I said, I do not want to have this permanent.

Because of this, please also regard the re-training as urgent.

On 21.04.2015 22:29, Michael T[...] wrote:
[full quote of that mail]

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

A: addresses text proposal

Hallo Marcus,

(Ich habe mal wieder CM und Arb-Archive in CC genommen.)

danke für den Textvorschlag. Aber drei Teile entsprechen nicht dem Ruling:

> For these assurances you can decide
> a. wether you still want keep the CAP forms in a secure manner until the
> 7 years are over. In this case you need to be reachable for CAcert if
> there are any questions about the assurances. After that time you have
> to destroy the CAP forms in a secure manner and give support@cacert.org
> a notice about it.

Der Member muss NICHT erreichbar bleiben. (Begründung folgte der
Argumentation in a20141231.1 - außerdem gibt es schon vorausgehende
Entscheidungen in anderen Del-Ass-Acc-Cases die das ebenfalls nicht
verlangt haben.)

Was hier rein kann, ist eine Erklärung, dass es dann sein kann, dass wir
die Assurances revoken müssen, so sie von irgendwem hinterfragt/in Frage
gestellt werden.

> b. or if you want to hand the CAP forms to an assurer nominate by you or
> by arbitration. In this case the process needs to be handed over to
> arbitration.

Der Assurer kann nicht von dem Member "nominated" werden. Allerdings
kann der Assurer gerne Arbitration einen Vorschlag machen.

Auch wenn ich es liebend gern so hätte, wie Du es da schreibst, so steht
dem leider die AP entgegen, die eine konkrete Arbitration order
verlangt, wenn die CAP-Forms anderen zu Gesicht kommen.

Ich fände es gut, wenn hier noch etwas dazu käme, dass wir es bevorzugen
würden, wenn er sich zur Übergabe der CAP forms entscheidet.

> I will block your account in the meantime for safety reasons, so nobody
> has access to your account. If you want to have access to it again
> please let me know.

Bitte formuliere es so um, dass es klar wird, dass der Account nur mit
der Zustimmung (bzw. wenn der jenige nicht widerspricht) geblockt wird.
Z.B. etwas in der Richtung "If you do not tell us that you want to keep
your account open, until we finally can close your it, I will block your
account. By this nobody will have access to your account by normal
means, this will release you from your obligations in this regard. (kann
sicher besser formuliert werden) If you want to gain access to it again
later, please let me know, as this step is optional and meant to be in
your interest."

Allerdings macht der Teil denke ich relativ wenig Sinn, wenn der Account
ansonsten gleich geschlossen werden kann. Was ja der Fall wäre, wenn er
sagt, dass er weiter selbst auf die CAP forms aufpassen möchte. Aber für
den Fall, dass er die CAP-Forms abgeben möchte, macht das natürlich Sinn.

Bitte bedenkt, grade wenn es sich um Assurer handelt und man sie fragt,
wie, in wie weit sie irgendwas zu "allen" CAP forms garantieren können,
sollte man ihnen die Möglichkeit geben, genau dafür nochmal in den
Account zu schauen. Den schließlich fordern wir sie auf, dazu eine
konkrete Aussage zu machen. Es ist verständlich, wenn sie das selbst
checken möchten und sich da nicht auf das, was ein Supporter
zusammenfast allein verlassen wollen. (Nicht, weil man denen nicht
traut, sondern um eine gesicherte Aussage zu machen.) Es kann ja sein,
dass man z.B. die Ortsangaben einsehen möchte, um sich an bestimmte
Assurances zu erinnern.

Btw: Wenn ihr denkt, dass die Assurances in der Mail aufgelistet werden
sollen, überlasse ich das Euch. ABER bedenkt bitte, dass das
a) schnell sehr viele sein können, so dass im Zweifel spätere Dinge in
der Mail aufgrund der Länge der Liste nicht gelesen werden (vielleicht
würde da auch eine Umstellung helfen).
b) es sich höchst wahrscheinlich um eine unverschlüsselte Mail handelt
und wir in der AP zusagen, dass wir derartige Daten nicht herausgeben.

> Ist die Mail in Deinem Sinne formuliert?

Siehe meine Anmerkungen. Ansonsten: War schön kurz und freundlich /
persönlich gehalten, das gefällt mir.

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

A: missed to check some points for text-proposa, should not answer mails in the middle of the night

Hallo,

ich sollte mitten in der Nacht keine Mails beantworten...

Wenn ich das richtig sehe, fehlen in dem Mailvorschlag noch einzelne
Punkte, die im Prozess vorgesehen sind. Ich werde mir das heute Abend
nochmal anschauen.

On 22.04.2015 03:29, Eva Stöwe wrote:
[full quote of that mail]
-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

A: learned from reliable source (not support) that there may be an issue with support being able to act if the SE is blocked because of un-availability of another SE for some time; some proposals how the block could be adjust to address the issue, if re-training could not successfully be finished, previousy; request to support to tell which sulution would be prefered; also: it seems that support is planning to do a way more for the re-training than asked in the order;

Hello,

maybe you will be surprised with parts of this mail, so you may want to
actually read it!

a) General
today I learned from a reliable source who is not involved in this case
so far, that most of the fuss that was started after my order for a
re-training from Werner was because of Marcus being not able to do
support work for a short period of time in the near future so that there
would be no active supporter for that time as long as Werner is blocked.

It would have been good to have been told about this, because then I
could have either done an adjusted version of the order or I could have
done something differently. You will find some suggestions how to adapt
to that situation, below.

But I have to ask why Marcus did not tell me about that issue when I
informed him that I was considering to give such a ruling. And why he
did not answer any of my calls prior and after my order, when he had
time to do Support work and to speak to other people. He also could have
written just a small note (he had time to write a text-proposal for the
new process).

I have an ear-witness to the talk that we had who can give a CARS about
the call that I had with Marcus. I have a person who can give a CARS
that I was trying to contact Marcus to coordinate the order with him to
prevent possible issues like this. I think a CARS from the President
should be trustworthy enough. If not we have quite other issues.

So: If someone is to blame that the order was given like this and not in
a version so that Support would not be short-handed, it is Marcus and
not me.

b) prefered solution
First: I do not know exactly when Marcus will not be available. But I
would prefer if the re-training could be done before this, so that there
would be no issue.

c) alternatives for if support could not be done at all during that
period of time without Werner being able to help:

1. a person who is not a member of the Support team could step in for
that time. This could be
- Dirk (volunteer) who already has an ABC for Support work or
- a person from triage.
As long as those persons would only answer general questions OR do easy
and good documented processes and the cases would be slightly monitored
by a support team member this could be done.

This would be comparable to a solution that the Auditor suggested for
the Software area and that was agreed to be installed even for critical
cases as long as an Arbitrator would control this (and there is some
real need). So I do not see an issue why this should not be applicable
in the support area, as well.

"Critical" cases that have no real urgency (this would probably include
delete account cases) probably could wait until either Marcus would be
back or Werner would have finished the training.

2. Werner could get back the access to the OTRS, so that he could answer
questions that would not require the access of accounts. He also could
prepare some other tasks.

Alternatively this could be done by a triage member as far as they do
not do this, anyway for that time.

In both cases another/a support team member should check some of those
cases afterwards to check that cases were probably done correctly.

3. Werner may even get back access to the support console, as long as he
would not do any delete account cases and other cases where questions
regarding support authority could arise. The rest of support would have
to ENSURE that he would stick completely to any process. While this is
required from any support engineer according to SP 8.1 and 8.2, anyway
it would be the task of the other support team members to check this,
somehow. (I would need a proposal how this could be done in a sensible
manner, to be able to agree to this alternative.)

All this would only be needed for the time until the training would be
finished. At lsenioreast if neither the Support team lead nor Board
declare that they think the block should continue afterwards.

d) Training
I have been told, that Support is trying to organise people to prepare
some privacy-training for Werner. While I appreciate the idea of such a
training, I have to state, that this is not part of what I have ordered.
I think the training I ordered would require a lot less to prepare and do.

I ordered a training about the following topics:
- required authorisations to do something as a Support Engineer starting
with the SP
- how to handle delete account cases with special respect to the ruling
in a20141024.1
- how to handle Arbitration rulings, especially if some points are
unexpected or unclear.


So only
- some policy-related documents (probably CCA, SP, SM, DRP, AP) about
the authorisation of a general member or a support team member would
have to be spoken through and verified that he understand and agrees to
them. As any support team member should know those policies, anyway,
this should be easy to do.
- The process of a20141024.1 should be gone through. As this is
comparable to the previous process in a lot of points, this probably
would also take not a long time.

When this is done the last point probably would already be covered. If
not it probably would not take long.

As far as I see it, this probably could be done within one evening
without preparation by any other support team member.

I doubt that the documentation of this would take extremely long,
either, especially if the training is done with some tools like a chat
or a pad which would document the training, directly.

If support would not have time for this, it could also be done by
somebody else, like Benedikt or Ian or other persons who are at general
familiar with those topics.


If YOU think that this would need a lot more time, than the need for a
re-training probably is a lot greater than I thought. (Again Dirk can
confirm that I was estimating it like this the whole time. Also I stated
in the order that I thought that it would hopefully only take some days.)


You also could combine it with a privacy or any other more complete
training based on the following incidents handled by the Auditor, if you
think that is appropriate:
https://wiki.cacert.org/Audit/Incidents/i20150219.1
https://wiki.cacert.org/Audit/Incidents/i20140814.1
https://wiki.cacert.org/Audit/Incidents/i20140628.1
https://wiki.cacert.org/Audit/Incidents/i20140625.1
https://wiki.cacert.org/Audit/Incidents/i20140325.1

If you think that it is needed I gave board and the support team lead
freedom to ask for such as well. But they are not part of the order. I
would prefer that such trainings would be done later, after access was
given back, as long as the requested training went well.

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

A: repeats request to support to inform about possible issues with the support block; wonders if there actually is an issue

Hello Support,

please answer this mail.

If there is a pressing issue for the capacity to act for Support, as
long as Werner is blocked, I would assume that it is in your interest to
get this point adjusted. Such adjustments may need some time to get
organised, so if there is an urgent need, it should be addressed ASAP.

