Before: Arbitrator EvaStöwe (A), Respondent: CAcert (R), Claimant: Benedikt H (C), Case: a20141231.1

History Log

Private Part

EOT Private Part

original Dispute

This is a split from a20141011.1. The following could be seen as the dispute for this case.


The case was started from a delete account case for an assurer. Because this is the core situation, where the issue arises, the focus will be on those cases, even if the dispute itself may be considered to be more general. Most of the reasoning would be the same for other situations. However, other situations may have to be checked for an initial doubt about the correctness of the assurances in question.

Already cases with deceased assurer are treated as requested by the dispute: there was no "automatic" reason found to revoke their assurances, even while the CAP forms are not available. (See especially: a20131204.1)

1. Current Practice in Delete Account Cases

The current practice for delete account cases at the moment is:

2. Assessment of the current Practice

The current practice seems to be unfair for both the assurers and the assurees. It also is hurting the CAcert community.

2.a. Assurer side

The assurer

At the same time a non assurer can just write one mail and be finished with CAcert.

The assurer are the backbone of our CA, as the RA is relying on them. They already go through a lot of trouble to help us like this. (They have to get assured themselves, do the CATs, meet people, do proper id-checks, store CAP forms, ...) For all of this they also face the 1000 Euro threat, so this probably feels like a real responsibility and obligation.

Assurer do not agree during the assurance, to send in all CAP forms. They only agree that they store the CAP forms and that IF there is doubt that they send them in.

This actually is a difference. This difference has a price because there are real costs involved. If done properly (and not done by unsecured mail) this price is not trivial. Not everybody can easily pay it.

It is at least not nice (if not unfair) to tell people that our services are free and to ask for their help (assurances) but only tell them later that if they want to leave they either have to pay something (for sending in the CAP forms) or that they have to stay for 7 years - because they have helped us, else they just could go.

To somehow force assurer to stay within CAcert, when they want to leave for whatever reasons, after they already have given so much, has to be considered drastic. Especially when CAcert does not state clearly that assuring someone most likely will lead to costs if one wants to quit within 7 years after the last assurance, while we clearly state that our services are free of costs.

Additionally, we are at least threatening the assurer destroy the results of all the effort they went through to help us by threatening to revoke the assurances, if they do not cooperate and hand over the CAP forms and remain a member without access to an account.

On the other hand, any assurer who just does forget about CAcert instead and asking for their removal are probably equally unavailable but do not have to go through all this trouble. On the cost that we keep their data accessible (as much as it is to begin with).

2.b. Assuree side

The other perspective is those of the assuree. If the assuree did everything correct and the assurance is entered, the assuree should be able to depend on it. The assurees certificates are depending on this.

No assuree can tell if their assurer will leave CAcert soon. Even less is it possible to tell for an assuree if their assurer will hand over the assurances when they leave. Or if the CAP forms are destroyed in a fire at the place of the assurer or whatever makes them unavailable for us. In the end ALL cases where there is a permanent reason for us not being able to gain access to the CAP forms, any more, are the same from the perspective of the assuree. The assuree can neither steer them or even knows about them, or knows if arbitration learns about them, or not.

If one exaggerates the current praxis (and to look at the extremes is helpful to find good solutions) we get to the following situation: Assume that a CAP form for an assurance is destroyed or unavailable for whatever reason. There are two cases now:

  1. the assurer A does the correct thing and tells arbitration about this
  2. the assurer B just does not care to contact arbitration.

The assurer B in case b) probably is less trustworthy and less cooperative than A in a). Nonetheless the assurances from A probably will get revoked, while the ones from B would remain.

Why should the fate of the certificates of an assuree depend on something like this? There are assurees for whom it is not easy to get new assurances, so to expect that they can do so, is not the answer.

This would especially be if it was a TTP (trusted third party) assurance. In this case the TTP-assurer is responsible for the correctness of the assurance, but the identity-verification is done by a trusted third party in the country of the assuree. There are real costs involved to get those assurances done. And just the fact that the assurer is not available any more does not affect how the id-check was done or if this part was correct.

If we now say that those assurances would not need to be revoked but normal assurances would have to be revoked in such a situation, the question should be why an assurance where the assurer did not do the id-check but only did monitor it from a distance and the actual id-check was done by someone who is not an assurer would be more trustworthy so it would not need to revoked, than an assurance done by a trained assurer (maybe even the same assurer).

