(C) accuses (R) of making changes to the system that prevent further TTP assurances because the system now assigns an incorrect number of points.

Before: Arbitrator UlrichSchroeter (A), Respondent: Philipp Gühring (R), Claimant: Dirk Astrath (C), Case: a20091118.5

History Log

Discovery

I was asked to remove the super-assurer status of all super-assurers.
I did modify those persons' accounts to limit their CAcert-Points to 150 points, to remove their super-assurer status. (Including Robert C.'s account.)
The system always enforces (previously and now) that people that have 150 points can issue a maximum of 35 points.
Since TTP issues more than 35 points, the person that does a TTP assurance has to have at least 200 points, to be able to issue more than 35 points.

I only made changes to the database, by limiting the points of the accounts I was asked to.
I did not make any changes to the webserver. The application behaviour is still the same as it was before.
Therefore the claim is false, it is a wrong accusation.

Note: (C)'s reply also covers Arbitrations/a20091118.1.

> Please name me the script PG has modified
>   /path/script
> from the CAcert sourcecode package http://www.cacert.org/src-lic.php
> that results to your accusation
> against respondent PG.

according to the statement p. made i compiled the information i got, checked the source and came to the following conclusion:

p. did not modify the source, but he reduced the points of every 'enhanced' cacert-user to a maximum of 150 points (as it was a board-decision) ... which is correct according to the information i got due to this arbitration case ...

but i have some new questions:

if RC (as an example) has ttpadmin set, but less than 200 points, how can he do a 'valid' ttp-assurance? (according to the mail: he can't ... rounded down to 35 instead of 50)

if RC (to keep this example) has ttpadmin set, but 200 points he can give 150 pts per assurance, which will break the policy ... (but according to the answer p. gave: RC does not have more than 150 pts)

since the support-mail named in this case shows 'rounded down to 35 pts':

does the user (applicant) still have 35 points?

if the user has more than 35 points ... which was the way he had been assured?

coming back to the point:

even if it seemed that p. made code changes in the software, which did not have the expected result, i'm wrong (in this case) ...
therefore: sorry to p. ...

... but the ttp-assurances in the last weeks/months are not clear to me ... ;-(

i wasn't aware of the maximum number of points possible via TTP or super-assurances within the last months since i got several pieces of information about super- and/or ttp-assurances.

now i know the background ... and number of points possible ...

have a nice day ...

Ruling

I dismiss this dispute.

The claim that software code changes were made regarding the TTP program is false, and is based on wrong accusations (C) made.

I conclude that (R) did not make any unauthorized code changes regarding this case.

For the record:

(C) apologizes within his 2nd statement.

(R) accepts the apology.

Assertion

The whole system was designed 4 years ago, and does not reflect all of today's rules that come from policies. Mostly they are implemented in one way or another. Motions and bugs are filed, but this doesn't indicate the implementation into the system.

The priority of the community is "when are the root certs in the browsers" which sets the board's priority of audit. It is always the #1 priority until changed by a call from the community. This is unlikely.

Following the audit, several Policies were applied and ratified. e.g. the Security Policy that includes the 4-eyes principle to update code on the system, the Assurance Policy that bans Assurance points > 50.

This is the environment the TTP Programme found itself in. It is an "oldtimer" from before the audit, and was "frozen" by the auditable Assurance Policy. But never updated.

Therefore the board started and accepted the motion(s) m20090912.1 and m20090914.2. The first one freezes this program and the 2nd one takes it into effect.

There was some activity around in the past to write a TTP policy named: Remote Assurance Policy (RAP) (WIP) but this document has not entered DRAFT status yet.

So therefore, for the arbitration process there is no policy in place. There was also Policy discussion about this topic. The discussion about how many points can / should be given to the program varies. But as this is not yet a binding policy, I hereby cannot rule on whether TTP assurances have to have 35 pts or 50 pts. I can only say that, at this level, this assurance program doesn't break AP as long as this program does not exceed the limit of 50 pts that is set by AP.

If the community wants the TTP program back, they have to start a policy discussion to write a TTP policy.

On the other side, there is a common practice, to use TTP assurances with the default assurance form on the website. This wasn't expected that way. But this isn't the topic of this arbitration case and is already handled by another case.

(R) did round down everyone's points to a maximum of 150 in line with board motions m20090912.1 and m20090914.2. This influenced the TTP program indirectly, but it was not a code change. (C) acknowledges that (R) did not make any unauthorized code changes regarding this case.

Frankfurt/Main, Dec 11th, 2009

Execution

None

Similar Cases

Appendix

Appendix 1: Original mail from claimant

on 11-11-2009 i got a message via the cacert-support-list with the following content:

from:    website-form@cacert.org wrote:

> > From: S* H*
> > Email: s*@h*
> > Subject: Rounding down of assurance points
> >
> > Message:
> > Hi,
> >
> > I used the TTP method to get assured. When it was put into the
> > [...]
> >
> > You were issued 150 points however the system has rounded this down
> > to 35 and you now have 35 points in total.
> >
> > Best regards
> > CAcert Support Team

[...]

however ... in detail:

i want to file a dispute against several people:

(1)     [...]
(background: robert gives 150 points for ttp-assurances while the ttp-program is frozen and the assurance policy allows 50 points per assurance only)

(2)     [...]

(3)     against philipp g. ... since he made changes to the system,
which avoid correct ttp-assurances by rounding down the points to 35 instead of 50

------------------

[...]

according the dispute against philipp this is a small bug, which causes no acts against the assurance policy ... but think about bugs, which may cause possible actions against the assurance policy. in my eyes there should be no modifications possible at the web-server without a second person checking the patch being implemented. (hint: i don't want to rule, since i'm no arbitrator ... it's just MY humble opinion as a normal cacert-user)

[...]

have a nice day

ps: ... and yes ... i accept the CCA ...


Arbitrations/a20091118.5 (last edited 2009-12-11 03:22:01 by UlrichSchroeter)