As I did not get an answer within two days, I start to wonder, if there
actually is no issue in this direction.

Also: It would be good to get a short feedback about the status
regarding the re-training. Was there some activity? What is your
estimate how long this may take?

Support: reports about re-training with partial documentation

Dear all,

today I did the required traing with Werner.

According to paragraph d we talked about the following topics:
- required authorisations to do something as a Support Engineer starting
with the SP
- how to handle delete account cases with special respect to the ruling
in a20141024.1
- how to handle Arbitration rulings, especially if some points are
unexpected or unclear.

We took about an hour to discuss the topics. We discussed the matter of 
authorisation as well as the matter of how to hanle precedent rulings 
and how tohandle unclear parts of a ruling.


At the end I ask Werner to write down the thing to do if answering an 
requst for support. Attached you find his result which will be moved to 
support handbook next week so we have a guideline for the future.

Best regards

Marcus M[...]

-------- Weitergeleitete Nachricht --------
Betreff:     Look up of a CAcert account
Datum:     Sun, 26 Apr 2015 20:06:28 +0200
Von:     Werner D[...]
An:     Marcus M[...]



Hello Marcus,

subsequent to our talk regarding data protection in CAcert some
considerations about the handling of accounts.

For any action of Support regarding an account or other assets of a
CAcert member, an explicit authorisation is required. This can be by a
policy or other official rule, by a single decision of an arbitrator, by
a precedent decision or by the request of the member concerned.

For the look up of account data by Support there is no explicit
authorisation required, this is inherent to the assignment of a Support
member. Yet in any case a valid reason for a look up, a justification,
is required. Such a justification is usually a Support request by a
member. Aside from very general questions, most requests from members
require the knowledge of their account data to give them a decent answer
or do the right action.

In many cases this will concern not only the account of the requesters
themselves but as well the accounts of other members too. If I revoke an
assurance, not only the assurer is concerned but the assuree as well. So
I have to look up both accounts to see what consequences the revocation
has and to verify the assurance number, the name, email address, the
date and location of both members.

Or if I shall change the name of a member (e.g. after marriage) I need
the confirmation of two assurers that the name change was official. If I
want to writer to the named persons, I have to look up their accounts to
verify their names and email addresses and to check if they are really
assurers at present.

For all this a single Support request by a member is sufficient for a
justification, but required as well.

For a request going to support@cacert.org everything is documented well
through the OTRS. Though we try to make our web interface as fool proof
as possible, there arrive many requests from members or prospective
members at cacert-support@lists.cacert.org, which go beyond a general
question and which would be better addressed to support@cacert.org. And
there is the question of how to handle those requests.

If it can be sufficiently handled with general advices without knowing
account details, the case can be handled completely in
cacert-support@lists.cacert.org.

On the other side, if sensitive data of the member and her account are
mandatory to give her the correct answer, or if even actions by Support
are required, it is indispensable to transfer the request to
support@cacert.org.

Yet there are several cases where no personal data in the narrower sense
are concerned, at least there is no need to ask or reveal them, so
generally they could be handled publicly in
cacert-support@lists.cacert.org. But if would I look up the account data
of this member, I could give her a better answer. That is, I would not
disclose any personal or otherwise sensitive data, of course. But I
could base my answer on an enhanced knowledge. Would such a look up be
warranted and appropriate?

Generally I would say yes, but there are voices that deny this. So, to
be on the safe side, it would be better not to do such lookups, and if
it seems appropriate, to transfer the request to support@cacert.org. In
this way there is no one that could draw conclusions from the answers
and there is no way to inadvertently disclose maybe sensitive data and
to discuss which data could be sensitive.

Therefore in the future I will strictly go this way.

Kind regards, Werner D[...]

[quote of mail from A at 23.04.2015]

-- 
mit freundlichen Gruessen / best regards
Marcus M[...]

A: thanks support for approach, but some points are neither not sufficient or not sufficently documented; repeats request to answer last mail; asks board members to indicate if re-training would probably be accepted by board

Hello,

thank you for this approach.

I see that there was some progress, which is great.

But the documentation does not show me, that the relevant elements were
learned. For two out of three points there was just a general statement
that they were touched but not how and nothing to indicate, if the
lesson was learned.


Board may come to another conclusion and grant back the access, now. But
from my point of view I am not convinced, that the training was done
successfully.

@board: It would be helpful, if some board-members would give a
statement, here, so that we can get an idea if it is likely that board
would be satisfied with the training AND would want to grand back the
access (for board those are two different decisions, while I do not deny
the access when either board or me is satisfied with the training).

It would be good to get that answer within days. ;-)


@support: as I cannot ask for giving Werner access back, directly,
please answer the questions from my last mail.


About the answers:

Even for the access of an account there is an authorisation required.
This will be naturally there for the account of a member when that
member is asking for something that can only be answered by looking at
the account of the member.

This is also not a problem if rulings from an Arbitrator are precisely
followed. Regardless if it is a single or a general (precedents) ruling.
Then there is the authority given by Arbitration. Same goes for
something in our policy documents.

But if there is not such authorisation - and in theory you have to be
able to state the authorisation for every step you do - than the request
from one member does  not lead to support being allowed to access the
account of another member. A member request itself only gives authority
to access their own account. For everything else there has to be another
source of authority.

Because SP8.1:
" The software interface gives features to Support Engineer. Access to
the special features is under tight control.[...]

Support Engineers do not have any inherent authority to take any action,
and they have to get authority on a case-by-case basis. [...]"

The following statements from Werner are thereby wrong:
"For the look up of account data by Support there is no explicit
authorisation required, this is inherent to the assignment of a Support
member. Yet in any case a valid reason for a look up, a justification,
is required. Such a justification is usually a Support request by a
member. [...]"

"In many cases this will concern not only the account of the requesters
themselves but as well the accounts of other members too. If I revoke an
assurance, not only the assurer is concerned but the assuree as well. So
I have to look up both accounts to see what consequences the revocation
has and to verify the assurance number, the name, email address, the
date and location of both members."

The first of those may be somehow acceptable if there would not have
been the second one (and a comparable third one).It looks like he seems
to believe that only a reason has to be there to look at an account. But
this is not the thing that the SP tells us. The SP requires for every
step that is done with the Support-Console to have a case-by-case
authorisation.

While this sounds academical, it actually makes a difference regarding
the account of other members than the one who has done the request. As
said before. The authorisation to access those have to be gained by
other means (like a process defined by Arbitration).

I appreciate that Werner declares that he will not access accounts based
on a request on cacert-support@lists.cacert.org, anymore. I will also
place a note in a20140712.1 and a20140815.1, so that the Arbitrator of
those cases can take it into account, as it may be related. (I just
assume, that that statement was signed and by this a CARS, if not,
please correct me.)

But regrettably, as far as I understand it, the documentation of the
part regarding cacert-support@lists.cacert.org implies, that the
authorisation for looking-up accounts is currently not internalised. The
change of the mail-address does not help to change the requirement for
the authorisation to access accounts.

So far for the first point of the training. I cannot evaluate the
success for the other two points, as I already stated above.

[quote of Marcus mail from 2015-04-26]

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

(a board member): informs A that at least two board members will consult on this topic within next 48h

Liebe Eva

Aus Datenschutzgründen kann ich dir nur andeutungsweise sagen, dass der
Präsident und der Sekretär sich im Zeitraum der kommenden 48 Stunden an
einem nicht genauer bezeichneten Ort zu einer Besprechung treffen. Es ist
daher anzunehmen, dass seitens des Vorstandes oder seiner Mitglieder kurz
darauf eine offizielle Antwort verlauten wird.

Freundliche Grüsse
Etienne

On Mon, 27 Apr 2015 22:35:28 +0200, Eva Stöwe 
wrote:

> @board: It would be helpful, if some board-members would give a
> statement, here, so that we can get an idea if it is likely that board
> would be satisfied with the training AND would want to grand back the
> access (for board those are two different decisions, while I do not deny
> the access when either board or me is satisfied with the training).
> 
> It would be good to get that answer within days. ;-)

A: thanks the board member for that approach

Hallo Etienne,

danke für die Nachricht. Wobei ihr beide alleine ja auch nichts
entscheiden könnt. Im Endeffekt könnt ihr nur sehen, wie Board wohl
NICHT entscheiden wird. ;-)

Nichts desto trotz halte ich es für sinnvoll, dass ihr das mal direkt
und im Gespräch angeht und begrüße den Ansatz sehr.

Mehr werde ich aber hier nicht kommentieren, da zumindest die hier
anstehenden Board-Entscheidungen [oder die Entscheidung nicht zu
entscheiden] unabhängig von meiner Entscheidung sein sollte. (Was nicht
heißt, dass man nicht aus ähnlichen Gründen zu dem gleichen Ergebnis
kommen kann.) Und auch nicht bedeutet, dass ich bei eventuellen Fragen
nicht zur Verfügung stehen würde.

Schönen Abend,
Eva

A: relayed board members information ot rest of board and support

Hello,

> @board: It would be helpful, if some board-members would give a
> statement, here, [...]

I was informed today by a board-member that there will be a discussion
between some board-members within the next 48h, probably on this topic.
So it looks like the status quo will have to be kept - at least until
support either presents another training, or answers my questions about
possible issues with support availability and how those could/may be fixed.

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

A: additional answers to mail proposal

Hallo,

es tut mir leid, dass ich nicht früher dazu gekommen bin, mir das hier
nochmal genauer anzuschauen, aber auch ich bin nur eine Volunteer mit
begrenzter Zeit.

Anyway. Mir scheinen die folgenden Punkte in der Mail, neben den
Punkten, die ich angemerkt ebenfalls zu fehlen:
- information when delete request was received
- request to respond if the deletion of the account is not the wish of
the user, with the information that else the account will be closed
- short explanation of the delete process
- information that some risks, liabilities and obligations for the time
of the membership, may continue even when the membership has ended
- statement that the user may change any of the above decisions until
the account is deleted

Auf die CAP forms war ich ja schon eingegangen.

