The Training Course for Case Managers and Arbitrators
Lesson 30 - Name Changes and the CPS
WIP
The CPS came to draft at Status: DRAFT p20091108
- Certs created before 2009-11-08 are not affected by this investigation
- Certs created after 2009-11-08 need further investigation
- The certs problem
- If the user has created client certificates with the not yet corrected name in the account, the certs are built with the wrong given name from the account.
CPS 3.1.1. Types of names - Client Certificates. The Subscriber Naming consists of:
- CN= The common name takes its value from one of:
- For individual Members, a Name of the Subscriber, as Assured under AP.
- The name in question probably does not conform to AP after the name change
- When creating client certificates, users have the option to select between several variations
- from the source code: /pages/account/3.php line 64-68 (create client cert)
- No Name in the Cert (named: WoT user)
- Givenname + Lastname
- Givenname + Middlename + Lastname
- Givenname + Lastname + Suffix
- Givenname + Middlename + Lastname + Suffix
- Which certs have been created by the user?
- If removal of a middle name is requested and the user has created a client cert with Givenname + Lastname, this cert doesn't need to be revoked because the cert doesn't include the middle name
- On a suffix removal request, a cert that doesn't include the suffix does not need to be revoked
- AP allows accounts with several name variations (i.e. different name variations in different accounts) (all have seen the CAP forms with the possible 3 rows for names from the end of 2008, starting 2009 development ? named capnew.php). Those CAP forms (and the multiple lines of names proposed for a system change) allow multiple name variations to be added to the CAP form and also to the system
The Problem: this isn't yet implemented in the running system (LibreSsl)
- A patch is under development or finished, but currently not set active in the production environment
- But this question may influence the revocation of certs, in that certs don't need to be removed if the Arbitrator checks this possible variation
- i.e. user's name is: Renate Bärbel Beckett
- user has a middle name with Umlaut: Bärbel
- user created client cert: Renate Beckett
- the name change from Renate Bärbel Beckett to Renate Baerbel Beckett doesn't affect the client cert
- i.e. user's name is: Renate Bärbel Beckett
- user has a middle name with Umlaut: Bärbel
- user created client cert: Renate Bärbel Beckett
- the user wants to add Renate Baerbel Beckett to the account
- so this change request doesn't affect the client cert because the old name is still valid in the account
- the problem: adding an additional name variation is possible under AP, but the system doesn't allow it
- So this problem conflicts with the allowed name variation: the user is allowed by AP to add a second name variation caused by transliteration
- Assuming that it's possible through the system to allow a 2nd name variation, the cert with the Umlaut is still valid after the additional name with transliteration is added to the system, because the ID doc states a name with Umlaut.
- Now the question is: why should the cert be revoked when, as per AP, the name variation is allowed but the system cannot handle the 2nd name?
- As with other naming issues, the system has only one line for one name. The unwritten rule says: we have to deal with this limitation, so this also limits the advanced AP view. Only an Arbitrator can overrule this rule.
- I can remember that somewhere in the translingo system I have seen help descriptions of how to write name variations into a name field: it looks like Renate B{ae|ä}rbel Beckett. Where do these definitions come from? The current website doesn't include such help pages ...
See also ruling Arbitration case a20100208.1 (Minor name change)
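The check described in the list above, as an added example (not CAcert's code and not taken from 3.php): it builds the CN for each of the five listed options from the old and the new account name and flags only the certs whose CN actually changes. The field names, variant labels and the NFC normalisation are assumptions of this example; whether a flagged cert is revoked remains the Arbitrator's decision.

```python
import unicodedata

# The five CN options the page lists for client certs.
# Keys and field names are this example's own labels (assumptions).
VARIANTS = {
    "no_name": (),
    "given_last": ("given", "last"),
    "given_middle_last": ("given", "middle", "last"),
    "given_last_suffix": ("given", "last", "suffix"),
    "given_middle_last_suffix": ("given", "middle", "last", "suffix"),
}
NO_NAME_CN = "WoT user"  # label the page gives for a cert without a name


def build_cn(name, variant):
    """Return the CN a cert of this variant carries for the given account name."""
    parts = [name.get(field, "").strip() for field in VARIANTS[variant]]
    cn = " ".join(p for p in parts if p)
    # NFC (assumption): 'ä' as one code point and 'a' + combining
    # diaeresis must compare equal, otherwise they look like a change.
    return unicodedata.normalize("NFC", cn) if cn else NO_NAME_CN


def certs_affected(old_name, new_name, issued_variants):
    """Map each issued variant to True if its CN differs after the name change."""
    return {v: build_cn(old_name, v) != build_cn(new_name, v)
            for v in issued_variants}


if __name__ == "__main__":
    # Name taken from the page's example; the set of issued certs is constructed.
    old = {"given": "Renate", "middle": "Bärbel", "last": "Beckett"}
    new = dict(old, middle="Baerbel")
    issued = ["no_name", "given_last", "given_middle_last"]
    for variant, changed in certs_affected(old, new, issued).items():
        status = "CN changed, refer to Arbitrator" if changed else "CN unchanged"
        print(f"{variant:20} {build_cn(old, variant)!r:28} {status}")
```
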
Questions
Assume the user's name is Bernd Fröhlich. The user created user account Bernd Fröhlich BF and created client cert Bernd Fröhlich BF. After a name change request: does the cert need to be revoked?