TTP Assurer (TTP Admin I)
All you need to know as TTP Assurer (TTP Admin I)
Questions that need to be answered on this page
Open questions
State of TTP Assurer role
{g}
What is the TTP Assurer role?
{+}
How to volunteer as a TTP Assurer?
{+}
What information do I need for practical work as a TTP Assurer?
see TTP Assurer Tasks I and Procedure for TTP-assurers
{g}
Shall the available list of TTP Assurers be announced to TTP users? To TTP Notaries?
{+}
Is there a register needed for TTPs?
{0}
Where to send the CAP forms from TTPs so they can be received by TTP Assurers?
{+}
{0}
Where to direct TTP Users' and TTP Notaries' questions?
{+}
Will there be a TTP Assurer mailing list?
{+}
More questions?
State of TTP Assurer role
Current state as per 2013-01-20:
2 TTP-assisted-assurances can be entered online
The TOPUP program cannot be entered into the online form, so it currently doesn't work
- system implementation to enter TTP assurances into the system
- The deployment of this bug# has to be developed, tested and deployed first before any TTP Assurer can enter TTP-assisted assurances into the system
- The Software-Assessment team is working currently on the Thawte patch. For details read
- CCA Rollout patch is an Audit blocking factor. That needs to be deployed as well. So the question here will be if the TTP patch will be deployed before or after the CCA Rollout patch
- Current plans from Software-Assessment team to handle projects are:
- Thawte Patch
- several Policy and Arbitration related patches (this may include the TTP patches)
- CCA Rollout patch
- but the order may be turned around if the Thawte patch needs much more time to deploy
Patch bug #1023 is a rewrite of the Assure Someone procedure. This patch probably also solves the "old" TTP assurance bug that leaves assurance method fields empty. Patch bug #1023 is currently under testing (see Testers Main Portal). Once this patch is transferred to the critical system, TTP assisted assurances can be entered up to 35 pts max with method "Trusted 3rd Parties" (hey, the selection box on cacert1.it-sls.de also lists TopUP), so 2 TTP assisted assurances can be entered for a user. The TopUP procedure is not yet deployed.
- [2013-01-20]
- The limitation to 2 TTP-assisted-assurances is checked by Support when a TTP-assisted-assurance request is sent in. Support adds the current state/count of TTP-assisted-assurances as a note to the ticket and moves the ticket to the OTRS TTP queue.
TTP assurers must check manually that no more than 2 TTP-assisted-assurances are entered into the online system!
TTP Assurers nomination and removal procedure
Requirements for a TTP Assurer
- TTP-assisted-assurance subpolicy 2.2 The Assurer (aka TTP-admin)
- To employ a TTP in an assurance, the Assurer must be a Senior Assurer
- The Assurer must be familiar with the local language and customs.
Definition of Senior Assurer in Assurance Handbook
- Get an OTRS account and ask for access to the TTP queue
- Subscribe to the TTP mailing list and monitor it
Nomination Procedure
- TTP assisted assurance policy
- TTP assisted assurance policy defines no details on how to nominate and appoint TTP assurers.
- So in practice this process has been started with a nomination procedure similar to the Officers and Critical Roles appointment:
- nomination by the new TTP program deployment team
- seconding by at least one other party from the new TTP program deployment team
- presented before CAcert Inc Board
- appointed by Board
Removal Procedure
According to Arbitration case a20110118.1 the nomination and removal procedure is outlined similar to other officers appointment procedure:
- 2012-04-29 (A): sending notification to (Support t/l), (OAO), (AO) regarding intermediate ruling #3 (Exec Quick Summary #2)
I have to notify you in role as team leader to start any action (if required) that follows the permissions review report
2. reset of flags for admin, ttpadmin, orgadmin to follow similar to nomination procedure
   a. officer makes a proposal of removal
   b. board approves the proposal
   c. officer sends request to support with reference to motion number
   d. support executes the request
   e. document the process on team members list
   f. notification to the team member removed
   g. in cases where non-active team members are listed, file a dispute
Intermediate Ruling #3
- The ruling defines a 3-steps procedure (covers Board and Tverify flags)
- collect current state
- sql update query to be executed by critical team
- notification to members with changed flag state
- For the flags admin=1 (Support-Engineers, Security Policy), ttpadmin=1 (TTP-Assurers, TTP-assisted-assurance subpolicy) and orgadmin=1 (Organisation-Assurers, OAP) there exist procedures by Policy or the related Manual to bring in new team members with all related documentation issues.
- So in consequence the resign procedure shall follow the same procedure as nomination and acceptance procedure
- In cases where an active listed team member shall be removed, following simple procedure shall be executed:
- A request for removal shall be started by the officer in duty
- passed with a board motion over each individual member
to be documented on the related team members page (admin -> Support Team - Support Engineers, ttpadmin -> active TTP-Assurers list, orgadmin -> Organisation Assurers List).
- The action with reference to the board motion to be sent to Support
- and executed by Support.
- The members shall be notified by email to their primary email about the flag removal with reference to the passed motion.
- In cases where members are listed, that aren't on the active members list (may be caused by old CAcert history, accidentally set flags, or other unknown purposes):
- these cases can be handled by a Support-Engineer if an "urgent handling" is required with a following dispute filing (currently I don't see a real "urgent handling" case, but this may occur, one day). In such a case, the arbitrator probably also will check if the "urgent handling" was appropriate
- or by filing a dispute (see a20120330.1)
- Exec Quick Summary
- reset of flags for admin, ttpadmin, orgadmin to follow similar to nomination procedure
- officer makes a proposal of removal
- board approves the proposal
- officer sends request to support with reference to motion number
- support executes the request
- document the process on team members list
- notification to the team member removed
- in cases where non-active team members are listed, file a dispute
Intermediate Ruling #5
- AO and OAO shall start with a reset of the old TTPadmin flags to prepare the new TTP-assisted-assurance program.
Members with TTPadmin flag active (Old TTP program)
- as per 2012-06-26: 4 members, none of the nominated and appointed ones
Members with TTPadmin flag active (New TTP program)
- as per 2012-06-26: none
- first half of the TTP-assisted-assurance program has been activated 2013-01-20
for applying for 2 TTP-assisted-assurances (good for >= 50 Assurance Points)
- The TOPUP program currently cannot be entered into the system, so it is therefore still deferred
- but the missing points (70 to 100 AP's) can be issued by regular Assurance program (regular assurances) on top of 2 TTP-assisted-assurances
TTP-Assurer Nomination Procedure (finalized)
Handled at Board meeting 2013-08-25
1. '''TTP-assisted-assurance program - Nomination procedure'''
 * [[https://lists.cacert.org/wws/arc/cacert-board/2013-08/msg00006.html]]
 * Board shall rethink and decide about one of the following procedures to install:
   a. motion: that new TTP-assurers can be nominated by 2 TTP-assurance team members not limited to AO and OAO but probably accepted by them, placed before and accepted by board (similar to new CAcert Inc membership procedure)
   a. motion: that nominations and approval procedure for new TTP-assurers will be delegated to the TTP-assurance team, to AO and/or OAO, with notification to board that nomination has been accepted.
 * [[AGM/TeamReports/2013#Assurance|TTP-assurance program report]] by AO (WIP under AGM2013 team reports)
transcript from Board meeting 2013-08-25
(23:03:22) WernerDworak: 2.4 TTP-assisted-assurance program - Nomination procedure
(23:04:35) NEOatNHNG: I'm for the first variant, that board approves TTP assurers
(23:05:30) NEOatNHNG: I could also live with a variant where a second team is involved that is not board but having the control fully within the team is not advisable I think
(23:06:03) dirk: @u601: we're at 2.4 now ... ;-)
(23:06:24) WernerDworak: To 2.3, I assume OO and OAO can nominate new TTP assurer without explicit board approval. Only once the board has to agree this procedure
(23:08:28) WernerDworak: More meanings to 2.3
(23:08:51) WernerDworak: 2.4 I meant
(23:09:28) WernerDworak: How will we decide?
(23:17:10) NEOatNHNG: I move that the board approves that the Assurance Officer and Organisation Assurance Officer may appoint TTP Assurers on their own but they have to keep board informed about every appointment and removal
(23:17:48) WernerDworak: second and aye
(23:18:11) NEOatNHNG: aye
(23:18:20) dirk: aye
(23:18:30) WernerDworak: Carried.
- motion carried variant B alike
TTP assurers Nomination Procedure - detailed
- Every 2 may nominate a new TTP assurer
every two means two CAcert members from Organisation team or TTP admin team or a CAcert assurer who helps deploying a new TTP country, so every 2 CAcert Assurers
- Nomination can be sent to Support or to the CAcert TTP Admins team to be forwarded to AO and OAO
- AO + OAO checks requirements given by policy and accepts or rejects nomination
- In case of acceptance:
- AO or OAO sends email to Support with request to add new TTP assurer ...
- to add the TTPadmin flag to the new TTP-assurers account
- to add the new TTP-assurer to the OTRS / issue TTP-assurance queue
requesting an exec report (-> ticket number will become a reference to the nomination and acceptance procedure)
- AO or OAO sends request to email-admins for adding new cacert email address
AO or OAO adds new TTP-assurer to wiki acl group TTPAdminGroup
- AO or OAO adds new TTP-assurer to cacert-ttp-admin mailing list
AO or OAO adds new TTP-assurer to the Active TTP Assurers list
- send email to new TTP-assurer and cacert-board mailing list with information, that nomination by 2 has been accepted by AO + OAO
TTP Assurers (active)
TTP-admin
Motion
m20120325.2 (2012-03-18)
[s20130929.20] (2013-09-29)
m20240201.2 (2024-02-01)
m20240201.2 (2024-02-01)
m20240201.2 (2024-02-01)
m20240201.2 (2024-02-01)
m20240201.2 (2024-02-01)
Internal (only for TTP assurer, Private Part) (Mailing templates, Open requests/countries)
TTP Assurers (volunteers)
- If you are interested in becoming a TTP Assurer, just add your name to this list. The responsible officer (AO) will get in contact with you and guide you into the process.
TTP-admin
AP
ATE
Comments
Andreas P. Albrecht
35
Stuttgart 2009
no more interested as of 01/2024
35
Brian McCullough
35
Peter Yuill
35
Kim Nilsson
35
Nykobing 2015
Resigned and inactive Assurers
TTP-admin
Resignation
(before 2018)
Marcus Mängel
(2015)
29-04-2016
2015/2016?
TTP Assurer Tasks I - Prepare TTP CAP
2013-09-18: currently not on production, current state: under development
- WoT - Assure Someone
- Enter Email of assuree who requests TTP
Assure someone page - bottom line - Show TTP details
- Enter your postal address in lines 1 to lines 5 (your name, street, city, country or whatever is required to send you a snailmail)
- select the country the user comes from
In case the country the user comes from is not listed, do not complete the TTP CAP preparation!
On the form the sentence "Country where the TTP will be visited" is used. This means: if the TTP program is not yet deployed in the assuree's country, a visit to a country that has the new TTP program deployed may be an option for those who want to become assured.
TTP Assurer Tasks II - TTP assisted assurance
What are the tasks of a TTP Assurer?
The tasks of a TTP Assurer are:
Proposal I: Create and send the TTP CAP form to the TTP user. The TTP CAP form is created from the WebDB by the TTP Assurer and will be pre-filled with the TTP user's data and the TTP Assurer's postal address.
(u60): 2012-03-25 A PDF form is currently WIP, not publicly available{r}
Current implementation: locally created TTP-CAP
{g}
Maybe help in clearing questions of TTPs and TTP Users
{g}
Receive TTP CAP forms via snail mail and keep the form for 7 years similar to the normal CAP forms.
{g}
Check the reliability of the TTP, see How to verify the reliability of a TTP?
{g}
Enter the TTP assurance data into the WebDB. (Instructions: see below)
{g}
- In case of TopUP request:
- send request info to TTP info channel for request of TTP TopUP? (current system implementation does not give or forward any info to a potential TopUP admin)
- a TopUP admin has to request the TTP CAP forms from the TTP-admins #1 and #2 (scan sent by email? or sent by snail mail?), or the TTP-admin has to forward the TTP CAP form automatically to the TTP TopUP assurer? (to whom?)
How to verify the reliability of a TTP?
Have a look into the list of approved TTP for the desired country whether the TTP is approved.
Go to the country list to verify the TTP e.g. with the registration number. In some cases there are registers to cross check the registration number, otherwise there should be an advice there how to check the TTP.
- List of registers ?
Procedure for TTP-assurers
Intermediate procedure until the CAcert software is running with all features
Preliminaries
- User sends request via mail to Support (or TTP group)
- Support checks user account and enters result in a note into OTRS:
- Are TTP assurances entered?
- If one is present, write down the place, date, registration number and name of TTP as well as the name of the TTP Assurer
- If two are present, write down for each the place, date, registration number and name of TTP as well as the name of the TTP Assurer and request for TTP TOPUP
- If two TTP and a TTP TOPUP entries are present, stop process
- If account shows more than 100 points, stop process
- Name, DoB and primary email address of the user are entered (why DoB needs to be added to the OTRS ticket ?!?), Name and email should be enough to contact the requestor
- Support forwards request to TTP mailing list and closes the ticket.
- One of the available TTP admins picks up the request, prepares a PDF and sends it to the primary email address of the user, adding his own postal address to the mail (+ the TTP admin's email address: the TTP user receives the email and can reply to the TTP Admin, but the TTP cannot reply to the email sent to the TTP user, so therefore the email address of the TTP admin should be added to the TTP CAP form)
The TTP Assurer creates a TTP CAP form as PDF form for internal use. The TTP admin goes to WoT and Assure someone to get the personal data but does not finish the assurance.
In this form the TTP Assurer enters the user name, DoB and primary email address and creates a personalized PDF file for the user.
The TTP Assurer sends this PDF file to the user with his own postal address. The TTP user prepares an envelope and hands it over to the TTP. The TTP sends back the filled and signed TTP CAP form in the prepared envelope.
If it is the second request, the TTP Assurer has to point out that the user is not allowed to go to the first TTP again, which shall be stated clearly in the mailing.

Dear <user>,

you requested a TTP assurance.
Attached you will find the personalized TTP CAP form. Please print this out and take all pages to the meeting with the TTP.
Check if your personal data entered in the TTP CAP is correct. If there are any errors report them to me.

<Optional: Your first TTP assurance was done with <name first TTP> in <place of first TTP>. You are not allowed to do the second TTP assurance with the same person. In case you will take the same TTP again, the assurance will not be accepted and not entered into the system.>

Once you finished the meeting with the TTP, send back the filled, signed and sealed page to my postal address:

TTP Assurer
Street
Town ZIP
Country

If anything is unclear or you want additional information, do not hesitate to ask.

Best regards
TTP Assurer
- The user goes to the TTP, gets verified. The TTP sends back the filled form via paper mail to the TTP Assurer
Entering TTP-assisted-assurances into the Online system
TTP Admin enters TTP Assurance "Assure someone" (/wot.php?id=5) into the WoT part of the software.
Regard the following changes compared to a normal assurance:
- method: TTP
- location: Place, Name of TTP, registration Number, date of TTP f2f meeting
- date: Date the TTP admin enters the TTP assisted assurance into the system
I certify that [username] has appeared in person
Changed somewhere between https://bugs.cacert.org/view.php?id=1137#c4199 test 9 (2013-07-31),
https://bugs.cacert.org/view.php?id=1137#c4239 (2013-08-20)
and https://bugs.cacert.org/view.php?id=1137#c4290 (2013-09-05)
Example:
Name: Hans Dampf
DoB 1950-01-01
[ ] I certify that Hans Dampf has appeared in person <=== requires to be checked by software in case Bug:1137 has passed, Bug:1137 installed to production 2013-09-06
[X] Checked I verify that <username> has accepted the CAcert Community Agreement.
Location: Alberta, MrTTP, TTP12345, 2012-11-08
Date: 2012-11-26
Method Trusted 3rd Parties
[Checked] I believe that the assertion of identity I am making is correct, complete and verifiable. I have seen original documentation attesting to this identity. I accept that the CAcert Arbitrator may call upon me to provide evidence in any dispute, and I may be held responsible.
[Checked] I have read and understood the Assurance Policy and the Assurance Handbook and am making this Assurance subject to and in compliance with the policy and handbook.
Points 35
Example Picture 1
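The manual checks from the Preliminaries and the entry rules above (at most 2 TTP-assisted-assurances, stop above 100 points, a different TTP for the second assurance, location given as place, TTP name, registration number, meeting date) can be written down as a small pre-entry check. This is an added sketch, not CAcert software and not part of the original page; the `Assurance` record, the function names and the `TTP-TOPUP` method label are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Both spellings of the method name appear on this page.
TTP_METHODS = {"Trusted 3rd Parties", "Trusted Third Parties"}
TOPUP_METHOD = "TTP-TOPUP"  # assumed label; the page does not give the stored value
MAX_TTP, MAX_TTP_POINTS, MAX_ACCOUNT_POINTS = 2, 35, 100


@dataclass
class Assurance:  # hypothetical record, not the CAcert database schema
    method: str
    location: str
    points: int


def parse_location(location):
    """Split 'Place, Name of TTP, registration number, date' from the right,
    so that a place name containing commas stays intact."""
    parts = [p.strip() for p in location.rsplit(",", 3)]
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"location not in 4-field TTP form: {location!r}")
    place, ttp_name, reg_no, day = parts
    return place, ttp_name, reg_no, date.fromisoformat(day)


def triage(existing, account_points):
    """Support's pre-check on an incoming TTP request."""
    ttp = [a for a in existing if a.method in TTP_METHODS]
    topup = any(a.method == TOPUP_METHOD for a in existing)
    if account_points > MAX_ACCOUNT_POINTS:
        return "stop: account shows more than 100 points"
    if len(ttp) >= MAX_TTP:
        return "stop: two TTP and a TOPUP entry present" if topup else "request TTP TOPUP"
    return "second TTP assurance" if ttp else "first TTP assurance"


def check_new_entry(existing, new):
    """Problems the TTP Assurer should resolve before entering `new` online."""
    problems = []
    ttp = [a for a in existing if a.method in TTP_METHODS]
    if len(ttp) >= MAX_TTP:
        problems.append("limit of 2 TTP-assisted-assurances already reached")
    if new.points > MAX_TTP_POINTS:
        problems.append("more than 35 points")
    try:
        _, name, reg_no, _ = parse_location(new.location)
    except ValueError as exc:
        return problems + [str(exc)]
    for old in ttp:
        try:
            _, old_name, old_reg, _ = parse_location(old.location)
        except ValueError:
            # e.g. an older entry whose location is just "ttp"
            problems.append(f"earlier entry needs manual review: {old.location!r}")
            continue
        if old_reg.lower() == reg_no.lower() or old_name.lower() == name.lower():
            problems.append(f"same TTP as earlier assurance: {old_name}")
    return problems


if __name__ == "__main__":
    # Constructed sample data, modelled on the example entry on this page.
    first = Assurance("Trusted Third Parties", "Alberta, MrTTP, TTP12345, 2012-11-08", 35)
    again = Assurance("Trusted 3rd Parties", "Calgary, MrTTP, TTP12345, 2012-12-01", 35)
    print(triage([first], 35))
    print(check_new_entry([first], again))
```

An empty list from `check_new_entry` means none of the listed rules is violated; the reliability check of the TTP itself still has to be done against the approved TTP list.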
Where to find CAP forms?
First draft of a TTP-CAP form: CAP forms for TTP-Assisted-Assurances (WIP). As there is an actual TTP CAP available, you have to request it via support.
Draft You have to request a TTP-CAP-Form with an email to support.
Questions and Answers
Requirements
- Must be Senior-Assurer
- 100 Assurance Points, 50 Experience Points
- has attended an ATE
- passed a co-audited assurance
- Interview with the responsible officer (AO) (interview can be made by every TTPadmin, proposal/nomination in TTPadmins group?)
- The responsible officer (AO) will appoint the TTP Admin, send a notification to the board, request support to set TTPadmin flag category TTPadmin
- TTPadmin flag set in User account
- Before TTPadmin flags can be set, a clean-up needs to be done on production system
(u60) 2010-10-11 first part finished with release of Bug #855
- Before TTPadmin flags can be set, a procedure needs to be documented for Support-Engineers
(u60) 2010-10-11
- Candidate needs to get a CAcert mail address
- Candidate needs to subscribe Mailing list / needs an account for OTRS
(u60) 2012-03-25: closed mailing list for TTPadmins created cacert-ttp-admin@l.c.o
List of Approved TTPs
- A list of TTPs that are accepted by CAcert needs to be deployed.
List of approved TTP by country for new TTP-assisted-assurance program lists the approved TTPs for each country. If not yet in the list, TTP program needs to be deployed for this country first.
The old Assurers TTP Matrix (inactivated) is only a suggestion from the old program that needs to be approved. Does the TTP need to be listed in a register that can be checked by a TTP Admin?
Will there be a mailing list for TTPs?
- There should be a closed mailing list for TTP Assurer to communicate internally and to find the TTP requests.
- Should TTP Assurers use OTRS?
(u60) 2012-03-25: closed mailing list for TTPadmins created cacert-ttp-admin@l.c.o
Where to direct TTP Users' and TTP Notaries' questions?
- Main contact is support
- Once the TTP Assurer sends the TTP CAP form to the TTP User, he is also a contact for questions.
- (u60): is the email address of the TTPadmin also on the new TTPCAP proposal ?
Where to send the CAP forms from TTPs so they can be received by TTP Assurers?
Since the TTP Assurer sends a pre-filled TTP CAP form with his postal address to the user, the TTP user and the TTP know where to send the TTP CAP form.
Shall the available list of TTP Assurer be announced to TTP users? To TTP Notaries?
- As the main contact for any questions is support, all questions should be sent there, so no need for a detailed list with addresses. The list should only show the names so that the TTP user and TTP can verify that the person is really a TTP Assurer. Also, the TTP-admin should use his @cacert.org address in sending the prefilled TTPCAP form.
- Once the TTP Assurer sends the TTP CAP form to the TTP User, he is also a contact for questions.
- Should the mailing list be a place of contact for TTPs if they have question about CAcert and TTP related topics?
- (u60): email address of TTP-admin also to add to the TTPCAP form ?
Current State Software
- [2012-11-26] With patches applied on cacert.it-sls.de testserver, enter TTP assurance works {g}
266042 2012-11-26 Hans Dampf 20 Alberta, MrTTP, TTP12345, 2012-11-08 Trusted Third Parties
266041 2012-11-26 2012-11-26 12:29:50 m.m Marcus Mängel 35 ttp Trusted Third Parties 0 Revoke
266042 2012-11-26 2012-11-26 13:13:03 ul Ulrich Schroeter 35 Alberta, MrTTP, TTP12345, 2012-11-08 Trusted Third Parties 0 Revoke
- [2012-11-26] Local Testscenario (production system similar software state) {r}
T6 testserver image, locally installed
logged on locally
/home/cacert/git/cacert renamed to /home/cacert/git/cacert.sik
cd /home/cacert/git
git clone git://git-cacert.it-sls.de/cacert.git cacert
(according to: https://wiki.cacert.org/Software/DevelopmentWorkflow )
creates and copies current production revision to local system
server restarted
going to local testserver website
doing 2 assurances
a. ttpadmin user with board=1 flag set
b. ttpadmin user with board=0 flag set
Both test assurances result in assurance method [ ] (empty string)
so it seems that on production https://bugs.cacert.org/view.php?id=855 is not yet fixed or did run into a new bug
TTPadmin user: board=0 flag set
256984 2012-11-26 Hans Dampf 35 Alberta, MrTTP, TTP12345, 2012-11-08 [ ] (empty string)
256985 2012-11-26 Tinto Baggins 35 Alberta, MrTTP, TTP12345, 2012-11-08 [ ] (empty string)
Example Picture 2 - with TTP method empty bug
[2012-11-27] Result under Arbitration case a20121127.1 {g}
Example Picture 3 - TTP-assurance under production system