A: follow-up ruling to C, CM

Dear Bruno,

as the Arbitrator of the CAcert arbitration case a20141024.1 - terminate
assurer account Bruno I hereby give the following follow-up ruling:

As the CAcert Community Agreement was not correctly terminated by the
execution of the original ruling that I gave in this case I hereby
terminate the Agreement with the claimant of the case. The termination
date will be 2015-04-16, as the claimant was told it to be in a previous
mail from support.

Cologne, 20150-05-03

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

A: remainder to Support to inform about further re-trainings, if there is no respons regarding how to solve staff-shortage, there is probably no issue in this regard; question to board if they want to address the re-training, as they could let it pass as well

Dear Support, dear board,

I did not get a response from either of you for over a week.

Some activity of you implied that there were some urgency involved to
get those points sorted out.

@Support: Please give a short answer about your plans regarding further
re-training. As I did not get an answer for about two weeks that there
could be an issue with the performance of support (or anything else!)
based on my order, it has to be assumed that there is no such issue.

@board-members: at the not-board-meeting from Sunday I was informed
informally that we will hear from you Monday morning, latest. As your
positions may be quite relevant for Support I ask you to help us with
your answer, soon.

It would be good if we could get back to normal business, soon.

On 27.04.2015 22:35, Eva Stöwe wrote:
[quote of that mail]

President: board does not regard the re-training as successfull, other parts are missing or not documented, with detailes to some points; suggests telefon conference between president, A and the trainer

Hello,

Sorry for the delay of forwarding this email ...

I wrote this answer some days ago to board-private for discussion and
got no negative answers back in the last around 10 days. therefore
please see this as a consens of board.

(due to forwardin this email ">" marks my text, ">>" or ">>>" quotes
the text i received)

Kind regards,

Dirk A[...]
CAcert president

On 30.04.2015 15:35, Dirk A[...] wrote:
>> For any action of Support regarding an account or other assets of
>> a
>>> CAcert member, an explicit authorisation is required. This can
>>> be by a policy or other official rule, by a single decision of
>>> an arbitrator, by a precedent decision or by the request of the
>>> member concerned.
>>>
>>> For the look up of account data by Support there is no
>>> explicit authorisation required, this is inherent to the
>>> assignment of a Support member. Yet in any case a valid reason
>>> for a look up, a justification, is required. Such a
>>> justification is usually a Support request by a member. Aside
>>> from very general questions, most requests from members require
>>> the knowledge of their account data to give them a decent
>>> answer or do the right action.
> These two blocks are not consistent. In the first block an
> explicit authorisation is required, in the second block Werner
> wrote that this authorisation is automatically granted by the
> members question.
>
> In my eyes Support members do not have a
> "per-default-authorisation" for this, the user/arbitrator/...
> (according to SP) has to give the authorisation.
>
>>> In many cases this will concern not only the account of the
>>> requesters themselves but as well the accounts of other members
>>> too. If I revoke an assurance, not only the assurer is
>>> concerned but the assuree as well. So I have to look up both
>>> accounts to see what consequences the revocation has and to
>>> verify the assurance number, the name, email address, the date
>>> and location of both members.
> Wrong (in my eyes) ...
>
> If a assurance is to be revoked there is a precedent case (within
> around 24 hours) or an arbitrator has to take care (and grant
> permission).
>
> Revoking an assurance does not authorize Support to check the
> assurees account (data).
>
> Within the support console you can see all data of an assurance in
> one account (it's only once in the database). There is no need to
> check it from Assurees site.
>
>>> Or if I shall change the name of a member (e.g. after marriage)
>>> I need the confirmation of two assurers that the name change
>>> was official. If I want to writer to the named persons, I have
>>> to look up their accounts to verify their names and email
>>> addresses and to check if they are really assurers at present.
> Wrong (in my eyes) ...
>
> Since the assurance took place before (and was entered to the
> system), the data is from the time the assurer was an assurer. If
> he is still an assurer, is another case (and may be clarified by
> arbitration).
>
>>> Yet there are several cases where no personal data in the
>>> narrower sense are concerned, at least there is no need to ask
>>> or reveal them, so generally they could be handled publicly in
>>> cacert-support@lists.cacert.org. But if would I look up the
>>> account data of this member, I could give her a better answer.
>>>
> Correct ... but in this case the member can confirm (out of a
> public mailinglist by mailing to support@c.o) the authorisation to
> access the account data ... which prevents answering using private
> data on the mailinglist.
>
> Two other items I cannot see in Werners answer:
>
> Handling of precedent cases and/or rulings (especially if there
> are questions): If something is not clear, you should ask the
> arbitrator of the case for further explanations before handling it
> in the wrong way).
>
> Handling of delete-account cases. This process has to be clear so
> the termination is rock-solid. If the termination of CCA is not
> handled in the correct way it may be impossible to contact the
> member in case of an audit-incident.
>
> Since the last item seems to be complex it may be handled in a
> Telco with the arbitrator of this case to answer all questions
> within a short timeframe).
>
> Kind regards,
>
> Dirk A[...]

A: forwards answer from board to Support and explicitely to Support-TL, trainer and trainee, and CM: asks board to correct the interpretation if it is wrong: "not happy with the result of the re-training and currently does not plan to give back the access based on it"; asks support to outline the further training which should be soon (also in the interest of support)

Hello,

@ Werner:
please find the answer from board as a full quote at the end of this
mail, as it looks like you were not part of the recipients of their
answer, for whatever reason. But as it is feedback to your text, I think
you should be informed about it, as well.

@ board:
As far as I understand your feedback it seems that currently board is
not happy with the result of the re-training and currently does not plan
to give back the access based on it. If I interpret this wrong, please
say so.

@ Support:
It looks like another re-training is required or at least a better
documentation of the first approach, which is convincing to either board
or me.

Please outline when you plan to do this. And IF there is an issue on
your side in this context you should state it, as well. I have asked you
about both multiple times, now. I am not sure about you, but I want to
have the topic finished ASAP so that Werner will be able to get back to
work as SE ASAP.

As long as neither the TL nor board declare that they do not want to
give back the access even with a successful re-training it should be in
your interest to finish the training ASAP, as well. I have not seen
anything to indicate that the TL or board want to deny the access if the
re-training is successful.


Also: I do not mind to have a telco as Dirk has suggested.


On 11.05.2015 00:21, Dirk A[...] wrote:
[fullquote of that mail]

President: reminds A and trainer about telco that evening, trainer had warned that he may be late

Hallo,

Mit Marcus hatte ich ja gemailt, mit Eva hatte ich ja gesprochen ...

Ich hoffe, dass wir uns um 21:00 auf unserem Telco-Server (die Nummer
ist ja sicher bekannt, schliesslich habt ihr die gestern ja auch
genutzt ;-) ) mal in Ruhe zum Thema Support-Training unterhalten können.

Wie zuvor auch schon gesagt:

Mir geht es nicht darum, einem von euch beiden Vorschriften machen zu
wollen, sondern einfach darum, dass ein gemeinsames Verständnis da ist
... und demzufolge das Training zügig so abgeschlossen werden kann,
dass Support wieder aktiver arbeiten kann.

Generelle Sachen, die nicht das Training bzw. die Trainingsinhalte
ansich betreffen, sollten bei einem anderen Gespräch u.U. in einer
anderen Runde diskutiert werden.

Machts guat

PS: Ich habe eben eine Nachricht von Marcus bekommen, dass er sich
u.U. verspätet ... in dem Fall können wir auch später beginnen.
Starten wir erst nach ca. 22:00/22:30 wird es mir dann aber zu spät ..

President: reports to board and A, trainer in . CC: report of his tries to organise a conference; summary of events regarding the block of the SE and its removal; summaries that this shows him "that Support does not want to get the SE-block removed"; declares support to be blocking further solutions; regards filing of a20150420.1 "was started to do ARB-bashing" instead of working on a solution

Hello,

Three weeks ago I answered Marcus Email about the training Werner got by
Marcus. In this email I noted my (and boards) objections about this
training.

My Idea was to get Eva and Marcus to a telephone-conference so the
contents of the training etc. will be clear to both sides to speed up
removing the SE-block.

After one week there was no mail from ARB or Support about planning a
telephone conference so I asked Marcus via Email about possible dates
where Eva and I have enough time to talk about it.

The last of these possible dates was last wednesday. I reminded both,
Eva and Marcus, via email around 3 hours before the telco and got a
message back, that Marcus is still busy at a customer. Around 15 minutes
after the start of the telco I called him directly. During this short
call I asked him for a possible date for the telco ... but he told me,
that he will send me a message on the next day.

Up to now (Sunday evening) I did not get a mail from Marcus about a new
possible date.

During the planning of this telco Marcus wanted to add three more
persons to this conference. I answered him back that this telco should
not be for a Support <-> Arbitration bashing: It was planned only to
clarify the contents (and understanding) of the training to remove the
SE block.

To this email i got back no answer from Marcus.

(If you miss emails between me and Eva: I spoke to her directly ...)

My understanding on this case is:

(a)     Something happened: Arb informed support about possibe SE-block (b)
Arb blocked SE (Block should be removed until a training)
(c)     Support complained, a new Arb case was created
        (IMHO it should not be a new Arb case but an appeal)
(d)     First training was done to remove the block
(e)     ARB answered, that the training was not sufficient
(f)     Board answered, that the training was not sufficient
        The idea for a telco for training-contect was given
(g)     I asked both parties about possible dates
(h)     Eva and I were present in the telco, Marcus wasn't
        Remark from my site: Business has higher priority: Accepted
(i)     After 4 days no further mail/date by Marcus for another Telco

If I now try to fill the above table with dates I see, that ARB informed
Support (Eva -> Marcus) about a possible SE-block two days before ruling
the block. Half a week later this ruling was executed.

Some days later the training happened by support, ARB answered within
some hours. Board answered around one week later (with the same result).

Since there there was NO move, NO activity from Support (I don't know if
there were mails between Support and ARB regarding this case during this
time).

This shows me, that Support does not want to get the SE-block removed.