2.c. Community interests

The interest of the community regarding assurances is, that every one of them is valuable, as they we build our trust in the correctness of the data of the assured members on them.

Interestingly this is independent of the person of the assurer who did the assurance. Regularly everybody only knows THAT there were assurances and also the cumulative assurance points the assuree got. But to evaluate where to place our trust, the person of the assurer is irrelevant. As long as the assurance was done by an assurer.

The important part for the community is to have an assurance that was performed correctly by an assurer. The fact, that an assurance was performed correctly (or not) does not change by a later event, like someone leaving CAcert or CAP forms being destroyed.

We believe that our assurer perform assurances correctly, at least in general. We enforce this by the liability of 1000€ and we teach this on the ATEs and we try to check this with the co-audit system. If somebody detects some problems, this is reported to Arbitration and evaluated, there.

When the assurance done of the leaving member was believed to be correct (and there appears no concrete reason to doubt this when the person is leaving), it is not in the interest of the CAcert community to lose the knowledge, that there was a correctly performed assurance done over the data of the assuree.

This is especially the case, if the assuree drops below 100 AP by a revocation of those assurances, so that no own assurances can be performed by this person until the person went through another assurance. Especially in areas where there are not many assurer, the leaving of one assurer could else lead to CAcert losing at least two or even more assurer and maybe the ability to create new assurer, at all in that area until someone travels there.

So the interest of the CAcert community is clearly to not revoke assurances without reasons that lie in the correctness of the assurance.

3. Reasons for current practice

Such special treatment could be ok even if it can be understood as unfair, if there are good reasons for this practice.

Going through the old cases where this practice was established, there is not much reasoning given, WHY we are doing this, it is mostly argued based on the statement, that if CAP forms are not collected assurances would have to be revoked. But without discussing this.

The discussion with fellow arbitrators did not provide a lot more reasons. It was mostly about the reasons to have CAP forms at all. But this is not under discussion, here.

The main arguments for the current practice seams to be, that if we knowingly "allow" to have assurances without (available) paper documentation that

  1. would be an audit issue or
  2. this would lead to CAP forms not being needed at all.

3.a. Audit

Both, the former and the current internal Auditor see no audit issue, if we do not revoke assurances when later the CAP forms become unavailable. On the contrary, the current Auditor even is the claimant of this case.

As long as there are CAP forms to begin with and as long as assurances are revoked when there is doubt about their correctness that cannot answered by consulting a matching CAP form, their does not seem an audit issue.

Also as delete account cases are documented and by this the knowledge about a known status of the CAP forms in those cases is documented (independent from former assurer data).

3.b. general need for CAP forms

A decision to not revoke assurances when we learn about the unavailability of a CAP form does not lead to CAP forms not being needed at all. On the contrary. We only can allow the continuous existence of the assurances (or to be precise all assurances), just because we have this double layer with the CAP forms.

If there would not be a documentation at all, we never would be able to counter any doubt in any assurance. The general existence of CAP forms leads to us being able to counter someone who just questions the assurances arbitrarily.

So by always creating the documentation of the assurances (CAP forms), we can assume that the assurances are correct and can trust into them until someone does produce concrete doubt for a concrete assurance. The trust in the assurances has only to end and by this the assurance to be revoked, when this doubt cannot be countered with looking up the CAP form (because it is not available or it shows, that there really was something wrong).*

As this is true for all assurances, this also has to be true for the assurances of leaving assurer or other assurances where the CAP form was created but later gets unavailable.

* This is at least true as long as we train, test, co-audit the assurance process and even use the liability of 1000 € and the Arbitration system to enforce this. (From the Arbitration experience it seems that our assurer do take the assurance process quite seriously.)

4. Policy Discussion

The Assurance Policy (AP) states in 4.3. Assurance Points:

The Assurance applies Assurance Points to each Member which measure the increase of confidence in the Statement (above). Assurance Points should not be interpreted for any other purpose.

The termination of an assurer account does not change our confidence in the statement the assurer previously did. We believe in the correctness of the assurance in the same way, as we did before. There is no reason for doubts that anything went wrong, that we believed to be correct, just because someone loses interest in CAcert some time (maybe years) later.

