Ĩesky | english
Purpose
The Role of Support Engineer Team is to fix support problems |
- Support Engineers are empowered to see stuff that others cannot see
Changing things, and in many cases seeing things, requires authority.
- this page documents the various incoming acts and resultant outgoing acts.
- this page is intended to be the SE team's primary resource.
SET is part of the overall Support Team. This is your page. Other documentation is at:
The "bible" of support: Security Policy #8 Support which is formal and binding policy over you and the Community.
Each Security Policy section has a matching section in the Security Manual: Security Manual #8 Support. This latter section is managed by the Support t/l so it is easy to suggest changes.
This wiki tree has an Index at Support. Keep that up-to-date and friendly, because also Members seeking help will go there.
The Support Engineer should be familiar with these documents.
The Picture
An evolving picture:
triage
|
\|/
| /--<-----<---arbitrators
\ / |\
\ / \
\ / \
SE channel Case Managers
\ /|\
\ |
\ /
\ /
Support Engineer ---> disputes
| /|\ /|\
| | |
/|\ | |
/ | \ | (via support)
/ | \ | |
/ | user feedback |
/ \ | /
meta \ \|/ /
channel \---> help channel
The Resources
There are several resources available to you. See Triage for description of buckets.
Resources
-----sysadms
/
/
Support Engineer <--- resources <---- buckets
\ \
\ \--- online system
\
\--- feedback from member
Languages
en. If a support mail is written in a language unfamiliar to you, it is likely that en can find enough of a sense of it to tell you what to do next.
- Fiddle around to get the best options, then bookmark the link.
Think Twice before leaking privacy info to google. Have a shot at anonymising the message first. Of course, this is unreliable because you might not be able to read it anyway....
- There are lists for some of the communities where you can ask for a quick translator.
Abuse / Security / Systems
Anything like an abuse, security weakness, disclosure, attack should alert the sysadms or the programmers.
If not-information-sensitive, send to the sysadm maillist.
If information-sensitive, look in the list of Systems Administrators' Page for a list of appropriate people, and/or try the "staff" list there.
- Complaints about spam or other abuse apparently from CAcert have to be dealt with quickly because upstream suppliers of bandwidth might act to cut off the services.
- Note there should be an abuse@co email address. This channel should go directly to the sysadms.
- Check whether this is working, and figure out whether it is being handled properly. Abuse@co is the channel that sysadms understand, but it isn't used that often, so it might have been broken in the meantime.
- Tested on Dec 8, 2009: abuse@co mail is working and mail was delivered to support@co.
- Follow it up to make sure the technical team is on the case. Abuses, breaches, etc often get lost because of hand-over problems.
Don't be shy. Seek help and fast. The more eyeballs, the better. You aren't expected to understand what the system is all about ... but you are expected to find someone who does... Consider for serious cases:
- If there is a breach of Security Policy or similar, consider filing a dispute. The Arbitrator may be required to provide dual control or 4-eyes.
- for a serious breach or a security disclosure, alert the Board which currently handles the portfolio of security officer.
Security and systems Incidents are covered by Security Policy #5 Incident Response and by matching section Security Manual #5 Incident Response.
For the big deal, we may find ourselves in a fully-fledged Security Policy #6 Disaster Recovery (matching section Security Manual #6 Disaster Recovery).
- The Security Engineer may very well be the first person to spot the disaster. If you see this, be prepared to start notifying people.
There is no clear or predictable line between crying wolf and being eaten. Start small, but escalate until it becomes clear.
The Resolutions
As SE you can resolve this to a next level resource:
Resolution
short
location
notes
Help Team
help
cacert-support@
to be rebuilt as a forum sometime
Disputes
disputes
cacert-disputes@
good to go
meta-discussion
meta
IRC #se
if it is not privacy-sensitive
Systems administrators
sysadm
cacert-sysadm@
may be able to help, or may not
Sysadms
sysadm
look at the staffing list there for appropriate admin email addresses
CATS
cats
cacert-education@
all CATS related questions, infos
on recovering passwords, see guidelines on recovering passwords (SEs only)
Requests for Information
The general rule is that a Support Engineer needs an authority to hand out any information. In general, see, SP 1.2, DRP 0.1 and in particular SP 8.1:
8.1. Authority
.... Support Engineers do not have any inherent authority to take any action, and they have have to get authority on a case-by-case basis. The authority required in each case must be guided by this policy or the Security Manual or other clearly applicable document. If the Member's authority is not in doubt, the Member can give that authority. If not, the Arbitrator's authority must be sought.
So, any question needs to establish that authority:
- The user can ask for her information. (As long as we know it is the user, see elsewhere...)
- The Arbitrator can ask. (As long as the request is within a duly filed dispute...) The authority is expressed in the Arbitration filing number.
A member can ask about the assurance level (not points) of another member, according to AP: "A Member may check the status of another Member, especially for an assurance process."
- An Assurer can confirm the details presented in an Assurance. But this is done through the Assurance interface.
Beyond that, we don't have much. Here are some specific cases where there is no inherent authority:
- a request from contracted supplier (business partner of some form) cannot be answered by an SE (or other) unless found in one of the above. Hence such a case is referred to Arbitration.
- a request by an "official" or "quasi-official" agency. Similarly, refer to Arbitration.
Security Policy 9.3.2 speaks broadly to this:
9.3.2. Response to external (legal) inquiry
All external inquiries of security import are filed as disputes and placed before the Arbitrator under DRP.
Only the Arbitrator has the authority to deal with external requests and/or create a procedure. Access Engineers, systems administrators, Board members and other key roles do not have the authority to answer legal inquiry. The Arbitrator's ruling may instruct individuals, and becomes your authority to act.
Note that future software revisions (e.g., Birdshack) intend to document the authorities as used, as tokens. For now, we make do with simple substitutes such as the arbitration number.
Communications
In sending email to the member, do this:
- always use your cacert.org email address (not your private one nor support@co).
- always sign the email, so that the member knows it comes from a proper place
for Support/SE/PasswordRecovery check special notes.
- Your mail and the responses should track on to the private SE's channel.
- currently, cacert-support-engineer list.
- By BCCing it, or
- By manually forwarding it.
- Can we use the colours to do statuses? No.
Mailbox Setup
This is no longer actively used but each mail sent to support@cacert.org gets recorded there, so it may be used as fall back if there are problems with OTRS and for searching old mails from the pre-OTRS time
- details:
- username is support
- IMAP only.
- password you have to get from t/l.
See CommunityEmail for most of the details
- a separate sending-STMP-out service needs to configured in your MUA client. This is because the smtp server rejects your existing one as using your individual user name, not 'support'.
- in Tbird, it is Tools/Accounts/ "Outgoing Server (SMTP)" in the list of accounts at left; Add.
username is 'support'; see rest of details at CommunityEmail.
- Turn OFF downloading of mail before you connect.
- The mailbox is already big enough that it will take hours for your client to download and index it locally.
- Also, for security reasons, we don't want all this stuff cached on your machine.