From my site I will not do any activities regarding this case. I offered
to join the telco between Eva and Marcus to avoid any escalations ...
but if support still wants to block I will not offer this again.

Furthermore I think, that the following Arbitration-case (item (c) in
the above list) was started to do ARB-bashing. Up to now I can only see
the title of this arbitration case within the case but not even in the
list of cases or the dispute-text itself.

All in all I'm therefore <irony> a little bit <irony/> upset about
support (at least about Marcus).

Kind regards,

Dirk A[...]
CAcert President

A: forwards two recent mails that the CM had not got to CM; explains delay from about one week; declares/explaines that there is no need to discuss any arbitrator-decision within the arbitration team or with the DRO. There were a lot drastic decisions done by A or other Arbitrators that were not discussed there, either.

(other mails were also forwarded to the CM and archive if they were not already getting them, but without a relevant comment, also previous steps - including the original ruling - were discussed and prepared with the CM)

Dear Magu, dear archive,

as far as I see it, this was the only mail in the context of a20141024.1
which I did not forward to you. I was quite busy and also travelling
around, a lot. A delay for about a week is not much compared to some
other delays.

All other communication was not done via mail - as Dirk mentions in his
mail - was not done via mail. He promised to document the communication
but never did this, beside of this mail. As it was the activity of Dirk
(as president), please contact him if you want to learn about whom he
chose to include and why you were left out. This was outside of my control.

If I find any other mail that could be forwarded to the CM/archive, I
will do so - as I always did before. I probably do this with more care
than some other As and CMs.


Regarding Arbitrator decisions: If you look at the CM-Handbook you will
find that the CM should not be involved in the decision of the
Arbitrator at all. So if I inform you in any way previously to a
decision as the CM, I am already doing more than the CM-Handbook (which
is installed through the SP!) is asking for. Also the DRP puts decisions
in the hands of the Arbitrator alone. The Arbitrator may seek any help
and information but there is no requirement to ask a special group of
people. Especially not the CM and not the DRO. (However as the DRP
allows this, I think I am allowed to discuss decisions even with the CM,
which I try to do.

Also: There were a lot of "hard" or "far going" decisions done by
Arbitrators that were not discussed within the Arbitration team or with
the DRO. There definitely is no requirement to do this.

It is quite suspicious that you start requesting this at this time.
Especially as you never were answering any of my mails that were
addressed to you as the DRO for over a year.


This mail also goes to the president, so that board is informed, if he
regards this to be relevant.


-------- Forwarded Message --------
Subject: Support-Training (was Block of SE)
[quote of that mail]

President: forwards mail from trainer (28.06.) to A - trainer only answered after 5 days, because of computer issues for 3 days, wants to also have support-TL be present - possible dates are in (during the previous software telco) declared vacation of president, the earliest 2 weeks later

Moin Marcus,

Ich habe zur Termin-Abstimmung auch Eva mal mit reingenommen.

On 28.06.2015 18:15, Marcus wrote:
> Hallo Dirk, ich konnte mich nicht früher bei Dir melden, aber seit
> Mittwoch war mein Internet gestört. Seit Freitagnachmittag geht es
> wieder, aber dann war ich unterwegs. Ich möchte das Joost als
> Support Team Leader auf jeden Fall an diesem Gespräch teilnimmt.

Kein Problem ...

> Da ich nächste und übernächste Woche beruflich die ganze Zeit
> unterwegs bin kann ich Dir erst diese Termine anbieten: Fr. 10.
> Juli abends Mo. 13. Juli abends Mi.-Fr 15.-18. Juli abends

Du hast zwar explizit bei der Software-Telco nach meinen
Urlaubsterminen gefragt ... aber ich sehe, dass du die Termine genau
in meinen Urlaub gelegt hast. Ich selbst werde zu diesen Terminen also
nicht dabei sein können.

Da [Freundin von Dirk] und ich in KW30 arbeiten müssen, sind wir erst dann auch
wieder da ... in KW31 habe ich dann wieder Urlaub.

... und aktuell heisst Urlaub wirklich Urlaub (und das teilweise im
Ausland).

machs guat

=== A: this should not wait two more weeks or more, it seems to be a real issue for support, also support (especially trainer) has had enough time to provide a sensible date and to answer the mails and questions from A - both was not done - A orders a conference within that week at a time selectable by support, where 1 support representant, A and one out of 3 board members should be persent, A should be informed about date ASAP - if this does not work there have to be consequences for support team members===

Hallo,

ich habe Joost mit in den Verteiler aufgenommen.

@Joost: Ich habe die Mail von Dirk A[...]ls Arbitrator von a20141024.1
bekommen und antworte hier in dieser Rolle.

Mir ist es relativ egal, wer von Support da ist, allerdings denke ich,
dass dort eine Person ausreichen sollte. Entweder Marcus als Defakto-TL
oder Joost als offizieller TL. Das kann Support gerne selbst organisieren.

Was viel wichtiger ist, ist dass es bei dem Thema endlich weiter geht
und dass daher nötige Gespräche wirklich zeitnah stattfinden. Support
hatte genug Zeit meine wiederholten Fragen zu beantworten. Das ist nicht
geschehen. Wenn dieses Gespräch - an dem Dirk jetzt auch schon etwa
einen Monat arbeitet(!) - nicht zeitnah stattfindet oder sonst wie nicht
funktioniert, dann wird letztendlich auch das Nichtbeantworten von
Arbitration-Mails für Supportmember Konsequenzen haben. Daher lege ich
Support deutlich nahe, dies ernst zu nehmen.

Marcus hat in der letzten Softwaretelco, als er aufgefordert wurde einen
Termin zu nennen, zugestimmt, dass dieser Case derzeit durch Support
aufgehalten wird.

Ein Verschieben des Gespräches für weitere Wochen ist nicht akzeptabel.
Auch wenn mir Support nicht geantwortet hat, so erwecken doch diverse
Dinge den Eindruck, dass derzeit zu wenig Personen im Support aktiv
sind, so dass wichtige Kontrollfunktionen entfallen und einzelne
Support-Member Cases bei denen sie möglicherweise einen Conflict of
Interest haben behandeln.

Derzeit gehe ich davon aus, dass dies aus einem Gefühl der Not und nicht
aus Absicht heraus geschieht. Die logische Konsequenz hieraus ist aber,
dass Support aktiv daran mitarbeitet, diesen Zustand zu beenden.
Unterbleibt dies dauerhaft, müsste potentiell auch diese Annahme in
Frage gestellt werden.

Abgsehen davon, dass es nie geplant war, Werner so lange von seiner
Support-Tätigkeit abzuhalten (solange Board oder TL dies nicht für
geboten sehen), so führt dies zusätzlich dazu, dass hier dringender
Handlungsbedarf besteht.

Support und explizit auch Marcus wurde genug Zeit eingeräumt, einen
Termin der Wahl zu nennen. Dies ist wochenlang unterblieben. Nun nehme
ich mein Recht als Arbitrator nach DRP 2.6 in Anspruch und ordne eine
Telefonkonferenz noch diese Woche an, an dem entweder Joost oder Marcus,
wenn beides nicht möglich ist Michael teilzunehmen hat. Koordiniert
diesen Termin bitte untereinander und möglichst mit Dirk, damit dieser
auch eine Chance hat, dabei zu sein.

Teilnehmer werden sein:
- einer der genannten Support Engineers,
- ich als Arbitrator von a20141024.1
- wenn möglich Dirk - alternativ Etienne auf Boradseite, so Michael
nicht von Supportseite her teilnimmt, als dritte Alternative er von
Boardseite.

Teilt mir den Termin bitte schnellstmöglich mit. "Vernünftige" Zeiten
sind deutlich vorzuziehen, aber ich denke das ist in jedermanns Interesse.

Mir wäre es lieber, keine derart harschen Mails schreiben zu müssen,
aber sanftere Heransgehensweisen haben ja leider nicht zum Erfolg geführt.


@Marcus:
Was die Verzögerung wegen dem Internetausfall anbelangt, so ist doch
ernsthaft zu fragen, warum Du nicht auf anderem Wege in der Lage gewesen
bist, einen Termin durchzugeben, obowohl Du dies versprochen hast. Auch
wenn Dirk nicht allgemein telefonisch erreichbar ist, so hast Du doch
z.B. meine Telefonnummer, die Du, da ich ja ebenfalls beteiligt bin,
sicher hättest wählen können. Ich wäre auch durchaus bereit gewesen,
zufürckzurufen. Außerdem ist Dirk A[...]uf indirektem Weg auch dann zu
erreichen, wenn man selbst grade keinen Rechner zur Verfügung hat, aus
eigener Erfahrung weiß ich, dass Du dazu prinzipiell in der Lage bist.
Dirk hätte Dich dann sicherlich kontaktiert.

A: remainder / question about date of conference - remainder that if this does not work that there have to be consequences for support team members

Hallo,

zu dieser Mail habe ich jetzt auch Michael und Etienne mit hinzu genommen.

@Michael und Etienne: Ich schreibe diese Mail als Arbitrator von
a20141024.1. Manches dürfte sich aus der von mir zitierten Mail ergeben
(bitte lest diese). Ansonsten könnt ihr gerne Marcus, Dirk oder mich
fragen, worum es geht. Ich hoffe aber erstmal, dass ihr nicht benötigt
werdet.

@Marcus, Joost, Dirk: Bisher habe ich keinen Termin genannt bekommen.
Die Woche nähert sich langsam dem Ende und es ist zu vermuten, dass hier
jeder gerne das Wochenende langsam planen würde.

Daher bitte ich Euch mir zeitnah einen konkreten Termin zu nennen, zu
dem das Telefonat stattfinden kann. Ich gebe Euch hier alle Freiheiten
einen möglichst vereinbaren Termin zu finden. Wenn dies nicht möglich
ist, kann ich aber auch gerne einen festsetzen. Das wäre dann vermutlich
am Sonntag Abend, zur üblichen Boardmeeting-Zeit.

Auch wenn ich sowas deutlich vermeiden würde, wiederhole ich mich hier
sicherheitshalber noch einmal deutlich: Findet dieses Gespräch nicht
statt, so wird dies für Support-Member wohl Konsequenzen haben müssen.