The only thing that changes if an assurer leaves CAcert is that we may not able to contact this person, afterwards.

AP 3. "The Assurer" states that an Assurer is a Member of CAcert. But the obligations mentioned in AP 3.1 does not forbid to leave CAcert, neither does 4.1 "The Assurance Process".

One interpretation could be, that the AP assumes that an Assurer is always a Member of CAcert. But this is not possible - as far as we know all our members will die eventually. So even if all Assurer would stay a members until their death, this can happen at any time after an assurance took place. to give an assurance does sadly not prevent the death of the Assurer within the next 7 years. According to the CAcert Community Agreement (CCA) 3.3 point 3. the membership is terminated by the death of a member.

So the assumption that any Assurer has to be a member for ever, cannot be a final interpretation to base our rulings on.

There are two possible other interpretations

  1. If an assurer leaves CAcert there cannot be an assurance from this assurer, because the assurance process just became incorrect.
  2. An assurer leaving CAcert is anticipated and does not interfere with assurances at all.

Even as 1. seems to be the most accepted interpretation, at the moment - at least when we look at the current delete account process for assurer account. But it again leads to the point that there never could be a valid assurance at all, as every assurer would die, eventually. By this the assurance would become invalid right from the beginning. So there could never be an assurance

So the only interpretation that would work is 2.

Beside of the already mentioned cases of late assurer, there is another practice, that also leads to this interpretation, as there are no CAP forms available:

Currently people mention the 7 years, to keep the CAP forms, at the time where the membership of an assurer may end. But this is just a random number. Nothing is really changed by this. The assurances are considered to be valid afterwards. The accepted reason for this is, that there is no reason to doubt their correctness, just because 7 years have passed.

So if the existence of CAP forms is irrelevant in those cases, then there is no reason why this should be different, earlier. In both cases we assume, that the CAP forms cannot be produced when the assurance is questioned.

Everybody - especially the assuree should be able to trust in given assurances, as long as the assurance process was correct, there is no reason to revoke the assurance.

Given, "7. Safekeeping of the CAcert Assurance Programme (CAP) forms by Assurer" is the last part of the Assurance Process defined in AP 4.1. But there is explicitly no time stated how long the assurances have to be kept by the assurer. So as long as the assurer did follow this, the process is not violated.

Just because someone wants to terminate the membership of CAcert, this does not change if the CAP forms are kept safely, or not. The obligation to keep the CAP forms save, to hand them over to a person dedicated by an Arbitrator or to destroy them safely, remains, independent of the membership of the (former) assurer.

The important point regarding those assurances has to be our trust in the validity of the execution of the process. This and only this is what the AP requires. If there is any doubt assurances should be revoked - if this doubt cannot be countered by showing the CAP form. But there should be no other reason to revoke an assurance (beside maybe an explicit, well-founded request of the parties).

5. Conclusion

As the current process

The process should be altered.


Assurances do not have to be revoked, based only on the fact that the CAP forms are not available for CAcert, as long as there is no reason to doubt that the assurance was performed correctly according to the Assurance Policy.

Because of this, assurances given by an assurer who is leaving CAcert and where it is not possible to collect the according CAP forms by the Arbitrator, should not be revoked, if there is no additional reason to revoke them.

The determining measure to revoke an assurance has to be that there is some concrete and reasonable suspicion that the assurance was not done correctly according to the Assurance Policy and this suspicion cannot be countered by the CAP forms or other evidence.

The assurances of the account closed in a20141011.1 do not have to be revoked.

Frankenthal, 2015-03-30


Delete assurer account from which this case was split:


Delete assurer account Johannes K

Delete assurer accounts cases identified, where the current practice was performed, so that the case could be closedd:


unclear, if CAP forms were collected


CAP forms collected


CAP forms collected


CAP forms collected


CAP forms collected


revoked because of no CAPs


CAP forms collected

Delete assurer account cases identified, that remain open:


handover of CAP forms was ordered but could not be executed


handover of CAP forms was ordered but could not be executed


handover of CAP forms was ordered but could not be executed


handover of CAP forms was ordered but could not be executed


not tried so far


not tried so far


not tried so far


not tried so far


no response


no response


no response


no response

Arbitrations/a20141231.1 (last edited 2015-03-30 21:03:12 by MartinGummi)