Also: Bitte teilt mir schnellstmöglich mit, welchen Termin ihr für das
Gespräch gefunden habt.

A: asks observer of session with Trainer to provide his notes

Dear Benedikt,

you were a witness at the meeting on Sunday between Dirk (as president),
Marcus (as a support team member) and me as the Arbitrator of
a20141024.1). As far as I know you did some notes.

Please be so kind and provide me with your notes, if this is possible. I
am sorry that I have to ask for them.

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

Observer: explains why he could not send the notes so far; asks if next Tuesday would be enough

Arrrr...

I'm sorry, I fogot to copy the data from the scanner the last days and
today they have been deleted. Was a busy week for me.

Is it okay, if I send you the document on Tuesday evening?

Best regards
Benedikt

Am 25.08.2015 um 23:25 schrieb Eva Stöwe:
[full quote of that mail]

A: tells observer that next tuesday would be fine

Dear Benedikt,

sure. Next week would be fine.

But I fear I have to make another decision in that case, "soon". It
would be good to have the notes for this.

Thank you,
Eva

On 28.08.2015 23:57, Benedikt H[...] wrote:

secretary: asks A if she knows about the SE (trainer) who declared to do support work by the re-try of the meeting - board was informed about no activity on support side by a triage member

Liebe Eva
Weisst du mehr?
Lieber Gruss
Etienne

-------- Original Message --------
Subject: Support - Who works at actual Tickets?
Date: Fri, 28 Aug 2015 18:44:37 +0200
From: Stefan T
To: board-private, audit, Joost S[...]

Hello,
i asked Joost 2 times since Monday, who is ticketing at OTRS SE Queue?
I became no answer until yet.
The Triage is in order.
But i am worried about the Tickets that i placed into the the SE Queue.
And there are new Tickets!

Have you spoken with Marcus?
Is he coming back?
The only thing i knew is, he has suspended his duty on Support.
I am on alert about this Situation.

Regards
Stefan

-- 

Mit freundlichen Gruessen / best Regards

Stefan T[...]
CAcert Assurer

A: probably there is nobody working in support; would have reported knowledge to board, if President had not asked to get some time to report to board, prior to A; explains shortly behavior of trainer at the event, that he had declared to stop working for support and that he probably was the last active SE at that time; reminds that there was a proposal to help out if support was short-manned because of block of one supporter; there was an approach to do an ABC to create candidates for support

Hallo,

ich gehe derzeit davon aus, dass niemand daran arbeitet.

Eigentlich wollte ich Euch auch davon berichten, aber Dirk hat mich
inständig gebeten, dass er zuerst davon berichtet, darum steht mein
Bericht noch auf "warten".
A: probably there is nobody working in support; would have reported knowledge to board, if President had not asked to get some time to report to board, prior to A; explains shortly behavior of trainer at the event, that he had declared to stop working for support and that he probably was the last active SE at that time; reminds that there was a proposal to help out if support was short-manned because of block of one supporte
Marcus hat sich bei der Froscon geweigert, ein Gespräch mit mir als
Arbitrator von dem Werner-Case (bei dem es hauptsächlich darum gehen
sollte, das mit dem Training zu besprechen), fortzusetzen, als "der
neutrale Beobachter seiner Wahl" keine Zeit dafür hatte. Nicht, dass ich
sehe, dass so etwas neben Arb und Präsident nötig wäre, oder das
irgendwo in unseren Regeln vorkommt.

Auf meine Warnung hin, dass wenn er nach all dem vorhergegangenem
Nicht-Antworten und Verschieben des Termins er jetzt auch diese
Anordnung zu einem Face-to-Face-Meeting (ist dem Arb explizit in der DRP
erlaubt) verweigert, dass das dann Konsequenzen für seinen Status als
Supporter haben könnte, hat er vorgezogen, das Event vorzeitig zu
verlassen, so dass er weder zu dem Termin den ich wollte, noch zu dem
Termin den er meinte zu wollen, weil er hoffte, dass seine neutrale
Person dann Zeit hätte, da zu sein.

Das hat er mit den Worten getan, dass er ab so fort von sich aus nichts
mehr für Support tut.

Er war bis dahin der letzte aktive Supporter, meines Wissens nach.

Mein Versuch ein ABC über Stefan zu machen, damit er aus Triage
nachrücken kann, wurde durch ein Ruling von Magu so weit verzögert, dass
es da nicht mehr stattfinden konnte. Das Ruling von Magu hört sich
deutlich nach Marcus Stimme an - insbesondere da Marcus und nicht Magu
uns (mir und Dirk) anschließend versucht hat, die Logik des Rulings zu
verstehen.

Ich erachte das Rulig von Magu als unberechtigten Eingriff in die
Autorität von Board Stellen nachbesetzen zu wollen und werde wohl "die
Tage" eine entsprechende Einschränkung / Erläuterung zu Magus Ruling aus
meinem ABC-Case heraus geben (derzeit arbeite ich noch an den Details).

Danach hoffe ich das ABC mit Stefan möglichst zeitnah durchziehen zu
können - wobei ich zum Trainingsstatus von Stefan nichts sagen kann.


Solange sich Support weigert das Thema Training von Werner weiter
anzugehen, ist Support derzeit wohl erstmal "tot.

Wobei ich nochmal darauf hinweisen möchte, dass ich durchaus in meinem
Werner-Block Case etwa 7 verschiedene Varianten angeboten habe, wie man
das Problem "entschärfen" kann, also was für Ausnahmen ich (wie die SP
mir erlaubt) bereit bin zuzulassen. - Allerdings ohne je eine Antwort
von Board ODER Support zu bekommen. - Das Angebot steht aber.

Viele Grüße,
Eva



On 31.08.2015 15:08, Etienne R[...] wrote:
[full quote of above mail]

Observer: send his notes for the meeting

Dear Eva,

Attached the protocol.

BR
Benedikt

notes_of_observer.pdf

A: thanks the observer of the meeting for his help

Dear Benedikt,

thank you for your help.

Greetings,
Eva Stöwe

A: informs board about events on FrOSCon (after a grace time so that board could be informed by the president), the notices of the observer were included (as well as an English transcript) reminds bord of the issue to get the re-training done, informs board about the positions and refusals of the trainer to continue in this case, reminds board that there may be a shortage of the support team to be addressed

Dear board,

regrettably I have to write to you about some issues in the context of
a20141024.1 ("termination of assurer account Bruno" - you would probably
file it under "block of Werner").

Dirk - who was present at the events as president / representative of
board - had asked me to be allowed to report to the rest of board,
before I address you myself as Arbitrator, so I hope that you are
already informed at least about the broad picture.

As far as I know he send you a report of his own (which I am not
familiar with).

This mail consists of the following parts:
0. Background (skip it, if you do not need it)
1. Report of the events at FrOSCon
2. Marcus (short)
3. Werner (short)
4. Issue with support team

0. Background
=============
Here are some words to give you the context of the events that I have to
describe.

The case is originally about the closure of an assurer account. Within
that case a new precedents ruling was given how this can be done by
support, based on CCA 3.3 2.

During the execution of that case Werner made a grave mistake, so that
the CCA was not terminated correctly and had to be terminated by my as
an Arbitrator, afterwards. Also he showed a lot of missing knowledge in
more than one area (especially regarding the CCA).

Because of this I ordered a re-training focussed on these special
points. As this was not the first time that issues with the performance
of Werner in the role as Support Engineer were detected (there were
multiple incidents by Benedict and more than one arbitration case in
this regard), and as another - different - issue with his performance
was witnessed at more or less the same time and as multiple
(non-Arbitration-enforced) promises to retrain Werner given by support
team members, the retraining should have to be done within a few days.
To enforce this, and to prevent further damage, I also ordered to remove
his access to the support console and OTRS until there would be a
successful re-training. (See SP 9.1.7., DRP 3.6.)

Both the block and a re-training were performed within about two weeks.
But the re-training was not documented as requested. The part that was
documented was a) not about the required topics and found to have a lot
of missing or wrong parts by board and me as the Arbitrator. The
re-training of Werner was done by Marcus.

As there was no response or any visible activity from support to re-do a
training, both I and Dirk for board tried to organise a meeting between
Marcus (as the trainer), Dirk (for board) and me. A lot of attempts were
tried to set up a telephone conference. Marcus never really answered my,
if I did not address him before other people at the software telco, but
he never fulfilled the promises he gave there - which was mostly to get
in contact with Dirk to set up another date.

One date for a telephone conference was found, eventually. Dirk A[...]nd me
showed up - Marcus was missing. When Dirk called him he was told, that
Marcus was busy with his job and would not be able to join us. Marcus
promised Dirk to contact him at the next day about another timeslot.

Marcus did not contact Dirk A[...]t the next day but only 5 days later with a
shallow excuse. The dates he proposed were relatively long away and - as
far as I am told - all during the vacation of Dirk (Marcus was informed
about the vacation of Dirk, previously).

Mails from me to set up a meeting probably with another representative
for board, were not answered. Even not when I set deadlines.

Instead of ordering some consequences (which observers of the case
suggested), I decided to do another approach with a personal meeting at
the FrOSCon.


1. Report of the events at FrOSCon
==================================
On Friday evening at FrOSCon I asked Marcus to tell me when he would
have time for about an hour either at that evening or on Saturday after
15:00 (because I was busy before 15:00). He answered that he would tell
me a time at Saturday morning. I did not mention a subject because I
thought that based on the multiple tries to set up a meeting, this would
be clear, when Marcus did not ask for one.

At Saturday we agreed to meet at 17:00.

As Dirk A[...]nd me had a meeting with Benny right before which took more
time than planned (you got a mail about that), the meeting with Marcus
had to start at about 17:30.

Marcus entered with
a) insisting that Benedikt also takes part of the conversation as "a
neutral person of his choice"
b) informed everybody that he only had 10 Minutes, instead of the
originally 30 Minutes left, so that he thought that the conversation
should be cancelled. He said that he just had changed his mind about a
talk that he wanted to join.

I did not like the idea to have someone else present, as this meeting
was about the performance of a person who was not present. To involve
and inform someone else about such topics should be done with great
care. I informed everybody about this and voiced my disagreement
together with the fact that already a board member was there as a third
party to him and the Arbitrator (who has to be neutral, anyway, whatever
that should be in the discussion of a re-training).

As time was short and as I wanted to use at least those 10 Minutes, I
did not want to make a big fuss about the presence of Benedikt and
allowed him to stay and to take notes.

You can find Benedikts notes and a translation to English in the attachment.
(As a side note: Joost was not present at the FrOSCon, but he should
have got at least most of the mails regarding this issue.)

I would summarise the meeting as:
Marcus did refuse to answer any question with the excuse that he would
have to look that up in his notes which he did not have with him.

This includes a question why he did not answer Arbitration for 3 months.
He answered this question that he would have to look this up in his
notes. So he seriously stated that he could not remember any reason for
this but that he noted this for more or less any minute?!?

When the 10 Minutes were over it was decided to continue the meeting at
the next day. Reasons were that Marcus had to look up his notes and that
he claimed to not have time any more on Saturday. (He had time to attend
the social event of the FrOSCon.)

When he was asked if he had any time constrains for Sunday he said that
the only thing would be the re-signing-test-session at about 11:00 and
that he would be blocked for about one and a half hours.

When I addressed him to continue the meeting at about 14:00 on Sunday,
everybody agreed that Marcus had time. But he refused to join a meeting
without Benedikt "as a neutral person of his choice" who was needed at
the second re-signing-test-session which was up to start.

Marcus insisted to have the meeting continued at 16:00 or 17:00 where
either Dirk or me had other plans, because he hoped that Benedikt would
be free at that time.

I declined those dates as both me and Dirk (for board) were required but
Benedikt was not.

After I declined Marcus stated that he had lost any respect of me as an
Arbitrator and because of this does not accept me as an Arbitrator.

He then decided that he would leave instantly so he explicitly would
neither be available then or at 16:00 which he just had proposed as a
time of his choice. He repeated this more than once.

He continued to repeat this after I told him that this may lead to
consequences regarding his support engineer status, as he was just
refusing an Arbitration order.

He answered this by stating that he will volunteeringly would not do any
more support work. After that he left the FrOSCon.

Explanation:
There is no part in the DRP about a "neutral party of the choice of
somebody" (see below). Actually the Arbitrator is neutral per
definitionem (else one is not allowed to pick up a case) DRP 1.5 and 2.2.

While board has to be regarded to have a position, this is definitely on
the side of CAcert Inc. and hopefully on the side of our community and
our polices. As this should be "the side" of anybody within CAcert in
the context of this case this probably has to be regarded as "neutral".

The discussion was not about Marcus, it was about the contents of a
re-training of Werner. So even Marcus should have had a "neutral" position.

By insisting on "a neutral person" Marcus implied that there are sides -
and quite probably / especially that the Arbitrator "was on a side". I
do not have any idea what kind of "sides" that should be, but the one
that DRP 2.6 requires me to be as an Arbitrator: "The Arbitrator also
works to the mission of CAcert, the benefit of all Members , and the
community as a whole."

If he regards this as "a side" that is not his side, this is quite
disturbing.

Also: Without regarding the person of Benedikt. If a side selects a
person, that person quite likely is not neutral, so to insist on a
"neutral person of ones choice" is at least misleading.


DRP 2.2 even states:
* The Arbitrator confirms that parties are representing themselves.
Parties are entitled to be legally represented, but are not encouraged
to do so, bearing in mind the volunteer nature of the organisation and
the size of the dispute. If they do so, they must declare such,
including any changes.
* The Arbitrator may appoint experienced Assurers to assist and
represent parties, especially for NRPs. The Case Manager must not
provide such assistance.

Marcus is not regarded to be a party in that case. But even if he would
be the Arbitrator would be the one who would appoint an assistant. This
part of the DRP is obviously meant to ensure that every party has the
chance to know about our policies. As a RA-auditor (formerly
Co-auditor), Marcus has to be familiar with our processes, so he should
not need such assistance.

On the other hand, DRP 2.6 states:
"[...]
1. [...] The Arbitrator may order CAcert Inc. or Members under
jurisdiction to provide support or information. The Arbitrator may use
email, phone or face-to-face meetings as proceedings.
2. [...]
[...] The Arbitrator may seek any assistance.
[...]"

There was a need for that meeting, as we were not able to get a working
re-training for Werner without it. A lot of things can be clarified
face-2-face and the DRP explicitly allows this.

Later he filed a dispute against me - also based on the above events -
to remove me out of all cases where he is involved, "because he lost
respect" in me. (As he my be involved in any case where a
support-request has to be done, this in theory can be any case!) -
Currently no Arbitrator has moved it out of the OTRS.

Our policies do not allow for something like this. And there are quite
old and quite new rulings about what is required to


Btw: Marcus did not send any further information until 30.8. as he had
promised according to Benedikts notes. He did not send it until, now. A
week later.

2. Marcus
=========
Marcus has clearly failed to respond to an Arbitration order, which is a
big issue for a support team member, who has special access to the
member database.

Also he has declared that he does not want to do any further work for
support. If that is true, his access should be reduced if it is not
needed, any more.

Maybe you should investigate this with some hurry.

3. Werner
=========
We remain in a need to get a re-training for Werner, if he should
continue his work as support engineer. (I only require that re-training
to allow him back.)

It would be good if you (and not only Dirk) would help, to get this done
as soon as possible. In reality this is not a big issue.

4. Support
==========
As we currently have to fear that there is nobody active in the support
team, maybe it is up to take up this part?

Sure, as board is the authority to set up the teams. And I do not want
to interfere there. It is your responsibility to ensure that we have
enough active support team members. But you may only select persons who
have an ABC and who are not part of a team that may not be combined with
support (see SP).

As there is a recent ruling from Magu that maybe forbids more ABCs in
the "near" future, it may be quite hard for you to set up the support
team with fulfilling all requirements. The SP allows Arbitration to make
some exceptions there. Again I am asking if you need that help, at least
regarding the block of Werner.

Shortly after I ordered the block (and before the re-training war
performed) I had the feeling that support would be short-manned without
Werner and proposed a lot of options how this could be addressed (for
example to allow access back to Werner under some conditions, to allow
someone else with the according ABC to help out, to allow someone
without an ABC but with triage-training, ...) [SP 9.1.1. allows
Arbitrators to allow exceptions].

So far, even after at least one reminder, I got neither an answer to
this by board nor by support. Even as support probably is short of
manpower (SP requires 2 active support team members, according to
Benedikt the SM requires even 3).


[I hope I did not forget anything to mention in this mail. As I am
relatively busy at the moment but I think that this should be reach you
"soon" I just send it, as it is.]

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

2 Attachments: Notes of Benedikt as above + Transcript of them to English:

Transcript of Benedikts notes:

Conversation protocol Date 22.08.2015 page 1/1
Present: E. Stöve [sig.], D. Astrath, M. Mäbgel, B. Heintel (protocol)

EV: Topic: block of W. as SE
MM: topic of conversation was not known
DA: all previous dates from MM have not taken place
MM: Demanded J.Stei as partipician of conversation
    accuses EV of wrong quotes
EV: no answers in case + failed to be at an appointment ["geplatzter Termin"]
    Block W. whould only be for a few weeks
    MM blocks the canclation of the block
MM: regards training as finished
EV: Wishes a protocol of the three points of the re-training from W.
MM: promises to finish protocol/documentation until 30.08.2015
EV: Why did the protocollation take 3 months?
DA: This 10 Minutes could have been taken place within the last 3 months
MM: Asks to prepare the topic; proposes to continue conversation Sunday 03.08.2015
EV: accepts

board: requests to solve shortage of support team by adding two persons, one (who does not have an ABC but support experience) with access to the OTRS one (with an ABC but without support experience) with access to the DB via the support console

The clock of Dirks computer seems to be off. The mail was sent after the according part in the board meeting was handled, which was in the late evening of that day.

Hello Eva,

According to our board-meeting we make the following offer to get the
support-issues handled within a reasonable time:

Guillaume has no ABC (as far as i know), but worked in Support a long
time ago (before Werner was starting support).

I do have an ABC initiated by support, but used for software-assessment
only.

Therefore the idea is to let Guillaume do the Mailings and me do the
support-console.

This was agreed by Guillaume, Etienne and me. Other boardmembers were
not online. The official motion will be entered by tomorrow i think.

For "non-standard-cases" (like: delete account) we should both be able
to contact arbitration directly to avoid any issues (= training on the job).

However:

This should be a temporary solution only to avoid the bottleneck in
support. The goal should be to have a working support again.

If Guillaume or I get the missing parts (ABC and/or training) we MAY
stay in support, but this should not be discussed now.

Kind regards,

Dirk A[...]

A: corrects typo in English transcript

Dear all,

while this is only minor, I have to make a correction to my translation
of Benedikts protocol. Near the end there is a date. There is a typo. It
has to be "23.08.2015" - but you probably already saw this by
comparision with the original.

A: follow up ruling II

Dear all,

as the Arbitrator of a20141024.1[1] I hereby come to the following
follow up ruling:

1. Dirk A[...] and Guillaume Romangy should be added temporarily to the
Support Engineer team. Dirk should gain access to the support console.
Guillaume should gain access to the Support OTRS-queues. Both of them
should get any other access necessary for support work. Together they
should help out within the Support team.

2. Both should take special care that the work of support is done
correctly and should especially help each other in this regard. When
establishing necessary channels of communication they should consider
how to secure the privacy of the affected members.

3. Dirk A[...]nd Guillaume are asked to make themselves familiar with the
work of an support engineer. They should undergo each available training
in this regard.

4. Board and any support engineer are asked to consider to initiate an
ABC for Guillaume by filing an according dispute. If such a dispute is
filed, Arbitration should handle it with priority as long as Guillaume
works as temporary Support Engineer.

5. Any support engineer is asked to help the temporary Support Engineers
to enable them to do the work, including any necessary training or
information.

6. Dirk is suspended from active regular Software Assessor work. He may
be active in emergency situations. (Situations where a necessary bug
cannot be installed in an acceptable amount of time, without his review.)

The above points are valid until at least two regular support engineers
are active on a regular basis, or if revoked by the Arbitrator of this
case or a follow up case. This ruling should be reviewed by the
according Arbitrator, when at least one regular support engineer is
found to be active on a regular basis. Any such activity should be
reported to the according Arbitrator. The according Arbitrator should
also consider a review if either Dirk or Guillaume, Support or board ask
for it.

Board is asked to aim to get two regular active Support Engineers
working in the support area. This may include to get the temporary
Support Engineers to be full flagged regular Support Engineers.

Wien, 2015-09-07

The above is necessary because and based on the following:

Security Policy[2] (SP) 9.1.2. first sentence gives the following
requirement: "Each team should have a minimum of two members available
at any time."

Currently this does not seem to be the case for support. At the board
meeting of 2015-09-06 board decided to ask the Arbitrator to get a
temporary replacement added to fulfil the requirements for the team
staffing.

SP 9.1.3. "New team members need:
 * Recommendation by team leader
 * Arbitrated Background Check ("ABC")
 * Authorisation by Board"

There seems to be no candidate who fulfils those requirements. Also at
least two out of the current four support engineers have declared that
they are not available for regular support work for the time being. Also
time has shown that it takes much longer to get Werner through the
requested re-training, than originally assumed by the Arbitrator, so he
probably will not be able to do regular support work for an undefined
amount of time. Approaches to hasten this, remain to be welcomed.

SP 9.1.1 defines the roles and responsibilities at least for the context
of staffing. It includes: "Arbitrator: conducts ABCs. Authorises
exceptions to policy."

As there is no way for board to ensure the minimum of active support
engineers which is required by the SP by people who match the
requirements of the SP, an exception to the SP requirements is required.


[1] https://wiki.cacert.org/Arbitrations/a20141024.1
[2] https://www.cacert.org/policy/SecurityPolicy.html
-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

Vice president: files incident about follow up ruling II

> Dear all,
> 
> as i think this is a violation of your rules, i see it as my duty as
> Vice-President of CAcert Inc., to officially inform our internal Auditor
> aubout this situation.
> He will have to file this incident and mention it in his next
> Audit-Report.
> 
> I have big objections about this ruling, especially as Dirk A[...]nd
> Guillaume dont have enough training and experience in support-work.
> 
> Another big issue for me is, that there was publicy questioned the
> personal integrity of Dirk  a n d  Eva.
> 
> Also Eva should know that there isnt a chance to get Guillaume into an
> ABC-process for a longer time.
> 
> So i hope you all are knowing what you do.
> 
> At least i have to say it clearly again:
> Each individual board member is  p e r s o n a l l y  responsible and  u
> n l i m i t e d liable for EVERYTHING that happens within CAcert.
> Not only within CAcert Inc., but also for events in the CAcert Community
> and also decisions of arbitration.
> The often-mentioned 1.000,- EUR limit does NOT apply for board members.
> 
> best regards
> Juergen
> 
> 
> Am 07.09.2015 um 22:15 schrieb Eva Stöwe:
[full quote of mail to follow-up ruling II]
> 
> -- 
> Juergen B[...]

A: reminds the vice president that the ruling can only challenged via appeal, or by addressing the Arbitrator and explaining the issue, addressing auditor is no option; request could be understood as if VP would not accept two recent rulings (this case and a20150420.1); A does not mind if case is reviewed; a VP should be careful to challenge a board-motion beside of filing a dispute against it; this is serious topic, A is interested in good solutions; orders VP to provide his issues until 2015-09-21, so that the ruling could be reconsidered, if this is not done the assumption stands that there are no such issues

Dear Jürgen, dear all,

your mail came to Arbitration as a new dispute, but I understand it as
an answer to my ruling and a request to the internal Auditor to file an
incident about it. If I am wrong, please state this.

One way or the other: There is a ruling. Actually that ruling is also
based on a passed board motion. As the Vice-President and member of
board you should not act against board motions beside maybe to file a
dispute against them. In that case you would need to have good arguments
to do so. Just "I think this is a violation of your rules" is not
enough. And the fact that you and/or others question the integrity of
the Arbitrator - after there was a ruling that just approved the
integrity of that Arbitrator - is also no such argument.

Actually you are currently indicating that you have issues to accept two
recent Arbitration rulings. The one from PD about the integrity of the
Arbitrator of this case, and the one the last one in this case, here. (I
have included PD to the recipients of this mail, because of this.)

There are already discussions about the severity of not accepting
arbitration rulings. So maybe you should at least do the following:

a) If you have an issue with a ruling, address the Arbitrator of that ruling
b) provide your concrete points why you think there is an issue.

If this does not lead to anything you can also file an appeal but you
have to follow the according process. This also includes to provide
concrete arguments of what was wrong.

To address the auditor is quite likely not leading to anything.
Incidents are not a replacement for disputes. The only way to address a
ruling outside of that case is to file an appeal which is a dispute. If
this was not meant to be an incident but if you are addressing the
normal audit process, you maybe should be a little bit careful to
address the auditor AS the vice president about how he should do his
work and what he should look at.

I do not mind if this case is looked at by the Auditor. He actually even
was present at a recent meeting in the context of this case. Most of
this case was also already reviewed by another Arbitrator.


Anyway: I presented my ruling with multiple policy references. Based on
those I describe why a ruling like the one I did was not only allowed,
but necessary. Sure there could have a lot of other variants and options
that would probably also be an acceptable ruling in that situation. But
if one uses Arbitration authority to install someone in a role, it is
best to keep as close as possible to what the regular authority would
have done. The regular authority (board) informed me about that wish.
You may not agree with this and quite probably you lost the according
voting. But it is neither my job nor the job of audit to question the
decisions of board as long as they are within the boundaries of the
authority of board. Those are board internals.


Anyway, this is a serious topic, so I am interested in good solutions.

So I hereby ask you to provide your issues with the ruling so that I can
reconsider my ruling.

If you do not provide your arguments for your issues until 2015-09-21, I
have to assume that there are none.

Just to avoid further misunderstandings, I add the following quote:
CCA 2.3:
"You are obliged
[...]
4. to assist the Arbitrator by truthfully providing information, or with
any other reasonable request.
[...]"

Kind regards,
Eva Stöwe
CAcert Arbitrator of a20141024.1


On 08.09.2015 20:54, Juergen B[...] wrote:
[full quote of that mail]

VP: mail about ruling was "simple statement that VP has personal objections cause the involved acting persons, that i think it's a violating of our rules, and that i have to inform our internal Auditor about the incident."; it was NOT an appeal; but relevant to audit process; auditor has to file an incident and mention it in his audit-report; "that is all"

Dear all,
Dear Eva,

my mail about this ruling was just a simple statement by me that i have 
personal objections about the ruling cause the involved acting persons, 
that i think it's a violating of our rules, and that i have to inform 
our internal Auditor about the incident.

It was NOT any kind of appeal to the ruling of the Arbitrator neither do 
i think that a filed incident overrules this or any other ruling.
This situation is relevant to the Audit-Process and so i had to inform 
our Auditor about this.
The internal Auditor has to file an incident and name it in his 
audit-report.
Thats all

regards
Juergen

--
Juergen B[...]
CAcert Assurer, CAcert OrganisationAssurer

Am 14.09.2015 um 14:23 schrieb Eva Stöwe:
[full quote of that mail]

A: if VP thinks that there is a need for an incident, arguments are required; addresses role of involved persons; explains decision again; relevant part of mail was if there was a policy violation; a feeling that something is wrong because one does not trust the persons is not enough as a reference; repeats request to provide issues until deadline; agrees that there was something of incident status, ruling and motion were not cause but are meant as a solution; explains situation of support team

Organization: CAcert

Dear Jürgen,

if you think that there is a need for an incident (you write that the
"internal Auditor has to file an incident and name it in his
audit-report"), then there is more required, than "a simple statement",
that you have "personal objections" about the ruling, "cause the
involved acting persons" that you "think it's a violation of our rules".

You may have "personal objections". But if you want them to be regarded
either by Arbitration or by Audit (or by board) you have to name them.
If you do not name them they cannot be considered by anybody and are not
relevant. They may have been enough for your vote on the motion. But the
motion has passed nonetheless.

I do not understand what "cause the involved acting persons" should be
about. We have 3 board members who agreed on a motion in an area that is
the core authority of board according to the SP. As they were not
authorise themselves but as it was just about what kind of answer should
be given to the Arbitrator who than had to make another decision to
authorise anything I do not see a conflict.

Btw: Dirk is currently quite likely the only person who could have been
granted the access to the Support Console by not violating the
requirement of the ABC for that area. And even if he probably has not
done much, Guillaume at least HAS some experience in the support area.
There are probably no other people available in that regard, either. All
this was discussed properly in the according board-meeting. So there
were quite good reasons to name those two persons by board.

The next involved person was the Arbitrator of the case where the block
of one Support Engineer is handled. As the block is covered within that
case it is sensible to cover the substitution within that case. When
that case was reviewed by PD the proposal to do such covering was
already given.

The Arbitrator is the correct person to order what I ruled, according to
the SP. You can find the correct references with the ruling. Nobody else
was allowed to authorise something like this at that time.

The only relevant part of your mail is the question if there was a
violation of our rules.

I am sorry to say that just your feeling that there may have been
something wrong because you do not trust some persons or whatever, is
not enough as a reference.

So please do as you was asked to do:
State what kind of violation you think could have been done by the
ruling. Please name the according policies as precise as possible.

If you do not do this until the named deadline we all (!) have to assume
that there was no such violation, at least not one that you are implying
with your statement that there has to be an incident. And "all" in this
case includes yourself.


Anyway. You are correct, that there was something that can be called an
incident. But the ruling is not the cause of the issue. On the contrary
the ruling is hopefully the solution to the incident.

The incident was that too few (for over 3 months only 1 person, since
the FrOSCon no person) was taking care of support while the SP requires
at least two persons to do this.

Or to phrase it like board: "So we have 4 supporter: 1 busy, 1 silent, 1
disapeared, 1 not re-trained."

Hopefully the ruling will be enough to solve the issue until we have
enough regular SEs again. Beside of the remedy "serve in a role -
support, dispute arbitration" as named in DRP 3.6 Arbitration has done
anything possible that I currently see in that regard.

What is currently needed is to get the re-training of Werner done (if he
should be allowed access again - and if he remains to be a member of
CAcert which, as far as I know, is a requirement for that position and
as far as I could see was questioned from PD and others - and if he is
not blocked completely from that role by a ruling in one of the cases
filed against him by the Auditor), to get Dirk A[...]nd Guillaume trained
and/or to get the ABC done for further candidates, which we have. All of
this requires time and training.

Btw: To solve the issue with the understaffed support team was what Dirk
as President and I as Arbitrator of this case were working on mostly at
the FrOSCon. This was actively hindered by more than one person.


On 14.09.2015 17:24, Juergen B[...] | CAcert.org wrote:
[full quote of that mail]
-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

A: informs board-public and cacert-inc-members list about ruling and situation of support team, as the motion was discussed there and this is of general interest

Dear Werner, dear all,

this also probably answers Stefans question.

In general, I try to prevent to discuss elements of open arbitration cases.

But this was probably so critical, that it makes sense to explain it
here. Our SP requires us to be transparent.

I am answering as the Arbitrator of a20141024.1 who was addressed based
of the motion you addressed (m20150908.1).

The motion already passed was already passed on the board meeting and I
- as the Arbitrator of that case - got an answer by board to act based
on that motion (with some more details). This lead to a ruling in that case.

All this is documented in the according case file at
https://wiki.cacert.org/Arbitrations/a20141024.1



The background for that motion is, that board had to state at that board
meeting about the status of the support team:
"So we have 4 supporter: 1 busy, 1 silent, 1 disapeared, 1 not re-trained."

[with "busy" it is meant "declared to be busy with other things and by
this does not have time for support work"]

This means that at that time it was found that we do not have any active
support engineer at all. This is one of our crucial teams which are
required to have at least two active members by our Security Policy (SP)
9.1.2.

As the need for the re-training for one of the support engineers arose
out of a20141024.1, I as the Arbitrator of that case had proposed to
help out if that order had led to a shortage of the support team by
allowing some exceptions, shortly after the re-training was ordered.
With the current motion board has answered to that proposal.

Afterwards I ruled to allow (with some more details) what board had
requested as an exception to the staffing requirements for that team. As
an Arbitrator, I am not only allowed to do but required to do this,
based on SP 9.1.1 which describes the requirements of the teams (in the
context of staffing):

"Arbitrator: conducts ABCs. Authorises exceptions to policy."

Without that exception there would have been no way for board to fulfil
their requirement:
"Board: authorise new individuals and accesses. Coordinate overall." and
"All: respond to Arbitrator's rulings on changes. Respond to critical
security issues. Observe."

The reason is that currently there does not seem to be an eligible
candidate who fulfils all requirements that board could have chosen
while at the same time they have to restaff that team, as the current
staff is not available. Multiple prior attempts to get the re-training
pushed forward have failed, because of support either not answering or
even refusing to answer both board and Arbitration for over 3 months
(nearly 4).

The current solution is the closest available approach to what the SP
asks us to do:
* two active persons in the team (4 eyes principle)
* only persons with an ABC have access to the data (only Dirk got that
access and he has an ABC that was done for support work)
* team-members are selected by board
* exclusivity of teams not violated

Yes, both are short in training. But as it seems there is nobody who is
up to do that work at the moment AND who has the required training.

There would have been one obvious alternative to this kind of decisions,
as support is a crucial team:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The alternative would have been:
To call for a termination of the services of CAcert.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Arbitration could have allowed only one active team member (actually
that was the case until recently, even if this was not done explicitly).
But as support is our major means of contact, allowing no active support
engineer for more than short period of time, would not work.

Sure, there definitely could have been some other details ruled/decided.
All of them would have lead to comparable decisions as you see here,
someone who does not fulfil all regular requirements would have to be
given access to the support area. (As support was not answering at all
for months, the possible remedy to order the regular support engineers
to do support work as DRP allows cannot regarded to be a sensible
option, either.)

But to not be in breach with core elements of our SP and to be able to
perform day-to-day business there were not many big options left.

So if you Werner write:
> So I regard this plan as a very bad solution.

I agree. But the real alternative would have been even worse. It would
have been critical.



Well, there is another alternative, which was tried to do first by board
and by Arbitration for 3-4 months. But so far it did not lead to
results: Support could finally go through the required re-training in a
way that can be found acceptable by either the Arbitrator or board (or
at best both).

The re-training only has to be about:
- required authorisations to do something as a Support Engineer starting
with the SP
- how to handle delete account cases with special respect to the ruling
in a20141024.1
- how to handle Arbitration rulings, especially if some points are
unexpected or unclear.

I remain to be convinced that something like this should be able to be
done within a few hours.

Afterwards we will have at least one regular support engineer.

This would be a lot easier than anything that was done instead:
 * A dispute (not an appeal) against a20141024.1, where the new
Arbitrator finds that the case was handled fine
 * Prevention of meetings with board and the Arbitrator to coordinate a
new re-training up to a clear refusal of an Arbitration request for such
a meeting.
 * Request that the AGM removes the ruling that a20141024.1 was handled
fine (again not by an appeal)
 * Request for an SGM for the same
 * At least one more dispute (not filed as an appeal) against the
Arbitrator of a20141024.1 regarding that case
 * An incident request against that ruling in a20141024.1 (again not an
appeal)


Shortly after a case to open an Arbitration Background Check (ABC) over
another candidate for support that was filed by the president was picked
up by an Arbitrator and CM, there was a ruling from another case that
currently no ABC is allowed. That ruling probably does not apply to the
the running ABC, but it also leads to a situation that does not make it
easier to re-staff that team. Or other teams that are also in need of
new members.

@ Stefan: So board and Arbitration were active to solve that issue.
Until your recent mail I just assumed that there are now two people who
share the required access. Support was ordered to provide this in the
ruling. This should be clarified as soon as possible.

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe
CAcert Arbitrator of a20141024.1

A: repeats execution request for follow up ruling II to provide ordered access

Dear Michael, and others,

up until yesterday evening I thought that the ruling was already
executed, but this does not seem to be the case.

Michael, please provide the following access based on the follow up
ruling II in a20141024.1[1]:
Dirk A[...]: Support console
Guillaume R[...]: OTRS

And also any other access that is necessary to do support work and can
be added by you (beside of support console and OTRS).

You already should have some mails with more information to this.

@ Dirk & Guillaume: I think you at least need access to some parts in
the Wiki. Please ask Magu or Mario for access, there if Michael cannot
help you.

I also would suggest to address Joost for more information. Maybe also
Stefan can help you, as he is active in the Triage area and seems to be
concerned.


[1] https://wiki.cacert.org/Arbitrations/a20141024.1
-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

Support: confirms execution; access rights were provided

Hi Eva,

On 16.09.2015 18:20, Eva Stöwe wrote:
> Michael, please provide the following access based on the follow up
> ruling II in a20141024.1[1]:
> Dirk A[...]: Support console
> Guillaume R[...]: OTRS

Done. I added Guillaume to the Triage and Support Engineer Role and
switched on the SE flag on the critical system for Dirk. Password and
user name was sent in separate email.

While setting the SE flag for Dirk I made a mistake and clicked the link
of the “Account History”. I tried not to look at the data and closed the
page immediately.

-- 
Have a Good Night,
Michael T[...]

A: thanks support for execution

Hello Michael,

thank you. :)

On 17.09.2015 00:01, Michael T[...] wrote:
> Hi Eva,
> 
> On 16.09.2015 18:20, Eva Stöwe wrote:
>> Michael, please provide the following access based on the follow up
>> ruling II in a20141024.1[1]:
>> Dirk A[...]: Support console
>> Guillaume R[...]: OTRS
> 
> Done. I added Guillaume to the Triage and Support Engineer Role and
> switched on the SE flag on the critical system for Dirk. Password and
> user name was sent in separate email.
> 
> While setting the SE flag for Dirk I made a mistake and clicked the link
> of the “Account History”. I tried not to look at the data and closed the
> page immediately.
> 

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe

A: informs cacert-inc-member-list that access for temporary support team members was confiremd and tickets should be handled, again

Dear Stefan,

as I wrote in my mail at 2015-09-15 under the subject "Re: m20150908.1 -
Temporary solution for support - modified" there was a motion and a
ruling that addressed this issue.

I got a confirmation that the temporary Support Engineers got access at
least to the core elements for support work, yesterday evening. So I
hope that the tickets will be answered at least with an explanation of
the situation, soon.

On 15.09.2015 20:57, Stefan T[...] wrote:
> Dear Board Members, dear Members of CAcert Inc.,
> 
> we are 3 Weeks without Support.
> In the Queue of Support-Engineers are some new Tickets.
> The oldest of this Tickets are dusting for 3 Weeks, now.
> Typical the most are Password-Resets, TTP Requests and Account-Remove
> requests.
> Some of the Members are upset about no answers.
> This Tickets must be handled by experienced Support-Engineers, immediately!
> I repeat my proposition to call Marcus M. to resume his Work. And
> reinsert Werner D. into Support.

Board was presented with multiple alternative temporary solutions for
the support shortage months ago by Arbitration, including to give back
partial or full access to the blocked support engineer, even without the
re-training. This was not the solution board selected.

Contrary to most others, the current board (as well as the auditor) was
involved early and is familiar with the current situation. I believe
they had good reasons for their decision.

> I am frustrated by frustrated Members.

I heartily agree.

Btw: Thank you for keeping up the triage work.

@ some others: I am quite astonished that after a report like this, some
of you only seem to care about "who said what", again - even with new
disputes.

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe



Arbitrations/a20141024.1/statements (last edited 2015-09-23 13:13:00 by EvaStöwe)